A central security group of a large company cannot keep up with all potential threats, said Nick Stamos, founder and CEO of nCrypted Cloud, a Boston-based security vendor. “A regulated health insurance company might have 200 people in information security trying to deal with 40,000 end users and there’s no way they can keep up,” Stamos said.
So what’s the solution? One increasingly prevalent view is that end-users be enlisted to the cause, first by educating them about safe practices, about corporate security policies and regulations (and the penalties for breaking them) and finally by enforcing those policies.
Let’s face it, if you are a knowledge worker, you need to collaborate with others, sometimes contractors, partners outside the firewall — and should have a good idea of who is to be trusted with documents and work product.
Up till now nCrypted Cloud let people add another layer of encryption to their Dropbox files and to control who could see them and for how long. They could also restrict recipients’ ability to copy or share documents down the line; and revoke access when needed. I could, for example, share my personal financial docs with my accountant and then shut him down when the taxes are done.
Update: This week the company, which competes with AeroFS which just added a new iOS client, and BoxCryptor, will extend those capabilities to Google Drive, Microsoft SkyDrive (now renamed OneDrive), and Box as well. NCrypted Cloud provides the audit trail corporate needs to keep taps on who sees what when and who provides access, Stamos said.
Other vendors have come to same conclusion about user responsibility. Stu Sjouwerman, CEO of KnowBe4, even told CSO Online that any employee who clicks on a phishing link should be punished and KnowBe4’s software alerts HR when employees click on such links.
A 12-month KnowBe4 survey of 291,000 employees across 400 companies found that 16 percent of the workers tended to click on bogus links: Once the test group was held responsible for such clicks, that percentage dropped to just over 1 percent. Accountability seemed to work.
Some aren’t sure that it’s realistic to expect staffers to sniff out ever evolving threats. The burden of data protection remains right where it has for years — with IT, which must deploy layers of security from intrusion detection and firewalls to content filtering services to stop potential threats before they get to a user’s device, said Richard Stiennon, chief research analyst for IT-Harvest.
After all, informed people make a mistake once in awhile. “Even RSA Security employees — who know what they’re doing — succumbed to a malicious attack,” he said.
Note: This story was updated at 5:04 a.m. January 27 to reflect that Microsoft has relabeled SkyDrive as OneDrive.
Feature photo courtesy of Shutterstock user Valeriy Lebedev