Sponsored

The human security risk

When hackers and cybercriminals are out to exploit every weakness, your employees might be the biggest of them all.

You can patch all your systems, guard your perimeter, secure your endpoints and harden your network, yet there's one vulnerability that's almost impossible to fix: the people you have using all this stuff. No matter how you lock everything down, they're out there misusing your systems, disregarding secure practices and doing deeply silly things that render your network security irrelevant. For many companies, people are the weakest link in the security chain.

Verizon's 2017 Data Breach Investigations Report makes a convincing case for never trusting an employee with your security. 25% of the breaches covered in the report involved internal actors in some capacity. Errors were causal events in 14% of breaches, with another 14% involving the misuse of privileged accounts. 81% of breaches leveraged weak or stolen passwords, while 43% involved a social attack.

On the one hand, you may have employees who can't be trusted because they're deliberately working against your interests. In cases involving insiders, the Verizon report found that 60% of the insiders stole data in the hope of converting it into cash at a future date, while a further 15% aimed to take it to a rival employer or a new startup.

On the other, you could have employees who shouldn't be trusted because they're incapable of following smart security practices or simply don't see why they should. Verizon's survey found that 66% of malware involved in a breach was installed via malicious attachments, and that 95% of phishing attacks that led to a breach were followed by some form of software installation. Why is it, then, that so many users will still happily click on a link or open an attachment when they get an unsolicited email? One moment of thoughtlessness could result in a download of malware that replaces their PC's BIOS, giving hackers control of its most fundamental functions and a backdoor into the corporate network.

Verizon isn't alone in its findings. The Ponemon Institute's 2016 State of Endpoint Report found that 'Negligent employees (users) and the devices they used in the workplace continue to be the greatest source of endpoint risk. 81% of respondents say the biggest challenge is minimising the threat of negligent or careless employees who do not follow security policies, a slight increase from 78% of respondents in 2015.'

Those who click on links in phishing emails are just one part of the problem. There are the employees who use the same password across numerous accounts, both work and personal, so that when their account for a gaming or online dating service is hacked, the hacker gets the keys to their work email and any cloud-based services as well.

Then there are the employees who'll pick up a USB memory key in the car park and plug it into their laptop without thinking. An experiment by researchers at US universities found that when USB keys were dropped around six campus locations, over 45% of them were plugged into a computer by the person that found them. And what about the employees who use consumer-grade cloud services for business purposes, then get a nasty surprise when these aren't properly secure?

Plugging holes

What can CIOs and IT teams do with this mixture of deliberate misuse and absent-minded behaviour? Well, some or all of the following should help:

Improve endpoint security: Strong network security is a good thing, but it's at the endpoints where end-users have the most impact. Any hardware, software or policies you can put in place to enhance endpoint security should help tip things in your favour.

Have clear policies: Translate security policies into clear, jargon-free English and make it clear why each one matters. Employees need to understand that plugging unauthorised USB memory sticks into a PC isn't sensible behaviour, but also why.

Secure shadow IT or replace it with business-grade alternatives: Employees might have good reasons for using insecure consumer-grade cloud services in addition to corporate IT services, but you need to either secure them, dissuade them from using them or provide great, secure alternatives that they'll be happy to use instead.

Review access rights: One issue for too many companies is that those employees with access to the network enjoy access to too much of it, meaning they can open folders and view documents beyond their job requirements. By reviewing access rights and putting proper controls in place you can ensure that data isn't widely available to anyone who can log on to a server.

Invest in training and support: The more training and support your teams have in security and sensible practices, the more likely they'll be to follow them. Again, it's about making sure they know what's important and what's at stake if they make a serious error.

Use software to aid security: A wide range of tools can help you build a better security program, ranging from password managers that can help users handle multiple complex passwords to SIEM tools that can help you track events and incidents and get real-time alerts of aberrant behaviour. Some manufacturers, like HP, even produce their own tools specifically to help companies manage their PCs, laptops, mobile devices, printers and network infrastructure.

Move to Windows 10 Pro: Not only is Windows 10 Pro the most secure version of Windows ever, with strong built-in defences and a range of features that stop malware programs from executing and spreading, but its Windows Hello authentication empowers companies to boost security without adding complexity for end-users. By combining or replacing passwords with another factor, such as fingerprint or facial recognition, it makes it easier to confirm identities and ensure that only those authorised to access sensitive data can do so.

Hardware Solutions

All of the above will help reduce the human factor in security, but there's one other simple and effective step that can cut down those vulnerabilities even more: choosing hardware built with enterprise-grade security in mind. That's why CDW works with HP PCs and laptops to deliver the most secure IT solutions on the market.

HP's ProBook and EliteBook laptops and ProDesk Mini PCs might be sleek and beautifully designed computers, but they also include features designed to spot, intercept and prevent the spread of malware at the lowest levels of operation. For example, HP SureStart monitors the BIOS, looking for signs of intrusion and self-healing by recovering to a last-known 'golden' BIOS if it finds any. BIOS whitelisting ensures that only an approved and validated HP BIOS can be installed.

HP WorkWise, meanwhile, partners a desktop app on the laptop or PC with an app for iOS or Android smartphones. It can be set to lock and unlock the PC automatically when the phone is in range, so that users can't leave their ProDesk Mini available for anyone to access while they wander off to get a coffee, while real-time alerts mean they get a notification when their EliteBook laptop is moved on the desk or has the lid opened. HP's EliteBook 840 can even be supplied with an integrated HP SureView electronic privacy screen, so that if employees will insist on working on sensitive forward-looking documents while on the train, you can be sure that the passenger in the next seat isn't getting an eyeful.

These features work because they enhance security without adding complexity, enabling ProBook and EliteBook laptops and ProDesk Mini PCs to fix themselves and support secure policies without asking much of the average end-user. Can you eliminate the human factor entirely? Probably not, but with HP, Microsoft and CDW working with you, there's no reason why you can't minimise its impact.

Find out more about how CDW can enhance your business's security with HP laptops and PCs running Windows 10 Pro.
