Inside Out vs. Outside In

When we think of information security, we tend to think of external hackers and cyber-criminals fighting their way inside an organisation’s network to steal its information. Clearswift commissioned some research that takes a holistic view of information security incidents and found that 83% of organisations surveyed said they had experienced a security breach in the last 12 months. However, contrary to where the security spend is focused, 58% of all incidents originated from inside the organization rather than from shadowy, malevolent outsiders – the culprits being employees, ex-employees and trusted partners: people like you and me.


The research uncovered the fact that 72% of organisations are struggling to keep up with changes in the security landscape and the policies required to support the changes in the way people communicate and the way business is conducted today. One of the major changes in both business practice and business risk has been the rise of Bring Your Own Device (BYOD).

The top three BYOD threats are:
- employee use of USB or other storage devices;
- inadvertent human error;
- employees sending work-related e-mails via personal e-mail accounts or devices.

However, it’s not fair to lay the blame for these types of security risk solely on employees if they are being encouraged to adopt BYOD (or at least not discouraged from doing so). Roughly one third (31%) of organizations are proactively managing BYOD, while 11% reject it outright. Those who reject the use of BYOD are more likely to encounter internal security threats (37% vs. 18% for those who proactively manage it). In the survey, 53% said that employees would use BYOD on the corporate network whether it was sanctioned or not. The onus is therefore on the company to manage such use rather than behave like an ostrich and pretend it won’t happen.

So, what next? Organizations need to acknowledge that the threats from within are at least as important as those from outside and should plan their security spend accordingly. When it comes to BYOD, a comprehensive set of policies must be put in place as quickly as possible. There should be an education or awareness programme for both users and employers alike around the risks BYOD can have and how these risks can be mitigated, so that employees’ personal devices can be used securely.

If your company still doesn’t publish BYOD rules, you as an employee can follow our recommendations:

  1. Don’t put your company (or yourself) at risk by using your personal devices, even USB sticks, to process corporate data without prior consultation with a system administrator or an information security officer.
  2. If you need to use a USB stick, then use one which has encryption on it – and preferably one that your company endorses. There are lots to choose from out there and they are not that much more expensive than unencrypted options. For the sake of £20 you could save your company its reputation.
  3. The same goes for private e-mail accounts. If you have a pressing need to use private e-mail (e.g. your corporate mail is down), set up a dedicated account with maximum security applied (Gmail with two-factor authentication switched on could be a great starting point).
  4. Send any documents strictly in encrypted form. There are plenty of ways to do that, starting with password-protecting MS Office documents or ZIP files with a strong password. Of course, you must never send the encryption password in the same e-mail; call the recipient by phone to tell them the password.
  5. Don’t set up your working e-mail account on your private device without prior consultation with a system administrator. There are specially protected clients to do that in a safe way.

Comments

  1. Chris Boorman says:

    Great commentary. The risk to enterprises from consumer tools and storage devices (Dropbox, USB sticks, external FTP servers etc.) is very real. Huddle recently commissioned a major research program through Ipsos Mori around the use of such tools across the UK and US workforce – the results can be found here (http://ow.ly/mheRD) and are quite startling. BYOD does not mean that security should be thrown out of the window – cloud services exist that deploy closed-security services.

    The same goes for email – it is a poor choice for helping teams share and work on valuable content. It loses audit trails, it lacks version control, it absolves responsibility, it fragments information, it loses control, it has no approval processes, it propagates inefficiency, and it breaks corporate security by enabling involvement of anyone with an email address. It is an antiquated communication tool born out of the 1980s rather than an effective tool for sharing and working on content in the 21st century. It is time to move content collaboration out of email and into a secure and controlled environment that protects the security of enterprises.

    [Full disclosure: I work for Huddle, which provides next generation content collaboration – trusted by governments and solving these issues].

  2. Heidi Frederiksen says:

    Great blog post