Is it fair to burden users as the 'last line of defence' against hackers?


The security industry is going around in circles. Users have been walking an insecure tightrope for decades, clicking on links, opening attachments and downloading unchecked files without a safety net in place. However, organisations are still surprised when attackers manage to successfully breach an endpoint via an employee who’s attended a compulsory “security awareness” seminar. Our recent survey found that 99 per cent of CISOs see users as ‘the last line of defence’ against hackers – but is this really fair to end users? Ultimately, no matter how much training is offered to organisations, there will always be someone who clicks on something malicious. It seems naïve to think that this will ever change.

It takes just one bad apple to spoil the bunch

According to research from the SANS Institute, 75 per cent of attacks on endpoints initially entered via malicious email attachments; and another 46 per cent of attacks were executed by users clicking web links in emails. The best way to protect against these kinds of phishing attacks – or so industry rationale goes – is to educate and train employees to aware of the risks. This is a perspective shared by most CISOs according to our research, which revealed that virtually every CISO (99 per cent) believes that user education, policies and procedures are essential to ensure employees understand their role as the last line of defence in keeping the business secure.

This logic makes sense. Well except for the fact that it just takes one person (our bad apple) to get it wrong and spoil the whole bunch with a breach. According to Verizon’s DBIR, 30 per cent of phishing messages get opened by targeted users, with 12 per cent clicking on malicious items multiple times. What’s more, because they are successful, these attacks are also becoming more sophisticated, with hackers utilising a wide range of tactics to try and fool employees into making a mistake – whether it is through spear-phishing with a CEO’s email address, or leveraging infected USB drives, insecure hotspots, man-in-the-middle attacks or polymorphic malware. The odds are undeniably stacked against the user.

An unworkable fix

The idea of making employees responsible for security simply isn’t practical. Even after training and education, human beings are prone to making mistakes that leave the enterprise exposed to risk. Even the most security-conscious employees get tired, overworked, busy or distracted. When this happens, it’s all-too-easy for an employee to then take a short cut, and fall into a hacker’s trap. Often these mistakes are unconscious decisions. Employees across the business are being asked to assess risk vs value every time they visit a webpage or open an email attachment – something they likely do dozens if not hundreds of times a day. In some cases their behaviour is just habit, and sometimes they decide the value of that activity is more important than the risk.

To counter human behaviour, many businesses are turning to technology to prohibit users, but this often causes more problems than it solves. For example, a number of companies restricted social media websites following the 2012 LinkedIn breach, as they see these sites as vulnerable points of entry for an attacker. But, often these sites are critical path for departments like marketing, sales or HR, who are then unable to carry out essential tasks as a result of denied or limited access. Employees still need to do their jobs, and this puts them at odds with prohibitive security practices.

A new approach: Application isolation and containment

Modern threats need modern solutions. Instead of putting the responsibility and the blame on end users, who should never have had to shoulder the burden in the first place, there are other ways to approach the problem. The vast majority of the IT security industry is focused on stopping the symptoms, rather than creating a cure. Alternative approaches help minimise cybersecurity risks more effectively, and in a scalable manner, which are far less restrictive on the business and its employees. In fact, a new approach to security can become a competitive advantage because your users can get back to work and stop being afraid.

Imagine, instead of wasting time trying to stop users clicking on potentially harmful links, or trying to detect malware before it has a chance to launch, you let it execute. Here’s the catch: it’s executing in a protected virtual environment. This ensures that each user task is contained within its own fully isolated and disposable virtual machine.

As a result, any malicious activities are trapped within that virtual machine, posing no risk to the rest of the computer or the network. If a user discovers a malicious email or document, they can simply close the window (or browser tab), and the threat disappears forever. The logic is simple: if a user is opening a downloaded document, working with an application or clicking on a web page because they need to get their work done, then why not isolate those high-risk activities in a completely isolated, controlled environment? This gives CISOs the ability to trust end users because safety net they need is in place. They can click with confidence.

We’re only human

For cybersecurity to improve, there have to be smarter ways to deliver protection. Application isolation offers a profound solution. Today’s patient-zero, detect-to-protect approach still allows for vulnerability. And the cybercriminals haven’t been locked out yet. They are still having tremendous success. As long as exploiting end users remains profitable, hackers will continue seeking to pound away at earnest employees.

Today the hackers are winning, but it doesn’t have to be that way. While organisations waste time and money educating employees, trying to break habits that are based on human nature, the bad guys keep getting through. Businesses that are using application isolation are finding they no longer pin their hopes on solutions that work only after a breach has been detected. This allows end users to click with confidence, can restore productivity, and even allow for innovation because end user prohibition is no longer a security strategy. Instead, employees can focus on getting work done.

Fraser Kyne, EMEA CTO, Bromium
Image Credit: Den Rise / Shutterstock