Views
1 year ago

CSLATEST

cyber warfare REAL

cyber warfare REAL SOLUTIONS, NOT BAND AIDS! ENTERPRISE I.T. IS FACED WITH A TREADMILL OF CHALLENGES FUELLED BY NEW CLOUD AND MOBILE INITIATIVES. HOW CAN THESE BE ENGAGED WITH AT THE HIGHEST LEVEL AND OVERCOME? The need to ensure security compliance in an increasingly agile world where BYOD is becoming the new mobility norm, with or without IT's blessing, is both complex and potentially costly. While workers should be good custodians of enterprise data, the evidence suggests that they often are not. "Keeper Security, a provider of password management and digital vault software, conducted a recent study of password usage and found that the most popular password, making up nearly 17% of the 10 million passwords reviewed, was '123456'. Can enterprises really rely on users to protect their data from today's cybercriminals, even with safeguards in place?" asks Dan Dearing, senior director of Product & Solutions Marketing for Pulse Secure. In their solution search to lock down their mobile users, enterprises are often steered by vendors and other market influencers to bestof-breed point Enterprise Mobility Management (EMM) solutions, he says. "These sophisticated solutions are deemed too complex by the resource-constrained IT teams of the small and medium enterprise. Instead, many looked to their Microsoft Exchange email server as a quick band-aid." As these enterprises adopt more sophisticated mobility strategies that now include mobile apps and BYOD, they are finding that Exchange has some critical shortcomings, Dearing adds. "Exchangebased mobile security is best suited for corporate-managed devices that do not require the use of a BYOD container to protect enterprise data while also respecting user privacy. As workers look to mobile devices as a laptop replacement, IT teams are mobilising legacy applications and now need a way to manage the deployment and use of enterprise apps - a capability not provided by Exchange." So, how can enterprises best secure their users without burdening their IT team? "The best advice would be for organisations to look for lightweight EMM solutions that manage a security container and not the device. Security containers, such as Android for Work, are embedded directly in the device. Combine that with a complex PIN/passcode on the device and the use of certificate authentication for application access, and enterprises can give workers the user experience they desire, while ensuring enterprise access to data centre applications and cloud services is compliant with their 28 computing security Jan/Feb 2018 @CSMagAndAwards www.computingsecurity.co.uk

cyber warfare required security policies and regulatory standards," he advises A final tip he offers is giving more consideration to regular device discovery and auditing, especially as laptops and other devices move within and sometimes leave the organisation; there can be devices that slip through the management cracks, leading to dangerous, but often overlooked, weaknesses. "Constant vigilance is needed to ensure that new OS updates and patches are applied to preserve security controls for information access," he states. CULTURE OF SECURITY According to Marc Sollars, CTO, Teneo, one of the biggest challenges for companies' senior managers is how to embed a culture of security within their organisations. "Leading on from that, the challenge is where to find industry innovations that make security rules and applications simpler - perhaps even enjoyable - to use. Whisper it, but could staff move on from being the weakest link in information security?" In the last couple of years, software vendors have successfully reinvented two-factor network authentication, notorious for its clunky security tokens, as a 'single tap' twofactor authentication on staff mobile devices and tablets, he points out. "This easy set-up makes employees' network log-in process less onerous, but it also enables staff to report suspicious activity on their network with a similar 'one tap' action. The employee makes a single tap on a smartphone screen button: green - 'approve' or red - 'deny' as their second stage of authentication after inputting their usual network password. Staff members no longer have to fumble with 'key fob' tokens or manually input codes, and the streamlined access reduces the incidence of user input error and passcode reset requests." This simpler access, says Sollars, also means that company help desks and IT teams' time is freed for managing more valuable tasks for their organisation. "But the real breakthrough from this 'inclusive' type of innovation is ensuring that information assurance rules are being followed from board-level, right down to endpoints like mobile phones. Internal launches of easy-to-use information security tools provide the opportunity for companies to motivate employees, reminding them that they are essential to security policy and will play an ever-more valuable part in locking down their organisation's business-critical assets. In time, staff will gravitate from being the weakest link to at the very least becoming the company's eyes and ears," he concludes. A lot of companies are backing such innovations by moving from standardised security training towards practical development or even gamification of their employees' knowledge and awareness. In many UK organisations, it is reported, the IT department follows up first-stage training sessions with a second stage of unannounced internal phishing and scam emails to their own employees; those showing inadequate knowledge are then required to carry out reminder tests. In any successful, large international business, there are plans for controlling almost every facet of operation. Even allowing for that, some things just happen. Mobile security/device management is no exception. It's worth looking at some instances where this has had to be tackled and resolved. SMART MOVE? When management at a large, global manufacturing company saw that an increasing number of employees were using their smart phones and portable electronic devices at work, they decided to allow it, without any plan or any security measures put into place initially. "We did it backwards; we let employees use their devices and then later we made some decisions about mobile device management [MDM]," said a manager of security for the manufacturing company. Dan Dearing, Pulse Secure: organisations should look for lightweight enterprise mobility management solutions that manage a security container and not the device Marc Sollars, Teneo: people should be engaged in a dynamic and inclusive way when it comes to thinking about their critical business information assets. www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2018 computing security 29