The New Security Perimeter Is Us
Not so long ago, firewalls and security gateways were the heart of security infrastructures. We saw the rise of Palo Alto Networks, which brought us the next-generation firewall — a very advanced piece of technology that still focused on securing networks.
And then we fell in love with our smartphones, our cloud apps and the convenient way to do things that once used to be cumbersome. Suddenly, it became easier to share data, collaborate on projects and access anything, at any time and anywhere, including our sensitive work files.
And today, these new technologies are not new anymore. They have become fixtures in the workplace. They speed up productivity and enable today’s mobile and globally dispersed workforce to work conveniently and at all times. However, with that anywhere/anytime access comes a significant increase in breach exposure points.
The challenges in combating the growing data breach problem have been greatly complicated by the fact that the way we work has changed dramatically. We live in a world where the enterprise perimeter has been stretched so far that it has become nonexistent.
The New Security Perimeter Is Us
Hackers have followed the trends. While next-gen firewalls added layers and layers of new threat prevention technologies, hackers changed their attack vector to focus on us. When user credentials are the attack vector of choice, it becomes clear that the new security perimeter is us. We saw it with Yahoo not once, not twice, but three times over — and with each data breach, an incredible number of user accounts were compromised. We now see companies make the headlines on a regular basis for data breaches — breaches that could impact hundreds of thousands or even millions of people. Hackers are targeting personal data such as healthcare records and tax returns, which have high ticket prices on the darknet. There is no end to breaches despite the best technology.
Interestingly, more often than not, data breaches can be prevented — or, at the very least, exposure to such data can be limited — if simple steps are taken by employees to show more care with company data.
As employees, we tend to favor convenience over security, which makes sense — we all want to succeed as we do our jobs as quickly and as efficiently as possible. But the price to pay could be high. As consumers, though, we often have different instincts regarding our data. We hesitate before sharing social security numbers, keep our tax returns confidential and make sure our accountants have secure communications. In other words, we try to safeguard our personal data much better than corporate data even though we rarely have the same security tools at home.
The reality is that we need to start treating corporate data as carefully as our own data. Whether we recognize it or not, we are consumers and users, and without a change in our own behavior, everyone’s user identity will at some point be exposed.
A Call To Arms
If the new security perimeter is us, how can a company possibly protect its sensitive information if it doesn’t have full support from every employee across the organization? Well, it can’t. We need a true call to arms — one that comes from the top right on down to all employees. We must treat corporate data as sacred, just as we would treat, or should treat, our own personal data. If we don’t feel a sense of ownership over the data we use to get our jobs done, chances are we may become exposure points for our employers. Until we collectively recognize and place value on corporate data, we’ll never win this war against hackers.
More importantly, we have to raise the next generation of users with this principle in mind: those born with a device in their hand, who think that all data resides in the cloud. What we see as convenience is a way of life for millennials, and it is critical to educate and help change their behavior since they are becoming the employee base of tomorrow.
Employees, Not Just IT, Need To Be The Stewards Of Corporate Data
Last year, an HR employee at our company received an email from the CEO asking for all employees' salaries to be sent to him immediately. This was an odd request, so the employee checked with the head of HR, who texted the CEO to confirm the request.
It was a social engineering attack.
Our IT department immediately drafted an email to the whole company to explain the incident and made every single employee aware of the attack and the possibility of other such incidents occurring. This was a perfect case of an employee flagging a suspicious request and an IT department taking immediate action to train the whole workforce. Since then, we have had many employees report suspicious data requests, emails or files. Security awareness training, strong password practices and access management policies will certainly help reduce the risk of a data breach, but it is critical that employees and IT work together to detect and prevent cyberattacks, feeding each other with potential security incidents and deploying immediate warnings.
We are all now part of the new security perimeter for the company we work for, and it is time to recognize that security is not just an IT responsibility. Ultimately, we are the principal holders of the all-important “keys” to the kingdom — and, armed with security awareness tools, we can be the good corporate stewards of vital company data. Above all, executives need to lead by example and ensure that every single employee recognizes the value of corporate data and the important role that they have in keeping that data safe. Not only will this keep every user’s personal data safe, but it will certainly provide that much-needed layer of perimeter defense against the next lurking hacker.
This article was previously published on Forbes.com.