Partner Insight: Why security is a human problem first

Fears about cybersecurity have risen in recent years, as stories of malign state actors, black hat hackers, organised criminals, industrial espionage and opportunistic attacks on high-profile platforms have spread. And with the media stoking fear of new technologies, it's easy to live in a state of constant paranoia and mistrust.

All of the above problems certainly exist, but to read many of these stories risks forming the impression that security is largely a technology problem, targeting technology flaws and chinks in the corporate armour. As a result, the response might be that it can be fixed with yet more technology, with little need for human oversight and intervention.

The human angle

However, the fact is that today's enterprises are only as secure as the least informed person in the organisation allows them to be.

Not because they are incompetent, lazy or unprofessional (though any individual might be), but because there has been a failure of security policy, management, communication and control - problems worsened by using preset, predictable or guessable passwords.

The organisation may also deepen its challenges by accepting more and more unsecured Internet of Things devices into the corporate network, some of which may have been rushed to market with insufficient security protocols built in.

IT leaders need to approach security first and foremost as a human problem, supported by standards-based technology. That means it needs to be tackled by drawing up a robust, forward-looking security policy that is read and understood by everyone from the chief executive to the most junior support workers who have access to core systems.

The coronavirus crisis

That challenge has itself been amplified by the COVID-19 crisis, which has forced the vast majority of employees to work from home using their own devices and networks. Both the policy and supporting infrastructure need to address those behaviours, in terms of secure authentication and access control.

This shift in employment culture and workflow is likely to have long-lasting effects - many of them permanent, as the financial, property, time and healthcare advantages of remote, agile working become increasingly attractive in an uncertain economy.

The end result is that the perimeter of the organisation now extends to every device and node that accesses, hosts or stores corporate data and applications.

Clearly, the extended, remote enterprise has now bypassed the long-established and limited concept of on-premises, perimeter-based security. As a result, organisations need a better way to gain insight into, and control over, a more dispersed and diverse network that is constantly morphing into new, user-driven shapes.

A new definition of trust

Visibility and control over that type of network means redefining trust by moving away from the concept of a trusted device, and towards the need for constant verification and authentication within the terms of an all-embracing security policy.

Arguably, there are risks in what some might see as an assumption of guilt - i.e. that every access attempt is a potential hack. But the reality is that in the new, dispersed, and more remote organisation, explicit verification based on user identity, location, device, data and application is essential in order to detect and prevent anomalous behaviour.

After all, while some anomalies may indeed indicate hostile intent, others may simply be accidental access by family members or friends, or by curious bystanders if a device has been left unattended in a cafe.

Regardless of whether an unauthorised access attempt is malicious or simply idle curiosity, the potential risk to corporate applications, data, communications and reputation is the same and needs to be minimised.

A no-trust policy

The new ‘no trust' environment should be focused on identity, device, sensitive data, applications, infrastructure, and the network itself.

Strong, multi-factor authentication is essential, as are policy-based access, automation, intelligence - including artificial intelligence (AI) - and the ability to classify and protect data.

The security policy, the supporting infrastructure and the verification regime all need to work in support of strategic business aims and day-to-day operations.

So how are IT leaders responding to these challenges? Computing Research spoke to 150 IT leaders across every key sector of the economy and asked them how significant a range of issues had been in terms of managing the IT estate.

Cybersecurity risks and breaches were their second biggest concern after remote working itself, with respondents averaging a score of 7.43 on a scale of 1 to 10 (with ‘1' meaning a marginal effect and ‘10' a very significant impact).

However, the good news is that security was also the number two driver for implementing cloud-based remote device management systems, cited by over half of respondents. Again, tackling the challenges of remote working provided the single biggest impetus for acquiring the technology - reinforcing the case for a multi-layered approach to security, starting with hardware, the use of intelligent end points with embedded AI, and robust cloud-based remote management.