
Why your employees are the weakest link when it comes to security

The explosive growth of personal mobile devices, the huge shift toward cloud applications and the impact of the Internet of Things have been the catalysts for true ‘business without walls.’

But businesses face a constant battle between giving their employees convenient access to systems and information and maintaining robust security. Flexible, always-on working styles are adding to this complexity, with the boundary between work and home becoming increasingly blurred, and devices being used for both purposes.

So how can businesses solve the ongoing issue of security versus productivity, and what technologies are available to make this easier?

Bring Your Own Threat?

Most start-up and small business owners have been quick to embrace the flexibility and cost benefits of letting employees use their own devices and apps to carry on working outside the four walls of the office. Yet for many this presents a dilemma. Fewer hardware overheads and greater employee accessibility have to be weighed carefully against the risk of losing control over the security and privacy of company confidential data.

Facing this, some have opted for enterprise-focused Mobile Device Management (MDM) solutions. However, all too often the complexity and well-intended but heavy-handed policy enforcement create new barriers to employee productivity.

In the absence of any controls, many small firms have had no option but to trust employees to behave responsibly and hope they do not leave themselves open to a hack or breach. However, with reports of hacking and cyber-attacks on small firms continuing to hit the headlines, doing nothing is scarcely sustainable.

Hackers are becoming increasingly sophisticated in their approach, using social engineering techniques to trick employees into opening realistic-looking but fraudulent emails, or using fake or re-directed websites. Small businesses especially may not have the corporate policies and training in place to ensure employees are aware of the risks their behaviours introduce, while at the same time being most vulnerable to attack because hackers see them as an ‘easy target.’

Furthermore, there is evidence to suggest that employees have a rather cavalier approach to security on their own devices. According to recent research by AVG partner Centrify, one in three users neglects to secure their devices. Many also use basic, easy-to-guess passwords that put their employer’s data at risk. It is a very real problem – data breaches can cost smaller firms anywhere between £65,000 and £115,000, with the worst hit suffering up to six breaches a year.

The best of both worlds without costing the earth

Until now, smaller businesses have traditionally relied on MDM to protect their employees’ mobile devices. This works by ensuring all mobile devices are centrally authorised and asks employees to accept a raft of IT-defined policies before they can access company resources and data.

In exchange, IT administrators receive the privileges needed to perform security procedures such as issuing remote locate, lock and wipe commands or checking whether specific devices, networks and VPNs are company approved. Faced with this level of company intrusion and policy enforcement, however, many employees are hindered and end up looking for workarounds.

An alternative solution that provides the best of both worlds – employee mobility and productivity via Bring Your Own Device (BYOD) as well as stringent security – is secure, standards-based single sign-on (SSO) technology. This enables IT providers to deploy secure mobile access and multi-factor authentication for their small business customers as a simple, cloud-based service that extends usability, security and compliance across all their mobile devices, plus their traditional Windows and OS X laptops.

This approach helps a small business owner, IT manager or an IT contractor to ensure company confidential data stays secure, private and within their control, even while it is shared with employee-owned mobile devices and externally hosted cloud services.

This new advancement in technology draws on elements of traditional Identity Access Management (IAM), Mobile Application Management (MAM) and Mobile Device Management (MDM). Originally developed for larger organisations, MDM and IAM technology have been too costly and complex for most small businesses. Traditional IAM is good at enabling enterprise users to easily access their various cloud applications, such as Salesforce or Office 365, via single sign-on.

Unfortunately, however, it was designed for a desktop-centric business world, not a mobile one. Enterprise Mobility Management (EMM) meanwhile has helped organizations manage their ever-increasing array of mobile devices, but this approach is losing its influence as many key features become commoditized. A secure SSO service offers the best of both worlds by combining elements of MDM, MAM and IAM in a turnkey cloud service.

Users are the new perimeter

One of the advantages of SSO is that it is user-centric – managing employees first – and then all of the devices and applications they need to efficiently perform their jobs. Simply put, each employee is assigned a ‘user identity’ (through Active Directory, LDAP or a built-in cloud directory) with specific permissions and security controls associated with that identity, which are then applied to all of that user’s devices.

The service also provides secure password management that interfaces with Active Directory or LDAP services, crucial for eliminating risk from easy-to-remember, reused and improperly managed passwords. Notably, multi-factor authentication validates the user’s identity to prevent unauthorized use of passwords. While adding new security layers, SSO will also improve end-user productivity by eliminating the need to remember multiple passwords and reduce the volume of helpdesk calls resulting from forgotten passwords.

In order to ensure your employees are not the weakest link, this is the approach we would recommend taking to security – users first, then devices – with user identity the new security perimeter.

This strategy enables the small business to solve today’s security problems with a single platform that manages users by their applications, permissions, mobile and desktop devices, all in one secure and compliant service. It empowers small business by putting privileged identity at the heart of small business security.

In this approach, single sign-on, cloud identity, identity management and multi-factor authentication come together in a system that quickly and efficiently solves the BYOD headache.

Employees will continue to use a ‘real world’ mix of personal and company-issued devices, but can now do business both inside and outside the four walls of the office.

Mike Foreman is Senior VP and General Manager at AVG Business.