Security has always been expensive, and it’s getting worse. In fact, a recent survey shows 60 percent of enterprises in the U.S., Canada, UK and Australia increased their IT security spending since last year. Of the U.S. companies surveyed, nearly 50 percent said a cyber attack would cost them $15 million.
The high price of defending against cyber attacks exposes an age old problem in information security: how do you balance security requirements with maintaining your business’s bottom line and ability to deliver service? The average business doesn’t have an extensive security team or IT budget to stay on top of emerging threats – like spearphishing attacks, malware and trojans – and even large enterprises must focus the large portion of their IT resources on day-to-day, mission critical operations rather than on cutting-edge security.
The fact is, there’s no single technology solution that will address today’s most urgent security woes. Instead, companies must ensure that they’re not just investing in technology, but also nurturing a security-conscious workplace culture – a “human firewall.” This human firewall has three main components: employee education, minimizing human error and getting ahead of new threats. But the main objective of a human firewall is to raise the awareness of end users or employees to such an extent that they become a solid line of defense against attempts to compromise your systems or organization. Building a human firewall is more than just providing one-off security training, and it’s more than telling your users what’s bad and giving them boundaries. A human firewall seeks to stop humans from being the weak point in organizational security, by upgrading users to think securely.
Education must involve every level of the organization, and not simply treating security training as a compliance based “check-box” chore; there is much debate about the value of security training anyway. We train users not to click links in unexpected emails, yet they still do even after hours of training and publicity of the risks. Spearphishing in particular is a risk that is hard to explain to many end users, due to the nature of well-crafted emails and social engineering. Educating users here is very much a one-off or point in time effort, which rarely relates directly to the end users’ experience in their inbox.
Decision makers need to realize that classic, anti-virus vendors can’t protect their business from emerging threats like spearphishing, and the old fashioned firewall is no longer a clear line between clean and dirty networks. To truly protect corporate data, all employees must be taught to think like security professionals, or at least be cautious enough to think twice before acting. For example, they must treat every email in their inbox with care, and avoid clicking links that appear suspicious, out of context, or plain out of the ordinary. They must also pay attention to the URL and vet the source of the email.
IT departments are not excluded; they need education too, particularly in how to implement policies that are secure but also aren’t so restrictive that they disrupt the flow of business. IT should also be aware of their own vulnerability – for example, IT teams often have elevated administrative privileges on the network, as well as weaker controls for email attachments and internet browsing. As a result, administrators have become the defacto target for attacks, as they allow an easy pivot point to gain access inside the network.
Minimizing human error must involve pre-empting human nature. Hackers and spammers exploit human nature by using social engineering to gain trust, for example by manipulating users into clicking on malicious links in emails that appear to be from legitimate sources. This increasingly popular attack method, known as phishing, requires the user to be complicit by clicking the link – which is why the most surefire defense is educating employees about the threat. However, new technologies, including sophisticated email gateways are also helping to deal with these threats by creating unique safe links in every email hyperlink before it reaches the user’s inbox. Since some employees will invariably click bad links, an added layer of protection is vital to protect users who either accidentally or intentionally fail to follow training and guidance.
Finally there’s the issue of emerging threats themselves. The nature of new threats, like phishing and malware, is that they constantly change and adapt to the latest security measures. Last year, an average of 82,000 new malware strains appeared every day, for a total of about 30 million unique new threats, according to a recent report by Panda Security. With such immense accumulation of new attacks, smart security investments can’t rely on yesterday’s “tried and true” methods to stay ahead of the game.
In fact, any infosec strategy that relies on an old school LAN solution – i.e. anything that requires an on-premises appliance, tethering your company to its LAN – prevents you from getting the most benefit out of today’s cloud solutions. Due to its scalability and agility, lower cost of ownership and better capacity for collaboration, the cloud has become the first place to go when looking for new technology. With a cloud service, full-time security experts can fill any knowledge gap your IT staff has, keeping you protected from both external and internal threats.
We can’t live in a world of infosec extremes. Neither perpetual fear of the next big attack – which leads to overly restrictive policies and investment in bloated solutions – nor surrendering to shadow IT, is a sensible option. The human firewall is a more balanced and proactive approach to infosec that avoids both risks. If companies fail to adopt this proactive and preemptive infosec strategy, then cyber criminals have already won.