Box: We're in the business of protecting companies from themselves

CIO Paul Chapman explains why he launches phishing attacks against his own company

"We're 30,000 employees, we're the size of a small village... there will be crime, or there will be people that do things that they shouldn't do."

Box CIO Paul Chapman recalls a conversation he once had with a company executive who broke the mould somewhat by being more concerned about the actions of rogue employees than about threats coming from outside.


This was at a time when cyber security simply meant protecting against external threats. That doesn't mean the executive wasn't bothered about external attacks, only that he recognised that years of effort had already gone into building robust outward-facing defences, while little attention had been paid to the workforce itself.

In today's environment, we are seeing time and again that the biggest threat to security is often a company's own employees. According to Box, around 55% of breaches are due to negligence in the workplace.

"People often say, 'what's the thing that worries you the most?' Actually it is what we would call 'negligent users'," Chapman explains. "People don't wake up and say 'hey, I think I'll be a negligent user today', they're just doing their work and what happens is risk builds... part of what keeps me awake is users doing negligent things, without knowing they're doing them."

Safety net

Jeetu Patel, Box's chief product officer, shared a few examples of what the company considers common negligent actions. The first was sharing content to personal email accounts. Say Rachel wants to invite John into an internal folder full of private company documents. She starts typing 'Jo' into the search bar and his email addresses pop up. She picks the first one, which happens to be John's personal Gmail account, and so grants a non-company account access to company documents.


In a second example, John, who is working remotely, decides to download company documents to a personal device. Rather than selecting the specific documents he needs, he pulls the whole folder onto his unmanaged personal device. Without realising it, John may have placed sensitive company information, such as financial details, on a device that sits outside the company's firewall and its controls.
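The two scenarios above are the kind of thing a content platform can catch mechanically at the moment the action happens, rather than after the fact. The following is an added example, written for this page and not code from Box or from Box Shield. It assumes a single corporate mail domain (example.com), a hand-picked list of consumer webmail domains, and a constructed set of download events in a Box-style audit shape; the thresholds are illustrative. The first function decides whether a collaboration invite should be allowed, warned about or blocked, handling the traps a naive domain comparison misses (mixed case, corporate subdomains, one-character lookalikes of the corporate domain). The second function flags a user who pulls many distinct files to an unmanaged device within a short window, which is what John's whole-folder download looks like in the audit log.

```python
"""Policy checks for the two negligent-user scenarios: an internal folder
shared to a personal address, and a whole folder pulled to an unmanaged device.
Added example; not Box's code. Domains, thresholds and events are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the organisation's own mail domains (any subdomain counts as internal).
CORPORATE_DOMAINS = {"example.com"}
# Assumption: consumer webmail domains that should never receive non-public content.
PERSONAL_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com",
                    "hotmail.com", "yahoo.com", "icloud.com"}


def _domain(address: str) -> str:
    """Lower-cased domain part of an email address; empty string if malformed."""
    addr = address.strip().lower()
    if addr.count("@") != 1 or addr.endswith("@"):
        return ""
    return addr.split("@", 1)[1]


def _is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)


def _looks_like(domain: str, target: str) -> bool:
    """Cheap lookalike test: same length, exactly one differing character (examp1e.com)."""
    return len(domain) == len(target) and sum(a != b for a, b in zip(domain, target)) == 1


def classify_share(recipient: str, folder_classification: str) -> str:
    """Return 'allow', 'warn' or 'block' for inviting `recipient` into a folder
    whose classification is 'public', 'internal' or 'confidential'."""
    domain = _domain(recipient)
    if not domain:
        return "block"                       # malformed address: fail closed
    if _is_internal(domain):
        return "allow"
    if any(_looks_like(domain, d) for d in CORPORATE_DOMAINS):
        return "block"                       # typo-squat of our own domain: never allow
    if domain in PERSONAL_WEBMAIL:
        # Rachel's case: John's personal Gmail address offered first by autocomplete
        return "warn" if folder_classification == "public" else "block"
    # Any other external domain (partner, customer): fine for public content,
    # needs a second look for internal, refused for confidential.
    if folder_classification == "public":
        return "allow"
    return "warn" if folder_classification == "internal" else "block"


@dataclass(frozen=True)
class DownloadEvent:
    user: str
    file_id: str
    managed_device: bool     # True when the client is a company-managed endpoint
    at: datetime


def bulk_downloads(events: list[DownloadEvent], threshold: int = 25,
                   window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Users who downloaded at least `threshold` distinct files to an unmanaged
    device inside any sliding `window`. Returns {user: peak distinct-file count}."""
    per_user: dict[str, list[DownloadEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.at):
        if not e.managed_device:
            per_user[e.user].append(e)
    flagged: dict[str, int] = {}
    for user, evs in per_user.items():
        start = 0
        in_window: dict[str, int] = {}       # file_id -> occurrences inside the window
        for e in evs:
            in_window[e.file_id] = in_window.get(e.file_id, 0) + 1
            while e.at - evs[start].at > window:   # slide the left edge forward
                old = evs[start].file_id
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged


def _sample_events() -> list[DownloadEvent]:
    """Constructed audit events, not real data."""
    t0 = datetime(2019, 11, 1, 9, 0)
    ev = []
    for i in range(40):   # John syncs a 40-file folder to his personal laptop in two minutes
        ev.append(DownloadEvent("john", f"file-{i}", False, t0 + timedelta(seconds=3 * i)))
    for i in range(40):   # Rachel opens 40 files from a managed laptop across the day
        ev.append(DownloadEvent("rachel", f"file-{i}", True, t0 + timedelta(minutes=10 * i)))
    for i in range(5):    # Ali grabs five files on his phone: below threshold
        ev.append(DownloadEvent("ali", f"file-{i}", False, t0 + timedelta(minutes=i)))
    return ev


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    print(classify_share("John.Smith@gmail.com", "internal"))   # block
    print(bulk_downloads(SAMPLE_EVENTS))                         # {'john': 40}
```

The share check deliberately treats a one-character lookalike of the corporate domain as worse than an ordinary external domain, because that is the pattern an attacker uses to get a share invite past a tired reviewer; a real deployment would also consult the directory so that a known partner domain is not flagged every time. The download check keys on the device being unmanaged rather than on the user being remote, since remote work from a company laptop is exactly what Box is meant to support.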

It's this concern that led Box to develop its Shield platform, released in August this year. It aims to address the many problems and risks that crop up when sharing and collaborating. While it is mainly marketed as an external-facing security product, Box Shield is just as useful for stopping these types of user actions, whether accidental or intentional, from slipping through.

Force preview, for example, lets users open a file in Box's in-browser preview without being granted permission to download it. So if somebody receives a file carrying malware, Box's security scanning flags it before it is ever downloaded onto the company's network.


Although employees should be aware of basic security practices, software needs to account for laziness, according to Box.

"We know it's better to point to content, we know it's better to use links to control content and chain of custody over content, but you still have in an organisation of 20,000 - 35,000 people and someone who goes 'oh, I think it's easier to send an attachment', and off he goes," Chapman says.

In-house phishing

Chapman and his team at Box accept that we can't all be experts, particularly when it comes to digital security. And, as clever and intuitive as Box Shield is, it's not going to protect you from everything.

"To me, Box is a piece of the jigsaw puzzle, it's not the jigsaw puzzle when it comes to how to think about security potential," he says. "It's partners, it's integrations... you have to have people inside your organisation that are thinking through what the architecture is... you can't just put it in Box and be done. It's how you configure Shield, how you set it up, it's a combination of things."


The workforce at Box is subjected to regular tests by Chapman and his team, including dummy internal phishing attacks designed to train people to identify and deal with threats as they arrive. This is the same tactic we've seen deployed across other security-savvy organisations; only, as a security specialist, Box is able to take it a step further.

"There are different levels of sophistication, but it is surprisingly scary how easy it is to spoof people," he says. "We've got a red team that will actually try to break everybody's passwords at least once per month. We will do our own phishing attacks, we look at the results, share them with the company, we don't do a wall of shame or anything, but we do have a security 'hero'."

We're only human

These 'heroes' seem to be in short supply if the latest figures are anything to go by. According to Telstra's 2019 Security Report, 89% of cyber security risks are now internal. Add to that a recent Carbon Black report suggesting that hacking and data breaches are becoming the "new normal", with attackers now turning their attention to vulnerable end users rather than trying to break through company firewalls directly.


What's more, it only takes one lapse in concentration, or one employee who doesn't recognise the danger, for a business to be crippled by malware. Many towns and cities in the US have been hit by ransomware attacks specifically designed to target employees with little cyber security awareness. Florida's Riviera Beach, for example, lost control of its entire municipal network after a single police department employee opened a malicious email attachment.

In 2017, the average worker made 118 mistakes a year, according to a report from Identity Guard. Predictably, many of those errors involved technology, and as more businesses adopt digital services that trend is only going to continue. After all, we're only human.
