IT weaknesses - the barrier to enterprises becoming security-first
April 2019 by Justin Calmus, Chief Security Officer at OneLogin
Enterprises are increasingly recognising the benefits of adding cloud infrastructure alongside their on-premise networks, but often create complicated network environments in the process. Recent OneLogin research found that 94% of global CIOs agree that the corporate technology stack is becoming increasingly complex, with more apps (both cloud and on-prem), data, devices and transactions than ever before. Running systems in the cloud offers efficiency and productivity to better support large distributed workforces, wherever an employee is based. As a company grows it can outgrow its on-premise network. Consequently, IT strategies must be designed to futureproof networks as well as to protect customer and employee data.
The influx of new applications onto enterprise networks shows no sign of abating, and it threatens the network security posture. OneLogin research found that two-thirds of UK enterprises expected to deploy up to 100 new commercial SaaS and on-premise apps in the past year. At this rate of large-scale app deployment, it is critical that enterprises develop a security-first strategy that keeps hybrid-network environments healthy. Such strategies are needed to calm chaotic networks overwhelmed by the constant onboarding of applications. Like spinning plates, it is only a matter of time before a chaotic and fragmented hybrid network wobbles and the whole enterprise network comes down.
To ensure enterprises’ networks remain agile and secure, IT decision-makers and professionals should consider the following points to encourage a companywide security-first culture:
1. Single source of truth
Multiple directories mean multiple places for identities and access rights to drift apart, and multiple places where a forgotten account can survive for an attacker to find. Whether directories are in the cloud, on-premise, or both, they should be managed from one unified system that is adaptable and scalable, so that every directory is reconciled against a single authoritative source rather than maintained by hand.
2. Manage access for employees and end-users
81% of hacking-related breaches involve stolen or weak credentials (the figure comes from Verizon's 2017 Data Breach Investigations Report). Single sign-on (SSO) and multi-factor authentication (MFA) work together: SSO cuts the number of passwords a user has to remember, which reduces reuse and weak choices, and MFA means a stolen password on its own is not enough to log in. Applied consistently across all of a user's devices and apps, they protect data from unauthorised access.
3. Onboard and offboard efficiently and securely
As enterprises continue to grow, HR and IT departments must onboard new employees quickly and offboard departing employees just as fast, if not faster, to stay secure. In a large enterprise of 250+ employees, staff join every week and staff leave every week, placing a strain on HR and IT teams. To simplify these processes, run them efficiently and put security first, enterprises should invest in automated processes and tools. An "instant kill switch" for deprovisioning and real-time directory synchronisation dramatically reduce the time spent on IT administrative tasks and greatly reduce the risk of ex-employees leaving with sensitive information that could be sold to competitors. Deprovisioning has to reach further than the directory entry: sessions and tokens already issued to the account should be revoked at the same time, because disabling the account alone does not end them.
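The following Python sketch shows how points 1 and 3 fit together in one reconciliation job. It is an added example, not OneLogin's code or any product's: the HR roster is treated as the single source of truth, every directory is compared against it, leavers are disabled and have their sessions revoked (the "kill switch"), joiners are created with only their department's default groups, and accounts with no HR record are flagged for a human rather than deleted. The roster, the two directory snapshots, the department-to-group mapping and the `Action` type are all constructed for the example; a real job would replace the in-memory dicts with calls to the directory's API.

```python
"""Joiner/leaver reconciliation: one HR roster as the source of truth,
every directory compared against it.  Added example, not OneLogin's code;
the roster, directory snapshots and group mapping below are constructed."""
import copy
from dataclasses import dataclass
from datetime import date

# Constructed HR export: the single authoritative record of who is employed.
HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "active", "dept": "engineering"},
    {"employee_id": "E101", "email": "bob@example.com", "status": "terminated", "end_date": "2019-04-01"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "active", "dept": "finance"},
    {"employee_id": "E103", "email": "erin@example.com", "status": "terminated",
     "end_date": "2019-12-31", "dept": "engineering"},  # future leaver, still employed today
]

# Constructed snapshots of two directories that are supposed to mirror the roster.
DIRECTORIES = {
    "cloud": {
        "alice@example.com": {"enabled": True, "groups": ["eng"]},
        "bob@example.com": {"enabled": True, "groups": ["eng", "admins"]},  # left two weeks ago
        "dave@example.com": {"enabled": True, "groups": ["contractors"]},   # no HR record at all
        "erin@example.com": {"enabled": True, "groups": ["eng"]},
    },
    "on-prem": {
        "alice@example.com": {"enabled": True, "groups": ["eng"]},
        "bob@example.com": {"enabled": True, "groups": ["eng"]},
        "erin@example.com": {"enabled": True, "groups": ["eng"]},
    },
}

# Least-privilege defaults for a new joiner, keyed by HR department (assumed mapping).
DEFAULT_GROUPS = {"engineering": ["eng"], "finance": ["finance"]}


@dataclass
class Action:
    directory: str
    user: str
    kind: str            # "create", "disable", "revoke_sessions" or "flag_orphan"
    detail: str = ""
    groups: tuple = ()


def _partition(roster, today):
    """Split the roster into currently employed and departed identities.
    A termination dated in the future is still an active employee today."""
    active, departed = {}, set()
    for rec in roster:
        end = rec.get("end_date")
        if rec["status"] == "active" or (end and date.fromisoformat(end) > today):
            active[rec["email"]] = rec
        else:
            departed.add(rec["email"])
    return active, departed


def reconcile(roster, directories, today):
    """Return the actions that bring every directory into line with HR."""
    actions = []
    active, departed = _partition(roster, today)
    for name, users in directories.items():
        for email, rec in users.items():
            if email in departed:
                if rec["enabled"]:
                    # Leaver: the kill switch. Disabling the account does not end
                    # sessions or tokens already issued, so revoke those explicitly.
                    actions.append(Action(name, email, "disable", "HR status: left"))
                    actions.append(Action(name, email, "revoke_sessions"))
            elif email not in active:
                # Account with no HR record: never auto-delete, flag it for a human.
                actions.append(Action(name, email, "flag_orphan", "no HR record"))
        for email, rec in active.items():
            if email not in users:
                # Joiner missing from this directory: create with department defaults only.
                groups = tuple(DEFAULT_GROUPS.get(rec.get("dept"), []))
                actions.append(Action(name, email, "create", groups=groups))
    return actions


def apply(actions, directories):
    """Apply the plan to the in-memory snapshots (stand-in for directory API calls)."""
    for a in actions:
        users = directories[a.directory]
        if a.kind == "disable":
            users[a.user]["enabled"] = False
        elif a.kind == "revoke_sessions":
            users[a.user]["sessions"] = 0
        elif a.kind == "create":
            users[a.user] = {"enabled": True, "groups": list(a.groups)}
        # "flag_orphan" changes nothing: it is a ticket for review, not an automated change.


def run_example(today=date(2019, 4, 15)):
    """Reconcile the constructed data, apply the plan, and reconcile again.
    Returns (first_plan, second_plan); the second run should only re-flag the orphan."""
    snapshot = copy.deepcopy(DIRECTORIES)
    first = reconcile(HR_ROSTER, snapshot, today)
    apply(first, snapshot)
    second = reconcile(HR_ROSTER, snapshot, today)
    return first, second


if __name__ == "__main__":
    first, second = run_example()
    for a in first:
        print(f"{a.directory:8} {a.kind:16} {a.user} {a.detail}{list(a.groups) or ''}")
    print(f"second run: {len(second)} action(s) left")
```

Two design choices matter here. The job is idempotent: running it a second time after the plan has been applied produces nothing but the orphan flag, so it can be scheduled frequently (or triggered by HR events) without harm. And it never deletes on its own: an account with no HR record is the single most common way an ex-employee or contractor keeps access, but it is also where HR data is most often wrong, so the job flags it and leaves the decision to a person.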
4. Security versus usability – getting the balance right
To get employees to follow security protocols and buy into a security-first culture, additional security controls must not make the tools they use to do their jobs harder to use; ideally they should make them easier. Otherwise, employees will be reluctant to adopt them and will find ways to circumvent security protocols, leaving the business they work for open to cyber criminals.
It is all too easy for employees to sign up for and download new applications on corporate, and even personal, devices they use for work. Some even pay for these applications out of their own pocket to avoid going through tedious HR and IT approval processes.
To succeed in 2019, enterprises must find a balance between usability and security and become security-first organisations, or end up security-last and at the mercy of cyber criminals. An organisation's failure to prioritise security will not only cost it its sensitive data but also incur regulatory fines for non-compliance with data privacy rules such as the European General Data Protection Regulation (GDPR) or the EU-US Privacy Shield framework. Google recently, and publicly, came under regulatory scrutiny by the French data protection authority, the CNIL, for two GDPR failures: a lack of transparency about how its data policies can be accessed, and a lack of valid user consent for the personalisation of ads. As a result, Google received a fine of €50m, the largest since GDPR came into force. Beyond the fine, the impact falls on Google's reputation among consumers and Google users.
With this in mind, a security-first strategy and posture must be reflected in an organisation's vendor selection process and positively influence the end-user experience every step of the way. Organisations that fail to acknowledge the importance of a security-first culture throughout their decision-making risk circumvention of their controls, hefty regulatory fines and damage to their reputations.