Arraya Insights | October 11, 2016
A new study from NIST suggests that security fatigue could be putting businesses at risk. There is something futile in an end user’s attempt to keep your computing environment safe. After all, what could a non-technical knowledge worker possibly do to protect themselves and the company’s data against a hacker?
The fatigue and frustration come in when users are confronted with the ways that IT has attempted to control the environment. Granted, it isn’t IT’s fault either; these are just the tools we’ve been given: passwords, security groups, firewalls, web proxies and other systems. What have we done?
The challenge for IT is clear. Hackers have gotten more intelligent and have moved past purely technical flaws, using social engineering to gain access and data. User education is a key strategy, but even that only goes so far and can contribute to fatigue.
There is another factor that compounds this problem. For a company, email and other business systems, which are the typical attack vectors, do not often directly impact the bottom line. These systems simply support the business. When you factor in the cost, many companies look the other way when it comes to security. In some cases, ‘good enough’ wins out over best practices because ‘it will never happen to me.’ Fatigue is not only a symptom of the individual, but of entire companies.
While IT fights the good fight, end users are critical to security. Europol recently announced that ransomware is currently the largest threat to businesses. In case you haven’t heard of it, ransomware is where cybercriminals encrypt data and ransom off the keys to decrypt the data for a fee. This can be devastating for a company depending on the ransom’s size or the amount of data affected.
Over the course of my IT career, I have seen fatigue creep into business processes in various ways. Consider shared accounts and passwords, and the risk they pose in exchange for ease of use for the end user. How about the ease of NTFS permission sets and how quickly a file’s permissions can be nullified just by emailing that file around? Even the best-laid security structure can be overthrown by a careless user looking to bypass the security system.
So, how do you reduce security fatigue while empowering end users to protect your company data in a non-intrusive way?
As Microsoft’s focus has shifted to a cloud-first, mobile-first world, they have invested in non-intrusive end user security platforms and analytics to give IT and end users a fighting chance. There is no silver bullet for security, but there is also no longer an excuse for not doing anything. With security tools that are easy to manage and built on Azure, IT doesn’t necessarily even have to worry about footing the bill for physical infrastructure.
During the month of October (aka Cybersecurity Month), the Microsoft Practice at Arraya will be writing blog articles about the security innovations that Microsoft has built over the past year to help companies address security fatigue, protect sensitive data, and give IT insight into what risks might be happening on the network. The cloud removes all excuses against building a security posture.
For a starting perspective, I recommend watching Satya Nadella’s Enterprise Security speech from 2015. End user security fatigue and complacent attitudes can cost your business financially and potentially harm your reputation.