The younger generation of ‘digital natives’ entering the workforce simply expect the same flexibility in their work life as they are used to in their personal life.
Meanwhile, cyber threats are becoming more sophisticated, targeted and insidious: viruses, malware, spyware and phishing attacks are being tailored to exploit the security holes created by these new devices and online tools.
To protect itself, an organisation needs to create an extended security model that secures not only the network infrastructure, but also the new “endpoints” being used to access the corporate network. Several areas need to be considered:
- Enhance endpoint security
- Control network access
- Mitigate risk via corporate HR, IT and legal policies
- Educate employees
1) Enhance endpoint security
Today’s employees may use a range of devices in their work: a laptop in the office, a smartphone on the weekend and a netbook while travelling. Each one is an “endpoint”. It is when employees take devices out of the office that they become an exploitable leak in the organisation’s system.
An unsecured endpoint may allow a cybercriminal to access a device or corporate network by collecting and re-using an authorised account and password, or by taking advantage of the user’s access when he or she is logged in. To combat this, organisations need to approach endpoint security from a combination of angles covering the device, network and data.
• Restrict access to the device itself by one of the many access management and identity authentication tools available, including strong passwords, biometric scanners, smartcards and security fobs.
• Use host-based firewalls, anti-virus, anti-malware and identity management software to better secure the endpoint. In addition, whitelisting or behaviour-based threat protection can identify known and unknown threats so that they can be quarantined and eliminated.
• Consider using encryption technology to provide an extra layer of protection for highly sensitive data downloaded to and stored on devices.
2) Control network access
Network access control (NAC) provides a layer of protection against improperly used, infected or rogue endpoints attempting to connect to internal network segments.
NAC does this by requiring devices to prove they are safe to connect to the network (pre-admission), and dictates where endpoints are authorised to go and what they are authorised to do. If the endpoint doesn’t meet the entrance criteria, NAC technology can quarantine and remediate non-compliant, infected or misconfigured systems.
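The pre-admission and post-admission logic described above, written out as an added illustration (not a real NAC product's code; the posture fields, thresholds, role names and segment names are all constructed assumptions):

```python
from dataclasses import dataclass

# Constructed posture report, as a NAC agent might return it before admission.
# Field names are assumptions for this illustration, not a real product API.
@dataclass
class Posture:
    device_id: str
    role: str                     # "staff", "contractor" or "guest"
    av_running: bool
    av_signatures_age_days: int
    firewall_enabled: bool
    disk_encrypted: bool
    os_patch_age_days: int

# Entrance criteria (pre-admission): what a device must prove before it connects.
MAX_SIGNATURE_AGE = 3
MAX_PATCH_AGE = 30

# Post-admission authorisation: where each role's endpoints are allowed to go.
ROLE_SEGMENTS = {
    "staff": ["corp-lan", "file-servers", "internet"],
    "contractor": ["project-share", "internet"],
    "guest": ["internet"],
}

def remediation_items(p: Posture) -> list:
    """Return the entrance criteria the device fails (empty list = compliant)."""
    items = []
    if not p.av_running:
        items.append("start anti-virus")
    elif p.av_signatures_age_days > MAX_SIGNATURE_AGE:
        items.append("update anti-virus signatures")
    if not p.firewall_enabled:
        items.append("enable host firewall")
    if not p.disk_encrypted:
        items.append("enable disk encryption")
    if p.os_patch_age_days > MAX_PATCH_AGE:
        items.append("install OS patches")
    return items

def admission_decision(p: Posture) -> dict:
    """Admit a compliant device to its role's segments, otherwise quarantine it
    on a remediation-only segment together with the list of things to fix."""
    failures = remediation_items(p)
    if failures:
        return {"device": p.device_id, "action": "quarantine",
                "segments": ["remediation"], "remediate": failures}
    return {"device": p.device_id, "action": "admit",
            "segments": ROLE_SEGMENTS.get(p.role, ["internet"]), "remediate": []}
```

A device with stale signatures and no host firewall never reaches the corporate segments; it only sees the remediation network until the listed items are fixed and it is re-assessed.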
3) Mitigate risk through policies
Technology is only part of the security solution. Update corporate policies to define and mandate the behaviour required of employees. Take a comprehensive approach by involving not only IT, but also human resources, legal, risk and senior management teams in setting and managing policy. Policies and employee education programmes should cover:
• Where and when devices can be used.
• Securing devices used to access the corporate network.
• Rules for copying sensitive data on to external media such as USB devices, DVDs and CDs.
• Password management.
• Data ownership and surrender/access, distinguishing between applications and data of the organisation and the employee.
• Appropriate use of technology in the workplace, including HR issues such as workplace bullying, confidentiality breaches and so on.
• Appropriate behaviour, confidentiality and disclosure on social networking sites, and
• Consequences for breaching policies or programme guidelines.
4) Educate employees
Use an ongoing communication programme to educate and remind employees about the potential security threats and the role they play in protecting company infrastructure and data. Employees need to be conscious of their responsibility to protect and secure devices that enable access to the corporate network or sensitive information. Not only do they need to be familiar with the corporate policies, they need to understand that compliance is mandatory and what the consequences of not complying are.
Balance security with productivity
While consumer IT in the workplace is an unstoppable trend, it doesn’t mean it needs to be a free-for-all. Productivity fundamentally involves employees using their time efficiently and effectively. This requires tools and access to resources and information, when and where employees need them.
When assessing what consumer technology is appropriate for the workplace, the IT department needs to measure the productivity benefits of the technology against the security risks and costs. Monitor and audit the current IT environment to determine how workers are using their time, how productive they are, the response time of the network and applications, and how well the security model is protecting the technology.
Consider an employee’s role requirements to determine whether they have the technology they need to do their jobs effectively. To do this, survey employees about their needs, whether they use the IT tools they’ve been given, and whether they see potential benefits from other tools, including consumer technology. IT can then determine what degree of mobility and selection of consumer technologies can be offered to staff.
With many mobile IT devices readily available, the growing popularity of social networking sites and web 2.0 applications and younger-generation employees entering the workforce, it is inevitable that employees will demand access to more consumer technology. Organisations can harness the productivity benefits by embracing the trend while proactively managing the potential security risks.
Brett Hodgson is managing director of Unisys New Zealand.