Placing employees at the forefront of cybersecurity

• Pervasiveness of mobility opens up organisations to a host of cybersecurity challenges 
• Cloud protection should now be the new first line of defence for organisations

THE advancement of technology is profoundly transforming the way we work, learn and collaborate. Technology gives us the flexibility to work remotely, simplify collaboration between different parties and empower teams to work together in new ways than we could have possibly imagined.

Following this, companies all around the world are gradually welcoming the emergence of a mobile workforce with Malaysia being placed as one of the countries that ranks above the global average in terms of work flexibility. Regus Global Economic Indicator revealed that 53% of Malaysia’s employees work remotely for at least half a week. 

As millennials are poised to form 50% of the global workforce by 2020, collaboration and mobility technologies will further become indispensable. Growing up with laptops, tablets and smartphones, they consider work flexibility as one of the key elements that will determine their continued employment in a company.

In optimising efficiency, millennials' seek accessibility to emails, productivity applications and collaboration tools on cloud powered devices to enable them to conveniently work and connect with each other anywhere, anytime.

This pervasiveness of mobility opens up organisations to a host of cybersecurity challenges as applications and data no longer reside strictly within the enterprise walls. With remote working becoming a norm, networks become wider and more open thereby increasing attack surfaces that can be exploited by adversaries.

Recently, MyCERT has revealed an increase of botnet drones and malware attacks from 2.7 million in 2015 to 3.15 million incidents in 2016 in Malaysia.

Employees can be your weakest link in cybersecurity

Against a backdrop of increasing vulnerability, organisations’ security posture will only be as strong as their weakest link – employees.

Their habit to conduct work on multiple work stations or endpoints including personal laptops, tablets and smartphones necessitates organisations to protect multiple devices in order to ensure corporate data security.

Instead of enhancing security at each endpoints, employees can fortify their cyber security defences by accessing corporate data through the organisation’s Virtual Private Network (VPN) which in turn extends company’s network perimeter security solutions such as next-generation firewall and secure Web gateway appliance to users’ devices.

However, it is alarming that according to Gartner’s estimates, network perimeter security is blind to 25 per cent of corporate data traffic since more than 80 per cent of mobile workers bypass their organisations’ VPN and connect directly from mobile devices to the cloud. This findings reveal that a bulk of users rely only on endpoint security solutions such as their devices’ firewalls, proxies, and anti-virus (AV) to protect them from incoming threats.

Clearly, this cannot adequately protect them and their network from system compromise or data breaches. With users and traffic increasingly moving outside the enterprise onto mobile devices and accessing cloud services, IT and network security administrators have limited or zero visibility into the threats targeting these users.

Securing the weakest link

How then should organisations secure themselves as an increasing number of corporate data traffic bypasses enterprise security controls? Today's unique set of challenges call for a new approach to security. Cloud protection should now be the new first line of defence for organizations, providing visibility and control right at the edge of the internet.

Organisations have to expand existing security measures beyond the network perimeter and extend it to the Domain Name System (DNS) layer creating a secure internet gateway in the cloud. This allows defenders to block any current and emergent threats over all ports before it reaches endpoints or network ensuring users with a secure access to the internet anywhere they go, even when they are off the VPN.

While organisations can have multiple layers of security measures in place, employees can still jeopardize corporate and personal data by engaging in risky IT behaviour.

A Cisco research reveals that 46 percent of employees admitted to transferring files between work and personal computers when working remotely. Other risky behaviours include unauthorised application usage and the misuse of corporate computers. An alarming 70 percent of IT professionals believe that unauthorised application usage have resulted in as many as half of their company’s data loss incidents.

Taking this into account, employees will need to have exemplary cyber hygiene habits to defend against sophisticated social engineering threats, such phishing or baiting attacks. Companies can begin by nurturing a culture of cybersecurity awareness within the business through three stages – evaluate, educate, and mandate.

Organisations first need to evaluate their employees’ behaviour and assess potential risks based on factors such as the threat landscape. This intelligence can used to develop a holistic security training and relevant regulations that educate employees on cybersecurity best practices.

Subsequently, organisations need to mandate their employees to apply cybersecurity hygiene to their usage of the network, computers, mobile devices, applications and data by creating a code of business conduct that covers cybersecurity practices and data protection.

As the demand for flexible work arrangement increases, there is great pressure for Malaysian organisations to meet the requirements of this dynamic workforce while ensuring that their security posture is not compromised.

In order to effectively defend against cyberattacks and prevent data leakage, companies not only need to have an intelligent, integrated security infrastructure in place but also a workforce that has a high level of cybersecurity awareness.

The goal is for everyone, from IT professionals to executives to employees at every level, to believe that security is critical, understand the policies and procedures for achieving a secure environment, and be vigilant in their daily activities.