I’d like to preface today’s piece with something of a story. You’ve all watched heist movies, I’m certain – films like Ocean’s Eleven, The Italian Job, and The Usual Suspects. What’s one thing they all have in common?
A man on the inside.
See, the truth is that no matter what measures you take to protect your organization – no matter how much you harden your network devices and strengthen your encryption – there will always be a weak link. If a criminal cannot gain access to your business by targeting a security vulnerability, they’ll target your people, instead. Eventually, they’ll come across someone who lets them in.
Don’t worry – there is something you can do about this. Quite a bit, actually. Let’s talk about that.
Don’t Fight Shadow IT
Let me state right out of the door that the battle against Shadow IT is one that you cannot win. Thanks to the advent of high-tech consumer devices like smartphones and tablets – and their newfound prevalence in the enterprise – users are now more empowered than ever. What that means from an IT standpoint is that if they don’t like a solution you’ve mandated, they won’t use it.
They’ll simply look for an alternative, and won’t much care if what they’re using puts your business at risk.
Your job isn’t to try to force them away from those alternatives. You can’t. There’s always a workaround.
Instead, what you need to do is embrace it, to an extent. Look into why your users are resorting to these alternatives, and see if you can find a way to provide the same level of convenience with your apps – or better yet, see if there’s a way to let them use the apps they want without putting your organization at risk.
The biggest issue with end users isn’t that they’re stupid – it’s that they don’t always understand the risks ahead of them. While the identifiers of a phishing scam or the red flags of a malicious app might seem blindingly obvious to you, you’ve got to remember that not everyone has your level of technical knowledge. You also need to bear in mind that just because they don’t have that knowledge, it doesn’t mean they can’t acquire it.
It’s therefore critical that you take the necessary measures to educate users on how to avoid the myriad threats they may face, including (but not limited to):
- Adware, Malware, and Crapware
- Phishing Scams/Spear Phishing
- The tactics used by scam artists in social engineering attacks
- The importance of regular malware scans
Stop Treating Them Like Idiots
If you’re like most, you’ve probably read your fair share of idiotic user stories (r/talesfromtechsupport is a great subreddit). Thing is, while there are idiots in every organization, the majority of your employees aren’t stupid. Ignorant, yes, but not stupid.
And as I touched on in the previous point, that ignorance is partially your fault. If you treat a user like they’re stupid because they don’t know what a VPN is or stare at you with confusion when you use terms like “dongle” or “WAN,” you are the problem. And they’re going to resent you for it.
“[IT Professionals] describe the end users as idiotic because they think the end user doesn’t have any common sense,” writes CSO Online’s Ira Winkler. “There can, however, be no common sense without common knowledge. Users do not have the depth of knowledge that an IT person should in IT-related subjects. Users do not know the jargon that we use on a regular basis. It is not second nature to know how to install equipment.”
“What’s critical is that a competent IT person, especially one who does end user support, needs to know and understand that the end users do not have the same common knowledge they do,” he continues. “If they cannot accept that it is their job to make the most difficult technology understandable to just about any user, they should not be in the support role.”
Consumer applications are never going to be as secure as enterprise applications. Thing is, with more organizations than ever seeking to support BYOD, the chances that you’ll see widespread use of these apps within your business, especially on personal devices, have never been higher. Factor in the issue of user privacy, and you’ve potentially got a dangerous cocktail for your IT department to deal with.
On the one hand, you need to protect and track enterprise data and applications. On the other, you cannot treat employee information in the same fashion – nor can you afford to have sensitive information leaking out through a poorly-designed chat app. Luckily, there’s a very easy solution here: containerization.
By creating a separate work and personal profile on a user device, you’ll ensure that private information is kept separate from corporate data. Better yet, you’ll also lessen the chances that someone will compromise your business by using an unsecured application. App containerization strengthens this even further, especially if you can find a solution that secures both the apps and the communications between them.
Know That People Are Never 100% Secure
At the end of the day, no matter how much you educate your employees, people are fallible. Everyone makes mistakes, even you – and it’s dangerous to assume otherwise. In my time, I’ve seen plenty of IT professionals cause vulnerabilities just as glaring as end users (sometimes worse, because we’re secure in the knowledge that we know what we’re doing).
You need to take a proactive approach to protecting your organization from user error, even as you educate and enable your users. That means document control, an enterprise mobility management platform, identity and access management: the whole works. People are never entirely secure…
But that doesn’t mean you have to simply sit and wait for someone to commit a blunder.