Security Leaders: You Must Share Corporate Mindshare Across the Virtual and the Physical, or Risk Embarrassing Information Security Blunders

Modern enterprises recognize that to attract and retain top talent and stop chasing the allures of shadow IT, they must embrace a corporate computing experience that moves closer to consumer experiences. Enterprise leaders have been quick to mimic trends in the consumer world, chasing mobility, flexibility, and personalization, but this comes with a financial cost and increases data security risk. Enterprise leaders and the growing population of chief information security officers must act now to ensure their cybersecurity policy stretches to physical devices, too, including when employees are travelling or working remotely.

Enterprise leaders must balance boosting productivity with growing information security threats

It’s logical for employers to embrace solutions and practices that increase productivity and boost employee wellbeing, but they often fail to appreciate the security implications of their decisions. The paradox is that organizations are also investing more than ever in cybersecurity to secure themselves against external security threats such as hacking.

But one of the biggest threats is from their own staff and internal human error. IBM established in 2014 that 95% of security incidents involve human error. Simply put, when an employee walks out of your office with their laptop, tablet, or smartphone, they are physically walking out the front door with company files, information, and equipment.

International hacking makes the front page, but it’s the admin assistant leaving a USB memory stick or a laptop on the bus that causes the most damage

The average risk from an employee is comparatively small compared to a high-profile data breach. But what about when an employee leaves their laptop on the train or has their work device stolen—a relatively common occurrence. Let’s take a look at some high-profile examples; in 1990, the Royal Air Force lost a laptop containing plans for the first Gulf War when it was stolen from a car in west London. The laptop contained information about how the military planned to remove Saddam Hussein’s forces from Kuwait. In a more recent example, in June 2008, government documents detailing the UK’s policies toward fighting global terrorist funding, drug trafficking, and money laundering were left on a Waterloo-bound train.

Now you can bet that given the high-profile of these organizations, an external hack would have been a no-go for anyone other than the most talented hackers—but human error and complacency effectively handed over privileged data to any third party that could get their hands on the devices.

And this is the root of the problem. Human error plays a significant risk in security incidents, and anything as simple as removing devices from company property adds another layer of risk. Even limiting this factor, human error can still take place within the confines of an office space. Personal device security has become lax in recent years with staff failing to follow even the most basic procedures, such as locking their device when leaving their work station. Leaving a remotely controlled application running on a PC with a weak password call creates an easily exploitable back door.

Decentralized and shared office spaces such as WeWork are prime examples of how changing working practices open enterprises and individuals to risk. In these environments, it’s simply not possible to know if the individual sitting next to you is a competitor, hacker, or future best friend. But even with this uncertainty, professionals are unlikely to be practicing basic security hygiene.

Education, education, education—each employee must be a bastion of defense

There are multiple ways in which an organization can secure itself against the possible threats posed by flexible and decentralized working practices. The first line of defense is education; like anything, people need to have the basic dangers explained. They need to know that locking their device protects much more than the risk of a colleague sending out a joke email from their account when they leave their desk. Enterprise and security leaders must recognize that money spent on training is as worthy an investment as spending big on digital cybersecurity technologies.

Bottom line:  Don’t lose hope, increased pressure for secure working environments (from the beach if necessary) are driving solutions from the IT services giants—enterprise leaders must invest wisely

But there are also technological solutions that tackle the basics to add an extra layer of security. Most of the major IT services providers are pushing enterprise mobility management (EMM) products and services. Or, they are driving digital workplace solutions that keep privileged corporate data secure in the office or on the beach—balancing security with flexibility and productivity. An IBM EMM solution, for example, enables organizations to secure their files and information from theft through multiple features such as through the ability to lock, block, and wipe internet of things (IoT) devices over the air (OTA) in minutes. An organization may still incur the loss of the device in question, but this will most likely have negligible value compared to the information that could have been at risk.

Other examples include EMM capabilities built into ITSM solutions to manage device lifecycles and protect corporate data. Even Microsoft has developed a suite of technologies to help balance increased flexibility with information security. To an extent, the market is dominated by giant vendors of digital workplace solutions and productivity suites, but as the market for secure mobile technology grows, we can expect some innovative start-ups to move into the space with fresh solutions to help secure physical devices in a world increasingly obsessed with cybersecurity.

Simply put, in a world where data flows more or less constantly and is swiftly becoming the most valuable resource an enterprise owns—enterprise leaders must ensure they don’t spend all of their time budgeting for an international hack when an employee leaving a device on the train poses more risk.