Essentiality of Security across Organizations
By Jason Flynn, CIO, Tourism Australia
I’m still surprised by how often I see this with people I interact with from all types of organizations. Given the number of enterprise mobility solutions available in the market today, there are still organizations without sufficiently modern mobility strategies or tools in place to empower their people to be securely productive anytime and anywhere.
How Did We Get Here?
Over the years, technology departments have built up defences, much like a medieval castle. The same way the fortified walls were constructed in the Middle Ages to keep citizens and nobility protected, organizations have built layers of defences to keep everyone inside (systems, data, IP) safe, and let out only what we choose.
But with the advent of the modern mobile worker enabled by cloud services and consumer devices, the village has moved outside of the castle. The walls have been broken, not by those seeking to find a way in, but by the technology available to our users letting them simply pick up and move out. All the years spent building perimeter-based network security is essentially ineffective because data is no longer passing through the perimeter or stored on devices controlled by IT. Company data no longer remains within the walls of the organization.
Employees and end users today know enough about technology to get what they need when and where they need it. If an employee uses ‘the thing’ issued to them by their enterprise to access data, yet the experience is slow, restrictive, poorly designed or onerous; they simply find another way. The most obvious and frequent method is simply to email work to their personal account where they can use what’s readily available to get their job done as efficiently as possible. User - 1, Enterprise - nil.
To be fair, the online world for mobile users is an increasingly scary place for CIOs and enterprises. The Verizon 2018 Data Breach Report shows that 87 percent of breaches took only minutes to occur, yet 68 percent of these took months (or longer) to discover. The ‘village outside the castle’ operating model for most organizations has created new attack vectors for all of us to worry about.
As attacks become more targeted, sophisticated and impactful, the knee-jerk reaction of many IT departments has been to lock everything down, centralize and isolate access.
Employees and end users today know enough about technology to get what they need when and where they need it
Generally, this surfaces as a complex combination of tools that allow users to get access to a secure vault, at the expense of employee productivity and engagement. However, there is another way…
The endgame for a successful enterprise mobility strategy is to strike the balance between usability, manageability and security—to provide users with seamless mobile experiences allowing them to be their most productive AND give IT the visibility and control required to protect enterprise data in the face of increasing threats.
Know Who is Accessing Your Data :
As the secure perimeter has become weakened by the rapid movement to cloud services, identity has become foundational and provides a new perimeter in any enterprise mobility strategy. It is critical IT can ensure everyone accessing data is who they say they are. Multifactor authentication (MFA) is a key part of any security strategy to ensure your users have verified identities as they travel across devices and locations. But to make this a seamless experience, it’s important to go the step further to introduce a conditional policy to prompt the user for this additional layer of security, when and where we see risky behaviour in their profile.
Grant Access Based on Risk :
Creating a risk-based, conditional, access will ensure only devices compliant with your policies can access corporate data using known, trusted, identities. Conditional access needs, in real time, to govern access to on-prem and cloud assets based on the risk presented by the users’ identity, devices, apps, and location. Identifying risk in user behaviour, such as your VP of Marketing logging on in Sydney at 9 am and somehow again from Hong Kong at 10 am, should be prompting automated actions to enforce an MFA prompt or password reset.
Protect Data in Transit :
If you are using solutions such as Office 365, ensure you are taking advantage of Message Encryption and Transport Layer Security to provide defence in depth and encrypt at the individual message basis in transit. Plus enable Data Loss Prevention (DLP) to ensure messages are only able to be opened by intended recipients. It is possible with the tools available today to make data self-protecting and store the privileges and rights in the documents themselves, ensuring protection on and off the network, in transit and at rest.
Discover and React to Breach :
It’s important you find the right toolset to monitor and control all the enrolled devices across the fleet. Look for vendors who have put significant research, effort and resources into deploying AI based signal tracking into their mobility solutions. By bringing these smarts into your organisation, the IT department can concentrate on higher value projects, and let the tools handle the bulk of monitoring and responding in real time. Get your IT department trained to effectively use the AI scanning built into the tools, so the action is taken in the background on behalf of the user as often as possible.
Ensure Your Users Love the Experience :
Your employees know more about technology than most IT departments are willing to give them credit for. Ensure you take them on the change journey and explain through regular communication in plain language what is happening and why. They understand why their bank uses mobile confirmation codes to protect their personal internet banking—MFA is the same thing for your enterprise data. Your employees will appreciate being part of the journey, rather than what they may perceive to be having more productivity blockers put in their paths.
Aim to deliver an experience that allows users will be productive in a way you trust but ensuring that you make the experience seamless. If you don’t provide this, your end-users will go it alone, and that’s where the success of your enterprise mobility strategy will be won or lost.