In a never-ending cycle of high-profile security flaws and breaches, enterprise security has never been more important. However, according to the latest PwC ‘Global State of Information Security Survey’, security spending has dropped by a third in the last 12 months. It’s clear that the threat is there, but the evidence suggests some businesses are still adopting a “security through obscurity” strategy; i.e. wrongly assuming their corporate data is of no interest to hackers because they are a small or medium-sized enterprise.
This lack of spending can often produce an unclear IT security strategy, with teams relying on manual processes such as password spreadsheets to keep accounts secure. This problem is exacerbated by the bring your own device (BYOD) culture and remote working, which are making it difficult for companies that don’t have the right technology to have an all-encompassing view of their security. In many cases, this results in employees becoming the first line of defense against outside threats to protect company data. According to our recent study with Ovum, more than half of IT executives surveyed rely on employees alone to monitor their own password behavior, subsequently leaving the company at risk. While it’s important that employees are adequately trained in security practices, it’s also crucial that IT teams make the right investment of time and resources to take control of company security.
With that in mind, here are 4 ways businesses can revamp their security policies in 2018:
Address the problem
This may sound like an obvious starting point, but many businesses are failing to address security failings within their organizations, even though they know they exist. For example, when it comes to password management, many IT teams hold the view that if it’s ‘not our password, it’s not our problem’. Employee passwords are chosen by the employees, and so they should be the ones that manage and control them. However, according to Verizon’s 2017 Data Breach Investigations Report, more than 81 percent of breaches are caused by weak, compromised, or re-used passwords, so this isn’t a fool-proof approach. Furthermore, our recent survey found that more than three-quarters of employees reported that they have problems with password usage or management at least once a month, with many saying they don’t have the support they need. Clearly, it’s time for IT teams to address the elephant in the room and take back control of password management for employees.
Take a holistic approach
It’s important that businesses understand that the lines between work and personal are increasingly blurred, and this extends to security too. IT teams need to acknowledge modern working behavior, as ‘bring your own device’ and working remotely become more popular, and tailor policies and practices to match this behavior. This will involve looking beyond an employee’s work log-in and not being limited to passwords that only relate to the company. One only needs to look at the Yahoo breach, where three billion passwords were stolen, to understand that there are a multitude of entry points for attackers to access business data. For example, if an employee checks their personal emails at work, and clicks on a link containing malware, the entire organization’s network could be at risk. The sooner IT teams understand that they need a 360-degree view of employee security, the stronger the company defenses will be.
Educate your employees
Part of taking on the responsibility of enterprise security should involve educating employees in best practices. These should stress the importance of complex, unique passwords across all accounts, as well as the risks surrounding public Wi-Fi networks, and what employees should and shouldn’t access on them. Companies should draw up a security policy and regularly educate and re-educate both new and existing staff. A good way of engaging employees in security education is through gamification, which can incentivize them to understand and practice good habits. Gamifying security is also a way for organizations to understand the human element of security. For example, employees could be scored on the strength of their passwords, and the employee with the highest password score gets a prize.
Invest in technology – and make sure it’s up to date
Finally, there’s no excuse to be relying on manual processes to manage enterprise security. Tracking employee passwords in an Excel spreadsheet, or sharing credit card details via pieces of paper, aren’t effective ways of managing security. Investing in technology that will allow you to easily manage confidential data should be a must for businesses of all sizes. Similarly, companies should ensure they turn on multi-factor authentication for users across all company accounts, which can be anything from biometrics to a one-time passcode via app.