There are lots of ways in which your company’s computer systems can become vulnerable to attack. One key issue is the relentless march of new technology, which means that devices that are just a few years old get left behind, and after a while are no longer supported. If you keep using these, they could become vulnerable to new attacks, such as the NHS systems still running Windows XP that fell victim to WannaCry in 2017.
Even when up-to-date hardware and recent software are used, there might still be an inconsistent or non-existent strategy for applying updates and patches. The operating system might get updated automatically, but application software could well be left behind. Lots of companies are still using older versions of the Internet Explorer browser, for example, rather than the most recent iteration of Microsoft Office. In September 2017, Spiceworks calculated that 68% of companies were still using some Office 2007 installations, 46% some Office 2003, and 21% even Office 2000.
Lax IT policy could also mean that password-protected software and devices don’t have the simplest level of security applied. Instead of changing default usernames and passwords as soon as the software or device is set up, these are often left as they were in the factory, and never changed. The default username and password will be the first options a hacker tries in an attempt to gain access.
However, the biggest issue will always be human behaviour itself. People fall for phishing attacks, clicking on that link that pretends to be from a bank or online retailer. They fall foul of “social engineering” that is designed to play on their habits in order to obtain security details. They find it hard to remember complex passwords, so they use simple, easily guessed passwords instead, or write them down on Post-Its pinned to their screens. This makes corporate IT security as much a matter of staff training against insecure behaviour as it is using the right technology.
Even with users who are savvy or trained enough not to be susceptible to the most common types of attack, changing usage habits around computing pose new risks. One of these comes from the tendency towards “Bring Your Own Device” (BYOD). Where companies don’t provide the latest kit, or issue devices that could hardly be described as top of the range, employees will buy the phones, laptops or tablets that they actually want to use, and bring these into work.
The obvious problem with this from a security point of view is that these devices did not come from the company itself, so IT administrators will not have installed an operating system and application suite that has been approved as compliant with policy. There is no way of ensuring these devices have been properly updated and patched, and if they are allowed on the network they could be just the kind of easily compromised endpoint hackers are looking for.
Cheap smartphones can be a particular problem. These will often use an older version of Android, and may not receive regular updates, or any updates at all. An employee may also turn off automatic updates on their notebook, or avoid the update-and-restart cycle, so that its operating system and software aren’t patched and remain susceptible to newly discovered exploits.
The knee-jerk reaction to BYOD would be to ban all non-company devices from the network, so that these un-patched devices don’t pose a threat. But numerous workplace surveys have shown that this can actively provoke employees to seek positions elsewhere. This means that BYOD is something that employers have to live with, but they can still take better control over how it’s implemented.
For a start, there can be a policy to limit the types of BYOD devices that are allowed on the network. Old Android phones should be excluded, and this could also impose minimum versions of operating systems, patches and application versions. Beyond this, a mobile device management system could also impose things like storage encryption, minimum levels of authentication, and the ability to wipe a device remotely if it is registered as having been lost. There could be an insistence on only secure access to organisational data, and a restriction on the software allowed to those applications that have been approved, which would also mean that app stores could be blocked.
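The baseline policy described above (permitted platforms, minimum OS versions, storage encryption, a screen lock, remote-wipe enrolment and an approved-app list) can be expressed as a simple admission check over device enrolment records. The following is an added example written for this page, not code from any MDM product or from the article’s author; the record fields, policy values, app identifiers and sample devices are all assumed and constructed for illustration.

```python
# Added example (not from any MDM vendor): evaluate BYOD enrolment records
# against a baseline policy of the kind the article describes. The record
# format, field names, policy values and sample devices are constructed.

# Constructed baseline: per-platform minimum OS version.
POLICY = {
    "android": {"min_version": (10,)},
    "ios": {"min_version": (15,)},
    "windows": {"min_version": (10, 0, 19044)},
}
# Controls every enrolled device must report as present.
REQUIRED_CONTROLS = ("storage_encrypted", "screen_lock", "remote_wipe_enrolled")
# Constructed allow-list of approved business apps (package/bundle names).
APPROVED_APPS = {"com.example.mail", "com.example.chat", "com.example.files"}


def parse_version(text):
    """'10.0.19044' -> (10, 0, 19044). Trailing non-digits ('12L', '16.4b') are dropped."""
    parts = []
    for piece in str(text).split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, minimum):
    """Tuple comparison with zero-padding so (10,) and (10, 0, 0) compare equal."""
    width = max(len(actual), len(minimum))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(actual) >= pad(minimum)


def evaluate(device, policy=POLICY, approved_apps=APPROVED_APPS):
    """Return a list of policy violations for one enrolment record (empty = compliant)."""
    platform = str(device.get("platform", "")).lower()
    rules = policy.get(platform)
    if rules is None:
        # Unknown or unsupported platforms are refused outright, not silently passed.
        return ["platform not permitted: %r" % platform]
    violations = []
    os_version = parse_version(device.get("os_version", "0"))
    if not version_at_least(os_version, rules["min_version"]):
        minimum = ".".join(str(n) for n in rules["min_version"])
        violations.append("os_version %s below minimum %s" % (device.get("os_version"), minimum))
    for control in REQUIRED_CONTROLS:
        # A missing field is treated as the control being absent (fail closed).
        if not device.get(control, False):
            violations.append("required control missing: " + control)
    unapproved = sorted(set(device.get("apps", [])) - approved_apps)
    if unapproved:
        violations.append("unapproved apps installed: " + ", ".join(unapproved))
    return violations


def triage(devices, policy=POLICY, approved_apps=APPROVED_APPS):
    """Map device id -> violations, so the network-admission decision is one lookup."""
    return {d["id"]: evaluate(d, policy, approved_apps) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    {"id": "dev-01", "platform": "android", "os_version": "8.1.0",
     "storage_encrypted": False, "screen_lock": True, "remote_wipe_enrolled": True,
     "apps": ["com.example.mail"]},
    {"id": "dev-02", "platform": "iOS", "os_version": "16.4",
     "storage_encrypted": True, "screen_lock": True, "remote_wipe_enrolled": True,
     "apps": ["com.example.mail", "com.example.chat"]},
    {"id": "dev-03", "platform": "windows", "os_version": "10.0.19045",
     "storage_encrypted": True, "screen_lock": True, "remote_wipe_enrolled": True,
     "apps": ["com.example.files", "com.randomvendor.cloudsync"]},
    {"id": "dev-04", "platform": "android", "os_version": "13",
     "storage_encrypted": True, "screen_lock": True,
     "apps": []},  # remote_wipe_enrolled field absent -> fails closed
    {"id": "dev-05", "platform": "blackberry", "os_version": "10.3"},
]

if __name__ == "__main__":
    for dev_id, problems in triage(SAMPLE_DEVICES).items():
        print(dev_id, "COMPLIANT" if not problems else "BLOCK: " + "; ".join(problems))
```

The two design choices worth noting are that absent fields fail closed (a device that does not report a control is treated as lacking it) and that unknown platforms are refused rather than evaluated, which is what makes the "old Android phones are excluded" rule in the policy above a property of the data rather than a special case.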
Of course, applying restrictive policies like these needs to be properly explained to staff so they don’t see it as merely the paranoia of a draconian IT department. That’s why BYOD is very much about how people are the most significant link in security policy, and how you deal with them is as important as the defensive technology employed.
The BYOD trend isn’t the only issue from our changing behaviour with our computing devices. Another potential threat has come from the exponential rise of mobile computing. This isn’t just about the fact you can carry your devices with you and work anywhere, but also about the software that makes these devices particularly useful. As with BYOD, this is exacerbated when the tools available through your company aren’t providing all the features an employee wants.
These could include public cloud storage for sharing files, or consumer-grade messaging apps for business discussions with other employees or clients. There could be an issue with data security in both cases, not because these services are inherently insecure, but because they are outside the control of the corporate IT department and could be configured in an insecure way by the user. There is also likely to be no policy from these services about retaining data for regulatory compliance.
To avoid these issues, organisations need to understand what their employees want, and find business applications that cover these capabilities – or business versions of the software they already use. Companies also need to take on board their employees’ desires to choose the latest devices, and create policies and practices that allow this sufficiently whilst maintaining control over security. In the end, whilst your employees are the biggest threat to security on your corporate network, they’re also your greatest asset, so long as your policies take their needs into account.