2 Comments

Summary:

Relentless attempts to access critical corporate or personal data won’t let up. What could change is who companies will rely on as their last line of defense: You and me.

It’s no secret that the security teams charged with protecting corporate data are overmatched. Just ask Target, Neiman Marcus or the NSA.

A central security group of a large company cannot keep up with all potential threats, said Nick Stamos, founder and CEO of nCrypted Cloud, a Boston-based security vendor. “A regulated health insurance company might have 200 people in information security trying to deal with 40,000 end users and there’s no way they can keep up,” Stamos said.

So what’s the solution? One increasingly prevalent view is that end users should be enlisted in the cause: first by educating them about safe practices and about corporate security policies and regulations (and the penalties for breaking them), and finally by enforcing those policies.

Let’s face it: if you are a knowledge worker, you need to collaborate with others, sometimes contractors or partners outside the firewall, and you should have a good idea of who is to be trusted with documents and work product.

Until now, nCrypted Cloud let people add another layer of encryption to their Dropbox files and control who could see them and for how long. They could also restrict recipients’ ability to copy or share documents down the line, and revoke access when needed. I could, for example, share my personal financial docs with my accountant and then shut him down when the taxes are done.

Update: This week the company, which competes with AeroFS (which just added a new iOS client) and BoxCryptor, will extend those capabilities to Google Drive, Microsoft SkyDrive (now renamed OneDrive) and Box as well. nCrypted Cloud provides the audit trail that corporations need to keep tabs on who sees what, when, and who granted the access, Stamos said.
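The article describes four capabilities without saying how they are built: an encryption layer the storage provider cannot see through, time-limited access, a ban on recipients passing files on, and an audit trail of who saw what and when. The following is an added Python model of that design, written for this page; it is not nCrypted Cloud’s code, and the names (`OwnerVault`, `Grant`, `tax_season_scenario`) and the HMAC-based toy cipher are constructed for the example. It runs offline on a fixed clock that the caller supplies in seconds.

```python
"""Constructed model of an owner-controlled encryption layer over a sync service
(not nCrypted Cloud's code). Standard library only: the content cipher is an
HMAC-SHA256 counter-mode keystream plus an HMAC tag so the example runs offline;
a deployed product would use a vetted AEAD such as AES-GCM instead."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

def _subkey(file_key, label):
    # Separate encryption and tag keys derived from the single per-file key.
    return hmac.new(file_key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_blob(file_key, plaintext):
    """Return nonce || ciphertext || tag: all the sync service ever stores."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(file_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt_blob(file_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(file_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob altered or wrong key")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(file_key, b"enc"), nonce, len(ct))))

@dataclass
class Grant:
    recipient: str
    expires_at: float          # clock value in seconds, supplied by the caller
    may_reshare: bool = False  # may the recipient pass the file on?
    revoked: bool = False

@dataclass
class SharedFile:
    file_key: bytes   # stays in the owner's vault
    blob: bytes       # the only thing handed to Dropbox/Drive/Box
    grants: dict = field(default_factory=dict)

class OwnerVault:
    def __init__(self, owner):
        self.owner, self.files = owner, {}
        self.audit = []  # (clock, actor, action, file, outcome): who saw what, when
    def _log(self, now, actor, action, name, outcome):
        self.audit.append((now, actor, action, name, outcome))
    def add_file(self, name, plaintext, now):
        key = secrets.token_bytes(32)
        self.files[name] = SharedFile(key, encrypt_blob(key, plaintext))
        self._log(now, self.owner, "upload", name, "ok")
    def share(self, name, recipient, ttl_seconds, now, may_reshare=False):
        self.files[name].grants[recipient] = Grant(recipient, now + ttl_seconds, may_reshare)
        self._log(now, self.owner, "share", name, f"to={recipient} ttl={ttl_seconds}")
    def revoke(self, name, recipient, now):
        grant = self.files[name].grants.get(recipient)
        if grant:
            grant.revoked = True
        self._log(now, self.owner, "revoke", name, f"from={recipient}")
    def _check(self, name, actor, now):
        if actor == self.owner:
            return "ok"
        g = self.files[name].grants.get(actor)
        if g is None:
            return "denied:no-grant"
        if g.revoked:
            return "denied:revoked"
        return "denied:expired" if now >= g.expires_at else "ok"
    def open_as(self, name, actor, now):
        """Release plaintext only on a live grant; every attempt lands in the audit trail."""
        outcome = self._check(name, actor, now)
        self._log(now, actor, "open", name, outcome)
        if outcome != "ok":
            return outcome, None
        return outcome, decrypt_blob(self.files[name].file_key, self.files[name].blob)
    def reshare_as(self, name, actor, new_recipient, ttl_seconds, now):
        # A recipient may pass the file on only if the owner allowed resharing.
        outcome = self._check(name, actor, now)
        if outcome == "ok" and actor != self.owner and not self.files[name].grants[actor].may_reshare:
            outcome = "denied:no-reshare"
        self._log(now, actor, "reshare", name, f"{outcome} to={new_recipient}")
        if outcome == "ok":
            self.files[name].grants[new_recipient] = Grant(new_recipient, now + ttl_seconds)
        return outcome

def tax_season_scenario():
    """The article's accountant example on a fixed clock (one day = 86400 s)."""
    vault = OwnerVault("alice")
    vault.add_file("taxes.pdf", b"constructed tax figures", now=0)
    vault.share("taxes.pdf", "accountant", ttl_seconds=30 * 86400, now=0)
    results = {
        "accountant_day_1": vault.open_as("taxes.pdf", "accountant", now=86400)[0],
        "stranger": vault.open_as("taxes.pdf", "stranger", now=86400)[0],
        "reshare_attempt": vault.reshare_as("taxes.pdf", "accountant", "intern", 86400, now=86400),
    }
    vault.revoke("taxes.pdf", "accountant", now=10 * 86400)  # taxes are done
    results["after_revoke"] = vault.open_as("taxes.pdf", "accountant", now=11 * 86400)[0]
    return results, vault
```

The design point is where the key lives: the storage provider only ever holds `SharedFile.blob`, so a breach on its side yields ciphertext, while expiry, revocation and the reshare check are enforced at the moment the owner’s vault decides whether to release the file key. Every decision, including the denials, is appended to `vault.audit`, which is the raw material for the “who sees what, when” trail the article mentions.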

Other vendors have come to the same conclusion about user responsibility. Stu Sjouwerman, CEO of KnowBe4, even told CSO Online that any employee who clicks on a phishing link should be punished, and KnowBe4’s software alerts HR when employees click on such links.

A 12-month KnowBe4 survey of 291,000 employees across 400 companies found that 16 percent of the workers tended to click on bogus links; once the test group was held responsible for such clicks, that percentage dropped to just over 1 percent. Accountability seemed to work.

Some aren’t sure it’s realistic to expect staffers to sniff out ever-evolving threats. The burden of data protection remains right where it has been for years: with IT, which must deploy layers of security, from intrusion detection and firewalls to content-filtering services, to stop potential threats before they reach a user’s device, said Richard Stiennon, chief research analyst for IT-Harvest.

After all, even informed people make a mistake once in a while. “Even RSA Security employees — who know what they’re doing — succumbed to a malicious attack,” he said.

Note: This story was updated at 5:04 a.m. January 27 to reflect that Microsoft has relabeled SkyDrive as OneDrive.

Feature photo courtesy of Shutterstock user Valeriy Lebedev

  1. Great article on the required shift to end-user-accountable security and controls. The current approach of central IT making all the decisions has not scaled and will not scale, and has resulted in “Shadow IT” activities in companies.

    The solution to this asymmetric war to protect sensitive and regulated corporate data, while not impeding business productivity, needs a new security model, and end users/employees must be viewed as part of the solution, not part of the problem. The new security model should empower end users to share files and folders securely while at the same time holding end users accountable for their actions.

    Though this may sound crazy, it is already in place at several large Fortune 500 corporations and has been successful. Extending these capabilities into cloud storage such as Dropbox, Google Apps/Drive, SkyDrive and Box is only a natural evolution.

  2. Anica Wensman, Monday, January 27, 2014

    While it’s less than ideal that security measures are getting pushed down to end users, they are 100% the most vulnerable link. No one ever really tries cracking passwords; they call all the employees at a company until one will just tell them their password.

    More education, more training, and security moving further down the org is a VERY good thing (at Synata, we train our team on best security practices and encourage the use of secure password management tools like Lastpass).
