In a never-ending cycle of high-profile breaches, enterprise security has never been more important. However, according to the latest PwC ‘Global State of Information Security Survey’, security spending has dropped by a third in the last 12 months. It’s clear that the threat is there, but the evidence suggests some businesses are still adopting a “security through obscurity” strategy; i.e. wrongly assuming their corporate data is of no interest to hackers because they are a small or medium-sized enterprise.
This lack of spending can often produce an unclear IT security strategy, with teams relying on manual processes such as password spreadsheets to keep accounts secure. The problem is exacerbated by the bring your own device (BYOD) culture and remote working, which make it difficult for companies that don’t have the right technology to gain an all-encompassing view of their security. In many cases, this results in employees becoming the first line of defence against outside threats to company data. According to a recent study by LastPass and Ovum, more than half of IT executives surveyed rely on employees alone to monitor their own password behaviour, leaving the company at risk. While it’s important that employees are adequately trained in security practices, it’s also crucial that IT teams make the right investment of time and resources to take control of company security.
With that in mind, here are four ways businesses can revamp their security policies for 2018.
Address the problem
This may sound like an obvious starting point, but many businesses are failing to address security failings within their organisations, even though they know they exist. For example, when it comes to password management, many IT teams hold the view that ‘if it’s not our password, it’s not our problem’. Employee passwords are chosen by the employees, so they should be the ones who manage and control them. However, according to Verizon’s 2017 Data Breach Investigations Report, more than 80 percent of breaches are caused by weak, compromised, or re-used passwords, so this isn’t a foolproof approach. Furthermore, in a recent survey, more than three-quarters of employees reported that they have problems with password usage or management at least once a month, with many saying they don’t have the support they need. Clearly, it’s time for IT teams to address the elephant in the room and take back control of password management for employees.
Take a holistic approach
It’s important that businesses understand that the lines between work and personal are increasingly blurred, and this extends to security too. IT teams need to acknowledge modern working behaviour, as ‘bring your own device’ and remote working become more popular, and tailor policies and practices to match this behaviour. This will involve looking beyond an employee’s work log-in and not being limited to passwords that only relate to the company. One only needs to look at the Yahoo breach, where three billion passwords were stolen, to understand that there are a multitude of entry points for attackers to reach business data. For example, if an employee checks their personal emails at work and clicks on a link containing malware, the entire organisation’s network could be at risk. The sooner IT teams understand that they need a 360-degree view of employee security, the stronger the company’s defences will be.
Educate your employees
Part of taking on the responsibility of enterprise security should involve educating employees in best practices. In particular, these should stress the importance of complex, unique passwords across all accounts, as well as the risks surrounding public Wi-Fi networks and what employees should and shouldn’t access on them. Companies should draw up a security policy and regularly educate and re-educate both new and existing staff. A good way of engaging employees in security education is through gamification, which can incentivise them to understand and practise good habits. Turning security into a game is also a way for organisations to understand the human element of security. For example, employees could be scored on the strength of their passwords, and the employee with the highest password score would get a prize.
Invest in technology – and make sure it’s up to date
Finally, as we reach the end of 2017, there’s no excuse to be relying on manual processes to manage enterprise security. Noting down employee passwords in an Excel spreadsheet, or writing down debit card details on pieces of paper, aren’t effective ways of managing security. Investing in technology which will allow you to easily manage confidential data should be a must for businesses of all sizes. Similarly, companies should ensure they turn on multi-factor authentication across all accounts, which can be anything from biometrics to a one-time passcode.
Steve Schult is senior director of product management at LastPass.