IT Weaknesses - The Barrier to Enterprises Becoming Security-First
By Justin Calmus, chief security officer at OneLogin
Enterprises are increasingly recognising the benefits of embracing a cloud infrastructure to support on-premises networks, but often create complicated network environments in the process.
Recent OneLogin research revealed that 94% of global CIOs are in agreement, saying the corporate technology stack is becoming increasingly complex – with more apps (both cloud and on-prem), data, devices and transactions than previously known. Running systems via the cloud offers efficiency and productivity to better support large distributed workforces, no matter where an employee is based. As a company evolves it can often outgrow its on-premises network. Consequently, IT strategies must be created to future-proof networks, as well as protect customer and employee data.
The influx of new applications onto enterprise networks shows no sign of abating, threatening networking security posture. OneLogin research found that two thirds of UK enterprises expected to deploy up to 100 new commercial SaaS (software as a service) and on-premises apps in the last year. This high frequency of large-scale app deployment to enterprise networks means it is critical that organisations develop a security-first strategy to encourage healthy hybrid-network environments. Such strategies are imperative to calm chaotic networks overwhelmed by the constant on-boarding of applications. Just like spinning plates, it is only a matter of time until a chaotic and fragmented hybrid network wobbles and the entire enterprise network collapses.
To ensure companies’ networks remain agile and secure, IT decision-makers and professionals should consider the following points to encourage a company-wide security-first culture:
- Single source of truth
Multiple directories mean multiple vulnerabilities. Whether directories are in the cloud, on-premises or both, they need to be managed from one unified system that is adaptable and scalable.
- Manage access for employees and end-users
Eighty-one per cent of hacking-related breaches involve stolen or weak credentials. Single sign-on (SSO) and multi-factor authentication (MFA) work together to strengthen credentials and protect data from unauthorised access – across all users’ devices and apps.
- Onboard and off-board efficiently and securely
As enterprises continue to grow, HR and IT departments are tasked with getting new employees onboarded quickly, and off-boarding ex-employees just as fast, if not faster, to stay secure. With large organisations hosting 250+ employees, new staff need to be added every week and, likewise, staff also leave every week – placing a strain on HR and IT teams. To simplify processes, run them most efficiently and put security first, companies should invest in automated processes and tools. An ‘instant kill switch’ for de-provisioning and real-time directory synchronisation can dramatically reduce time spent on IT administrative tasks and greatly reduce the risk of ex-employees leaving with sensitive information that could be sold to competitors.
- Security versus usability – getting the balance right
To encourage employees to follow security protocols and buy into a security-first culture, additional security processes must make the tools they use to do their jobs easier to use. Otherwise, employees will be reluctant to adopt them and will find a way to circumnavigate security protocols, essentially leaving the business they work for open to malicious cyber criminals.
It can be all too easy for employees to sign up to and download new applications on corporate and even personal devices they use to work. Some employees even pay for these applications out of their own pocket to circumvent going through tedious HR and IT protocols.
To succeed in 2019, enterprises must find a balance between usability and security to become a security-first organisation, or face becoming security-last and at the mercy of cyber criminals. Not only will an organisation’s inability to prioritise security cost the company its sensitive data, but it will also incur regulatory fines for not complying with data privacy laws, such as the European General Data Protection Regulation (GDPR) or the US’ Data Privacy Shield.
Google recently, and publicly, came under regulatory scrutiny by the French National Data Protection Commission (NCIL) following two breaches of GDPR compliance due to a lack of transparency around how to access data policies and Google’s lack of valid user consent regarding the personalisation of ads. As a result, Google has received a fine of €50 million, the largest fine since GDPR came into force. The impact beyond the fine is on Google’s reputation among consumers and Google users.
With this in mind, a security-first strategy and posture must be reflected in an organisation’s vendor selection processes and positively influence the end-user experience every step of the way. If organisations fail to acknowledge the importance of a security-first culture throughout decision-making processes, they will risk circumvention and hefty regulatory fines, damaging their reputations.