The Wall Street Journal’s Geoffrey Fowler posted a piece yesterday that caught our eye. I think the title “What's a Company's Biggest Security Risk? You” speaks for itself, but the crux is that corporate networks are no longer the big enterprise security threat. Instead, users have become the primary entry point for security attacks.
While that’s an issue we’ve seen popping up in the news from time to time, what raised our eyebrows is the number of examples that have taken place in 2011 – it’s astonishing. Geoffrey references Sony Corp, Citigroup, EMC Corp – EA and Dropbox are two other situations we’ve covered – in which data was exposed.
Corporate networks are now for most part locked down, and users are the new liabilities. They’re the ones who tend to circumvent policies and when that happens, issues arise. BYOD – which we wrote about earlier in the week – is a perfect example of a growing trend across the enterprise that only exacerbates security problems. And that’s only one of a larger number. As Fowler put it:
“Employees have more opportunities than ever to compromise company information. We not only screw up by clicking on emails from hackers that download viruses, letting them bypass corporate firewalls. We also open a Pandora's Box of security problems by circumventing company tech-support rules and doing work with personal gadgets and consumer-grade online services like Web email and cloud storage services.”
What’s the driving factor here? One word: Cloud. With employees using SaaS apps without the knowledge or supervision of IT, cloud has the potential to transfer all the control into the hands of end users and LOBs – and away from IT entirely. And that’s where trouble starts.
While you can’t fix user behavior by dictating policy – those days are in the past – IT needs to make it easy for employees to be secure no matter what they’re doing, where they are or what device they’re on. IT must by definition switch their focus from being device-centric to people-centric.
That means they must determine how they can connect users with the cloud services they need independent of device, time and place. How? Familiarity. If they can replicate the security processes of some of the most commonly used applications like Facebook, Google and many online banking sites, through things like soft tokens and security questions, they’ll succeed in keeping their potentially weakest link– their employees – strong and secure.
As we say, lead, rather than impede. In the cloud, that’s one of the very most important things for IT to keep in mind.