Don’t fall asleep at the screen: why the ‘passive’ employee security mindset has to change

In an era of consumer-friendly technology, such as tablets and wearables, security is often 'baked' into devices. This is provoking a dangerous trend with technology now being ready to use 'out of the box' and is creating complacency among users.

For example, the popular operating system Android is increasingly targeted by hackers, yet many users have not downloaded any additional software to protect their devices. We’re so used to built-in firewalls, encryption and secure access that basic security is often overlooked.

Oversights such as this are posing a growing threat to enterprises as employees take their own technology into work and connect it to the corporate network, part of the Bring Your Own Device (BYOD) trend.

> See also: Big data: managing the legal and regulatory risks

This risk is continuing to increase. The popularity of tablets, smartphones, and now smart watches and other wearable technology, is seeing a surge in the number of Internet connected, insecure devices entering the workplace. These connected devices, collectively known as the 'Internet of things' (IoT), are complex to manage and require a proactive approach to security.

The IoT is set to grow exponentially. Analyst IDC predicts there will be over 28 billion active IoT devices by 2020. Meanwhile, Gartner forecasts 4.9 billion connected 'things' will be in use in 2015, an increase of 30% from 2014, and says this figure will reach 25 billion by 2020. 

People: the weakest link

At the same time, it is widely accepted that people are often the weakest link in the chain when it comes to security. It is usually employees who grant access to hackers, whether intentionally or through social engineering or phishing scams. Most commonly, data breaches are caused by humans. One only has to look at the high profile data breaches suffered by several large companies in recent years, to know how common this is today.

It is true that education is the only way to counter the growing user threat, but the problem goes further than that. Employees are so familiar with technology, thinking about security requires radical cultural change and is often overlooked.

Currently, the only time an average employee considers security is when it affects productivity or usability – and they will then find ways to work around it, creating even further headaches for organisations.

A transformation is needed, of both company mindset and user behaviour. It entails recognising security risks and taking the appropriate action. But how can this be implemented across an organisation from top to bottom?

A new approach to security

For many enterprises, their approach to IT security has changed significantly over the last 25 years as threats have become more complex and sophisticated. In the days when distributed denial of service (DDoS) attacks were rare and difficult to orchestrate, it was enough to simply install a firewall and some basic anti-virus software. But now the role of Chief Security Officer (CSO) – or even 'chief data officer' – is increasingly common as firms acknowledge the need to strategically plan threat mitigation.

However, change is only effective if it is continuous, which means IT security – and attitudes to it – must also evolve. This can only be achieved by placing security at the forefront of the business.

As part of this, it is important to be strategic. Firms must plan ahead for the coming years, rather than just looking at current security risks.

One approach could see businesses building security into employee inductions. By introducing this method at the very beginning of an employee’s time at a company, a proactive attitude to security can be baked in.

Another option is the recruitment of ex-hackers, or 'white hat' hackers, to test the resilience of the business network and reveal any weak points. This is becoming an increasingly common practice. Last year, KPMG research revealed that over half of all UK businesses would consider hiring a hacker, or someone with a criminal record, to keep ahead of the game.

An additional method of mitigating security threats is to choose a Managed Service Provider that can offer robust security solutions, and advise on executing a solid strategy.

Security threats are only going to get worse and this leaves many firms in need of a helping hand. An expert, such as a Managed Service Provider, can act as a responsible third party. They can also take on a consulting role, providing training and education for both employers and employees on the best practices around IT security.

As multiple devices continue to enter the workplace – some of which are inherently insecure – it must be clear that security is the responsibility of each and every employee.

It is time for a proactive approach; user complacency must not be allowed to grow in any firm. This makes strategic planning for security issues in the years ahead integral for every modern business.

Compromises cannot always be avoided. But if users are educated sufficiently and continuously, it can go some way to protecting the business, now and in the years ahead. 

Sourced from David Ellis, head of Technology and Services EMEA, Arrow ECS

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data
Data Breach