You can patch all your systems, guard your perimeter, secure your endpoints and harden your network, yet there's one vulnerability that's almost impossible to fix: the people you have using all this stuff. No matter how you lock everything down, they're out there misusing your systems, disregarding secure practices and doing deeply silly things that render your network security irrelevant. For many companies, people are the weakest link in the security chain.
Verizon's 2017 Data Breach Investigations Report makes a convincing case for never trusting an employee with your security. 25% of the breaches covered in the report involved internal actors in some capacity. Errors were causal events in 14% of breaches, with another 14% involving the misuse of privileged accounts. 81% of breaches leveraged weak or stolen passwords, while 43% involved a social attack.
On the one hand, you may have employees that can't be trusted because they're deliberately working against your interests. In cases involving insiders, the Verizon report found that 60% of the insiders stole data in the hope of converting it into cash at a future date, with taking it to a rival employer or a new startup the aim of a further 15%.
On the other, you could have employees who shouldn't be trusted because they're incapable of following smart security practices or simply don't see why they should. Verizon's survey found that 66% of malware involved in a breach was installed via malicious attachments, and that 95% of phishing attacks that led to a breach were followed by some form of software installation. Why is it, then, that so many users will still happily click on a link or open an attachment when they get an unsolicited email? One moment of thoughtless could result in a download of malware that replaces their PC's BIOS, giving hackers control of its most fundamental functions and a backdoor into the corporate network?
Verizon isn't alone in its findings. The Ponemon Institute's 2016 State of Endpoint Report found that Negligent employees (users) and the devices they used in the workplace continue to be the greatest source of endpoint risk. 81% of respondents say the biggest challenge is minimising the threat of negligent or careless employees who do not follow security policies, a slight increase from 78% of respondents in 2015.'
Those who click on links in phishing emails are just one part of the problem. There are the employees who use the same password across numerous accounts, both work and personal, so that when their account for a gaming or online dating services is hacked, the hacker gets the keys to their work email and any cloud-based services as well.
Then there are the employees who'll pick up a USB memory key in the car park and plug it into their laptop without thinking. An experiment by researchers at US universities found that when USB keys were dropped around six campus locations, over 45% of them were plugged into a computer by the person that found them. And what about the employees who use consumer-grade cloud services for business purposes, then get a nasty surprise when these aren't properly secure?
Plugging holes
What can CIOs and IT teams do with this mixture of deliberate misuse and absent-minded behaviour? Well, some or all of the following should help:
Improve endpoint security: Strong network security is a good thing, but it's at the endpoints where end-users have the most impact. Any hardware, software or policies you can put in place to enhance endpoint security should help tip things in your favour.
Have clear policies: Translate security policies into clear, jargon-free English and make it clear why each one matters. Employees need to understand that plugging unauthorised USB memory sticks into a PC isn't sensible behaviour, but also why.
Secure shadow IT or replace it with business-grade alternatives: Employees might have good reasons for using insecure consumer-grade cloud services in addition to corporate IT services, but you need to either secure them, dissuade them from using them or provide great, secure alternatives that they'll be happy to use instead.
Review access rights: One issue for too many companies is that those employees with access to the network enjoy access to too much of it, meaning they can open folders and view documents beyond their job requirements. By reviewing access rights and putting proper controls in place you can ensure that data isn't widely available to anyone who can log-on to a server.
Invest in training and support: The more training and support your teams have in security and sensible practices, the more likely they'll be to follow them. Again, it's about making sure they know what's important and what's at stake if they make a serious error.
Use software to aid security: A wide range of tools can help you build a better security program, ranging from password managers that can help users handle multiple complex passwords to SIEM tools that can help you track events and incidents and get real-time alerts of aberrant behaviour. Some manufacturers, like HP, even produce their own tools specifically to help companies manage their PCs, laptops, mobile devices, printers and network infrastructure.
Move to Windows 10 Pro: Not only is Windows 10 Pro the most secure version of Windows ever, with strong built-in defences and a range of features that stop malware programs from executing and spreading, but its Windows Hello authentication empowers companies to boost security without adding complexity for end-users. By combining or replacing passwords with another factor, such as fingerprint or facial recognition, it makes it easier to confirm identities and ensure that only those authorised to access sensitive data can do so.
Hardware Solutions
All of the above will help reduce the human factor in security, but there's one other simple and effective step that can cut down those vulnerabilities even more: choosing hardware built with enterprise grade security in mind. That's why CDW works with HP PCs and laptops to deliver the most secure IT solutions on the market.
HP's ProBook and EliteBook laptops and ProDesk Mini PCs might be sleek and beautifully designed computers, but they also include features designed to spot, intercept and prevent the spread of malware at the lowest levels of operation. For example, HP SureStart monitors the BIOS, looking for signs of intrusion and self-healing, recovering to a last-known golden' BIOS if it finds any. BIOS whitelisting ensures that only an approved and validated HP BIOS can be installed.
HP WorkWise, meanwhile, partners a desktop app on the laptop or PC with an app for iOS or Android smartphones. It can be set to lock and unlock the PC automatically when the phone is in range, so that users can't leave their ProDesk Mini available for anyone to access while they wander off to get a coffee, while real-time alerts mean they get a notification when their EliteBook laptop is moved on the desk or has the lid opened. HP's EliteBook 840 can even be supplied with an integrated HP SureView electronic privacy screen, so that if employees will insist on working on sensitive forward-looking documents while on the train, you can be sure that the passenger in the next seat isn't getting an eyeful.
These features work because they enhance security without adding complexity, enabling ProBook and EliteBook laptops and ProDesk Mini PCs to fix-themselves and support secure policies without asking much of the average end-user. Can you eliminate the human factor entirely? Probably not, but with HP, Microsoft and CDW working with you, there's no reason why you can't minimise its impact.
