Companies struggle to protect their IT infrastructure when employees access the web. Checking personal web mail or running online shopping errands from the office helps workers to maintain work/life balance, but it also puts the business at risk from web-borne threats.
Organizations scramble to put policies in place to protect themselves. But policies that are too restrictive can negatively impact productivity and workplace climate.
For our InfoSec Luminary Lineup blog discussion series, we asked: “How can companies balance IT security with users' need to access personal web resources at work?” In this post, cybersecurity startup leaders, experts and influencers share their thoughts, tips and insights on how companies can solve this dilemma.
The main takeaway: As information security industry insiders, we use terms like “black hat” and “white hat” to describe hackers. But there’s no black-and-white when dealing with employees and how to protect them when they access the web.
Ill-conceived approaches lead to IT security managers and individual users “playing cat and mouse” (John Ackerly). We describe how such cat and mouse games put IT security at risk in the Authentic8 whitepaper IT vs. Users? How Law Firms Maximize Security While Granting Access to the Web.
More secure, with a healthier work culture, are those companies that manage, in Joseph Raczynski’s words, to “choreograph the dance.”
“Minimizing the attack surface is the key” (Alan Sharp-Paul)
While no forward-thinking company would propose restricting personal access on work devices for productivity reasons, limiting such access for security reasons is a given today.
Such policy needs to be carefully thought through, though. The impact on employee satisfaction needs to be weighed almost as carefully as that on security risk, with the threat of a company's losing its best and brightest ever present.
Companies that want to strike the right balance between employee freedom and IT security have several options. Minimizing the attack surface for devices is the key.
One option is the move towards netbook-style computers for employees who have no need for a full-featured desktop. Google's Chromebooks are the best example of this.
A modern, minimal, always-updated OS that is effectively only a browser represents a massive reduction in risk for internet-connected employees.
An even more secure option is to completely isolate corporate and personal web traffic by making use of a service like Authentic8's Silo, a disposable browser that protects the enterprise network from any unwanted side effects of “personal” browsing.
Employees are kept happy as they retain the freedom to browse personal and not work-related sites from their company devices. Security managers are happy because no footprint of that access is left on the company network.
After more years than he'd care to count working in Financial Services IT, Alan Sharp-Paul cofounded and is now Co-CEO of the IT Risk Management platform UpGuard. UpGuard is the only company that provides businesses with a complete picture of IT risk. It does so by scanning a company's network and infrastructure both internally and externally, aggregating risk into a single, credit-like score, the CSTAR score.
“Ensure that employees can take care of their life’s business” (Christopher Burgess)
Employers who provide their employees with the ability to work remotely are also allowing their employees always to be tethered.
The solution to allowing the work-life balance to be truly balanced is to ensure that employees can take care of their life's business on the margins of their employer's business. There are a couple of solutions.
Issue “official business use only” devices
For those companies that wish to avoid having their employees accessing their personal web spaces, be it social networks, email, banks, or browsing for pleasure, the cleanest solution is to provide the employee with the requisite device(s) and prohibit through policy and technological enforcement the personal use.
The device falls under the control of the company's mobile device management (MDM) controller. Essentially, this keeps employees from conducting personal business during the workday. They carry a separate, personally owned device that is not connected in any manner to the employer's infrastructure, is not used for business, and is not required to have the security protocols or standards of use policy.
Allow a Bring Your Own Device (BYOD) environment with shared responsibility
An often used method is to let employees use their personally owned devices for both work and personal use.
The BYOD approach requires the employer to have a well-defined strategy which encompasses not only securing the physical device that is now accessing the corporate infrastructure. It also must ensure that both content and applications on the device are secure and free of malware.
There are two ways to accomplish this. The first is to require the user to load to their device a specific suite of applications/tools which bifurcate the device into two parts, the company instance and the personal instance. MDM controls the company instance.
The second way is to allow commingling. The employee voluntarily provides MDM oversight on their device, and their actions may indeed put any sensitive data on their devices at risk.
Christopher Burgess (Twitter: @BurgessCT) is CEO of Prevendra, Inc. He is also an author, speaker, advisor, consultant and advocate for effective security strategies, be they at the office or home for you and your family.
“Choreograph the dance” (Joseph Raczynski)
Businesses can absolutely choreograph the dance between users’ work and play while keeping secure.
Companies of all sizes grapple with employees having access to personal web resources while at work, as that can create security holes. Speaking with companies all over the US about this topic, I see two solutions to this dilemma.
One organization I consulted with went through two iterations before finding solution one. First, they completely denied all personal web access for their users. That led to a near-revolution at the company, so they embarked on stage two – only allowing access to sites like Facebook when given permission by HR.
Not too long after this policy was invoked, eventually everyone had the same “special” dispensation to visit personal sites.
Finally, the company decided on creating a DMZ, essentially a server as a “De-Militarized Zone” outside of their primary network which the users accessed via a unique browser shortcut on their desktops. The siloed server allowed them to access Gmail, Facebook and many others.
Ultimately the company reached a perfect balance between the needs of the business for security and keeping their employees happy. The only limitation with this DMZ was that staff could not copy and paste or print.
The second solution would be to use “break the link” software tools. In essence, such products work like this: If you click on a link in your email, the link goes to another safe server between you and the end site. The application checks the content of the site to see if it contains malware or viruses. If free of such things, it returns the webpage; if infected, a warning is displayed that the site is unsafe and access is denied.
Joseph Raczynski (Twitter: @joerazz), technologist and futurist, is an innovator and early adopter of all things computer related. His primary bent is around the future of law and legal technology. He also focuses on several fields including machine learning, mobile, security, Blockchain, and robotics (drone technology).
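The click-time link checking Joseph describes, shown here as an added illustration that is not from the original post or from any vendor's product: a mail gateway rewrites each web link so the click lands on the gateway first, and on click the gateway recovers the real target, consults a scan verdict and either allows the visit or blocks it. The gateway host, the verdict table and the sample links are constructed assumptions.

```python
import re
import urllib.parse

# Assumption: hypothetical gateway that every rewritten link points at.
GATEWAY = "https://safelinks.example.invalid/check"

# Constructed stand-in for the content scan the gateway runs at click time.
SCAN_VERDICTS = {
    "https://mail.example.org/inbox": "clean",
    "https://download.example.net/invoice.exe": "malware",
}

HREF_RE = re.compile(r'href="([^"]+)"')


def rewrite_links(html: str) -> str:
    """Rewrite every http(s) href in an e-mail body to go through the gateway.

    Non-web schemes (mailto:, javascript:, ...) are left untouched here;
    resolve_click() refuses them anyway, so they never get a free pass.
    """
    def repl(match):
        target = match.group(1)
        if not target.lower().startswith(("http://", "https://")):
            return match.group(0)
        encoded = urllib.parse.quote(target, safe="")
        return 'href="%s?url=%s"' % (GATEWAY, encoded)
    return HREF_RE.sub(repl, html)


def resolve_click(gateway_url: str) -> dict:
    """Gateway side: recover the original target, scan it, allow or block.

    Fails closed: a missing, malformed or non-http(s) target, or one with
    no scan verdict, is blocked rather than passed through.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(gateway_url).query)
    target = query.get("url", [""])[0]
    scheme = urllib.parse.urlparse(target).scheme.lower()
    if scheme not in ("http", "https"):
        return {"action": "block", "url": target, "reason": "unsupported scheme"}
    verdict = SCAN_VERDICTS.get(target, "unknown")
    if verdict == "clean":
        return {"action": "allow", "url": target}
    return {"action": "block", "url": target, "reason": verdict}
```

In a real deployment the verdict would come from a live fetch and scan of the destination, and the block response would be the warning page the user sees.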
“Millennials seem to balk at bans” (Jeffrey Brandt)
Social media sites and personal email can be the route through which your corporate network can be compromised. There are really two ways (assuming you don’t count ignoring it) to address this issue - ban such sites and services, or shift them.
Many organizations have taken to banning such sites to help preserve the integrity of the corporate systems. Millennials often seem to balk at such bans, thinking this access is their “right.”
Under the “shift approach,” access to these sites can be granted by a guest WiFi network and employees using their personal devices.
There are also ways to create a virtualized zone where browsers are insulated from the corporate network system. Services like Authentic8’s Silo provide such a virtualized browser. Microsoft just announced its Edge browser will start running in a virtual machine under Windows 10.
Jeffrey Brandt (Twitter: @jeffrey_brandt) is the Chief Information Officer at the law firm of Jackson Kelly PLLC and has over 30 years of experience in the field of legal automation. Jeffrey is also editor of the popular PinHawk Law Technology Daily Digest, a respected thought leader in the legal technology community and a frequent educational speaker at industry conferences.
“Use personal web resources without playing cat and mouse” (John Ackerly)
It's a fact of corporate life that employees are going to use their own personal web services, like Gmail or Dropbox, at work.
While this gives many CISOs pause, it's not necessary for businesses to make a choice between corporate security and employee convenience.
Personal web resources are not inherently more insecure, especially if you leverage technologies such as Authentic8 to access these resources. In addition, services like Virtru can provide audit and control for corporate information, even if employees choose to share business content using their own services.
A company doesn't need to block corporate assets from leaving their network / cloud service; rather, it can mandate encryption and audit how the assets are being used when shared externally.
This combines the best of both worlds - employees can use personal web resources without playing cat and mouse with the security group, and businesses can continue to protect their intellectual property and other sensitive information.
John Ackerly is the CEO and Co-Founder of Virtru, a digital privacy company based in Washington D.C. Prior to founding Virtru in 2012, John was responsible for privacy and technology policy at the White House National Economic Council and was the Policy and Strategic Planning Director at the U.S. Department of Commerce. John holds an MBA from Harvard Business School, was a Rhodes Scholar at Oxford University and graduated from Williams College.