2017 saw a number of high-profile security incidents, from Uber’s breach that affected 57 million people worldwide, to the recent case of MPs sharing passwords and computer access with anyone who happens to be in the office. Enterprise security has never been more important, and yet many businesses are still leaving corporate data in a vulnerable position. A recent government survey on cyber security breaches highlighted that almost all UK businesses are exposed to threats, no matter how big or small they are. Business leaders who assume they are of no interest to hackers are walking a thin and misguided line of security through obscurity.
Many businesses are also still relying on manual processes and the will of employees to stay secure. It’s well known that breaches are often caused by weak, compromised or re-used passwords, but a recent study by LastPass and Ovum highlighted that over half of IT executives surveyed rely solely on employees to exercise good password hygiene.
The same survey also found that over 75 per cent of employees reported problems with password usage or management at least once a month, with many not having the support they need to overcome their issues. Given that passwords are often the main entry point for business accounts, it’s clear that many businesses are exposing themselves to obvious threats, and not providing adequate training for staff.
Ultimately, enterprise security will come down to convenience vs. disrupting workflow. If something is inconvenient, employees are more likely to try to get around the process, which could have far-reaching, damaging consequences. Similarly, IT teams might be reluctant to adopt technology that adds an extra process that many employees might deem unnecessary.
The good news is that there are a number of ways businesses and IT teams can conveniently and easily take back control of enterprise security.
Here are our top three:
Adopt a 360 view
When security breaches occur, many are quick to place the blame solely on human error. While humans are an important component of any security defence, part of adopting a 360-degree view involves recognising the roles of both humans and technology.
IT teams need to start acknowledging the changing nature of modern working. The lines between work and personal life are becoming increasingly blurred, and this is having an impact on security. Because of this, it’s important that policies and tools are adopted to match this change in behaviour. If an employee checks their personal emails at work and clicks a link containing malware, the entire network of the organisation could be at risk. We only need to look at the Yahoo breach to put the threat levels into context. Three billion stolen passwords provide a whole host of entry points for attackers to potentially access business data. The sooner companies appreciate the wider picture of enterprise security, the stronger their defences will be.
Invest in the right technology for your company
Technology has advanced in leaps and bounds over the last few years, and yet when it comes to security, many businesses are failing to implement technology that will allow them to easily and conveniently stay secure. Keeping company credit card details and passwords stored in a shared Excel document that everyone has access to is a sure-fire way to increase your threat level. IT teams should evaluate existing practices and tools and look at where they can enhance their defence.
Each company will be different – you don’t necessarily need government-level security for a family-owned business – but there are basic levels of security that companies should adopt regardless of size. For example, using a password manager helps create and store strong passwords for every login and also lets employees securely share passwords without compromising confidential data, which can be useful for departments and those who need to access a variety of work tools. Additionally, multi-factor authentication should be enforced across all accounts, and contingencies should be put in place in case an employee who has access to sensitive data leaves the business.
It’s good practice to regularly assess the technology you have in place to make sure it’s up to date and still appropriate for your business. January is always a good time to do this, as people gear up for the year ahead.
Educate, and re-educate
Taking control of enterprise security should also go beyond technology. IT teams should take the time to educate employees in best practices, and re-educate them on a regular basis. All the security basics should be covered, including the importance of complex, unique passwords, the risks surrounding ‘bring your own device’ (BYOD) and accessing work accounts on public Wi-Fi networks. Ideally, a clear, concise security policy should be drawn up – the longer and more technical it is, the less likely employees are to absorb and really take in the advice. An easy way to engage employees is by turning security into a game or competition, for example rewarding employees who use strong passwords.
The more employees understand about the need to stay secure, the more likely they are to adopt new practices and technology, keeping company accounts and data as safe as possible.
Steve Schult is senior director of product management at LastPass