Box: We're in the business of protecting companies from themselves

CIO Paul Chapman explains why he launches phishing attacks against his own company

"We're 30,000 employees, we're the size of a small village... there will be crime, or there will be people that do things that they shouldn't do."

Box CIO Paul Chapman recalls a conversation he once had with a company executive, who broke the mould somewhat by being more concerned by the actions of rogue employees than threats coming from the outside.


This was at a time when cyber security simply meant protecting against external threats. That doesn't mean to say the executive wasn't bothered with external attacks, only that he identified that plenty of development had already gone into creating robust outward-looking defences over the years, while little attention was paid to the workers.

In today's environment, we are seeing time and again that the biggest threat to security is often a company's own employees. According to Box, around 55% of breaches are due to negligence in the workplace.

"People often say, 'what's the thing that worries you the most?' Actually it is what we would call 'negligent users'," Chapman explains. "People don't wake up and say 'hey, I think I'll be a negligent user today', they're just doing their work and what happens is risk builds... part of what keeps me awake is users doing negligent things, without knowing they're doing them."

Safety net

Jeetu Patel, Box's chief product officer, shared a few examples of what the company considers common negligent actions. The first was sharing content to personal email accounts. So, for instance, Rachel wants to invite John into an internal folder full of private company documents. She begins typing 'Jo' into the search bar and his email addresses pop up. She picks the first one which happens to be John's personal Gmail account, sending company documents to a non-company account.


In a second example, John, who is working remotely, might decide to download company documents on a personal device. He doesn't select the specific documents he needs and instead puts the whole folder onto his unsecured personal device. Without realising, John may have placed sensitive company info, such as financial details, on a device that sits outside the company's firewall.
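The two negligent-user patterns just described (an invite that lands on a personal address, a whole folder pulled onto an unmanaged device) are the kind of thing an audit-log check can surface. The following is an added example, not Box's or Shield's code; the event fields, the company domain `example.com`, the unmanaged-device flag and the 25-file threshold are all assumptions, and the events are constructed sample data.

```python
"""Flag the two negligent-sharing patterns described in the article,
using constructed audit events (not real Box data)."""
from collections import Counter

COMPANY_DOMAINS = {"example.com"}   # assumed corporate email domain(s)
BULK_DOWNLOAD_THRESHOLD = 25        # assumed policy: files per actor per window

# Constructed sample events: Rachel invites John twice (one address is his
# personal Gmail), John bulk-downloads to an unmanaged laptop, Rachel
# downloads the same files to a managed one.
EVENTS = [
    {"type": "collab_invite", "actor": "rachel@example.com",
     "target": "john@example.com", "item": "Finance/Q3"},
    {"type": "collab_invite", "actor": "rachel@example.com",
     "target": "john.smith@gmail.com", "item": "Finance/Q3"},
] + [
    {"type": "download", "actor": "john@example.com", "device_managed": False,
     "item": f"Finance/Q3/file{i}.xlsx"} for i in range(30)
] + [
    {"type": "download", "actor": "rachel@example.com", "device_managed": True,
     "item": f"Finance/Q3/file{i}.xlsx"} for i in range(30)
]


def email_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def external_share_alerts(events, company_domains=COMPANY_DOMAINS):
    """Invites whose recipient domain is not on the corporate allowlist."""
    return [e for e in events
            if e["type"] == "collab_invite"
            and email_domain(e["target"]) not in company_domains]


def bulk_download_alerts(events, threshold=BULK_DOWNLOAD_THRESHOLD):
    """Actors who pulled >= threshold files onto an unmanaged device.
    Downloads to managed devices are not counted, so Rachel is not flagged."""
    counts = Counter(e["actor"] for e in events
                     if e["type"] == "download" and not e["device_managed"])
    return sorted(actor for actor, n in counts.items() if n >= threshold)


def report(events):
    """Summarise both checks as a dict suitable for an alert pipeline."""
    return {"external_shares": [(e["actor"], e["target"], e["item"])
                                for e in external_share_alerts(events)],
            "bulk_downloaders": bulk_download_alerts(events)}


if __name__ == "__main__":
    print(report(EVENTS))
```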

It's this concern that led Box to develop its Shield platform, released in August this year. It aims to fix the many problems and risks that crop up when sharing and collaborating. While it is mainly marketed as an external-facing security product, Box Shield is actually just as useful for preventing these types of human errors filtering through - whether accidental or intentional.

Force preview, for example, gives users access to files in preview before they are given permission to download. So if somebody receives an email with a malicious attachment, it will be flagged by Box's security system before it's ever downloaded to a company's network.


Although the employees should be aware of basic security practices, software needs to account for laziness, according to Box.

"We know it's better to point to content, we know it's better to use links to control content and chain of custody over content, but you still have in an organisation of 20,000 - 35,000 people and someone who goes 'oh, I think it's easier to send an attachment', and off he goes," Chapman says.

In-house phishing

Chapman and his team at Box accept that we can't all be experts, particularly when it comes to digital security. And, as clever and intuitive as Box Shield is, it's not going to protect you from everything.

"To me, Box is a piece of the jigsaw puzzle, it's not the jigsaw puzzle when it comes to how to think about security potential," he says. "It's partners, it's integrations... you have to have people inside your organisation that are thinking through what the architecture is... you can't just put it in Box and be done. It's how you configure Shield, how you set it up, it's a combination of things."


The workforce at Box is subjected to regular tests from Chapman and his team. They are even tested using dummy internal phishing attacks as a way to train people on how to identify and deal with threats as they arrive. This is the same tactic we've seen deployed across other security-savvy organisations, only, as a security specialist, Box is able to take it one step further.

"There are different levels of sophistication, but it is surprisingly scary how easy it is to spoof people," he says. "We've got a red team that will actually try to break everybody's passwords at least once per month. We will do our own phishing attacks, we look at the results, share them with the company, we don't do a wall of shame or anything, but we do have a security 'hero'."

We're only human

These 'heroes' seem to be in short supply if the latest figures are anything to go by. According to Telstra's 2019 Security Report, 89% of cyber security risks are now internal. Add to that a recent Carbon Black report suggesting that hacking and data breaches are becoming the "new normal", with hackers now turning their attention to vulnerable end-users rather than trying to break through company firewalls directly.


What's more, it only takes one lapse in concentration, or one employee to not know the danger, for your business to be crippled by malware. Many towns and cities in the US have been plagued by ransomware attacks that have been specifically designed to target employees that are, for the most part, illiterate in cyber security. For example, Florida's Riviera Beach lost control of its entire municipal network after a single police department employee opened a malicious email attachment.

In 2017, the average worker made 118 mistakes a year, according to a report from Identity Guard. Predictably, many of those errors revolved around technology and as more and more businesses adopt digital services, that trend is only going to continue. After all, we're only human.
