In my last article, I mentioned Cisco’s recent quarterly survey, in which 80 percent of IT customers surveyed admitted that they felt comfortable with the security technology already in place. I’d like to start there again, but take the focus in another direction — the endpoint of the network.
Traditionally, the endpoint was a desktop computer, but today it can encompass anything from tablets to smartphones. In the case of the Target breach, it was the point-of-sale system. Protecting the endpoint has become a challenge as attacks have become more sophisticated. With nearly 52 million different viruses appearing monthly, it’s impossible for antivirus software to combat security threats alone. Simply installing antivirus isn’t enough anymore — if you have even installed it in the first place. A recent survey from antivirus maker Avast says that 34 percent of people don’t have any antivirus installed on their smartphones. That’s an alarming percentage, considering that people look to their phones and tablets for everyday sensitive tasks and have retired the use of a traditional PC. Although the device has changed, the risks have not gone away.
Getting back to the discussion on the business network, antivirus alone is not enough. A great reference as to what is needed to help protect endpoints is the Australian Signals Directorate Strategies to Mitigate Target Cyber Intrusions (ASD). The ASD is Australia’s counterpart to and working partner with the U.S. National Security Agency (NSA). The ASD publishes a regularly updated manual on the best practices for preventing cyber incidents. Following their top four strategies, by their estimates, would prevent 85 percent of the attacks they investigate. Their top four mitigation strategies are ranked in order of overall effectiveness and are as follows:
- Use application whitelisting to help prevent malicious software and unapproved programs from running
- Patch applications such as Java, PDF viewers, Flash, Web browsers and Microsoft Office
- Patch operating system vulnerabilities
- Restrict administrative privileges to operating systems and applications based on user duties
Looking at each strategy, you can see that solely having antivirus software installed doesn’t make devices any more secure. Desktops require constant updates and maintenance to remain protected. This holds true with tablets and other devices. The final strategy, restricting administrative privileges, begins to address user capabilities regarding application installation. While many companies still allow end users to install whatever they please in an effort to reduce calls to their IT department, if there is an IT-focused department or individual, this affects both sides — and not always for the better. Just as users can install whatever applications they choose, they can also unintentionally install bad applications, namely covert malware. Moreover, people left to their own devices will install software and neglect updates or fail to secure their networks as previously mentioned. Unfortunately, all of the previous mitigation strategies can be undone in one swoop.
Organizations need to set the tone with their employees on what is expected of them when they access and utilize computer technology & data on their networks. Management must be perfectly clear on its expectations of employees regarding their behavior when accessing private data. This includes defining what their individual responsibility is for proper handling and reporting of suspicious behavior. Employees need to be educated and trained on what to do and how to do it.
Today, you can’t leave anything to chance or assume that individuals will do the right thing. Employees may not be aware of what the right thing is — or worse, not know what the wrong thing looks like. Therefore, well-documented policies that are repeatedly enforced are vital. Other forms of awareness training are also needed as the ruses that trick people change almost daily. Nearly all of the major security incidents reported in 2013 were the result of human error or deception.
People are truly eager for information on how to be safer both at home and in the office. This is an opportune time for organizations to update their security policies and educate their employees on the risks and proper use of technology. Nobody wants to be the cause of a security incident that leads to company losses, but unfortunately every day someone becomes just that. Everyday employees can become sentries by reporting suspicious activities. The more people who are on the lookout for security, the better. Today’s threats are not going away anytime soon, and in fact things will probably get worse before they get better.