External threats continue to be a cybersecurity challenge. But it’s important to remember that the threat landscape is much broader. The recently published 2020 Global Encryption Trends Study reveals that 54% of business leaders see employees as their biggest security threat.
That’s followed by hackers (29%) and malicious insiders (20%), according to the study, which is based on a survey of 6,457 leaders across multiple industry sectors in 17 countries/regions. The survey group consisted of individuals in IT operations (55%), security (20%), line of business (9%), compliance (8%), finance (5%) and other departments and disciplines (3%).
Meanwhile, these individuals see lawful data requests (12%) and government eavesdropping (11%) as the least significant threats, according to the study, which nCipher Security and Entrust Datacard sponsored and the Ponemon Institute independently conducted.
The fact that more than half of businesses see employees as their biggest security threat is particularly noteworthy today, as concerns about COVID-19 have rapidly expanded the work-from-home movement, and as sensitive data now resides in many more places.
The Increased Work-from-Home Trend Expands the Risk
People who normally work from home are more likely to have a more mature security posture and toolset. But those new to it may not be familiar with cybersecurity best practices or have taken the time to audit their network against them. Vulnerabilities and risks grow when employees lack – or must rapidly deploy and learn to use – good work-from-home setups.
We’ve seen a rise in data breaches during the pandemic. Phishing has been particularly troublesome. Well-intentioned employees might get fooled by – and click on – phishing emails, which download malware that can scoop data off their computers and seek a path into corporate networks. Employees who are out of their normal work environments and subject to a different set of distractions are more susceptible to such missteps.
Also, some of the resources and tools that workers took for granted when they were in the office may not necessarily be available now. That might cause them to take shortcuts or do things they wouldn’t normally do. For example, workers might dump sensitive documents onto a convenient and free public file share when collaborating with external vendors, without taking steps to ensure confidentiality protections via encryption and other access controls. Meanwhile, employees might be fighting for bandwidth at home, where their kids are streaming Netflix or using their Xboxes, and might decide not to turn on important VPN protection.
Organizations Need to Set Expectations and Employees Should Follow Security Guidelines
Businesses can work to prevent such mistakes, oversights and questionable decisions if they set expectations with remote employees – and are clear on what is and is not allowed. And employees can help keep themselves and their employers safe by following these procedures.
Typical best-practice security guidelines include use of VPNs and two-factor authentication when logging into the network. Many security teams will have lists of services that are both approved for use, as well as ones that are not approved for use due to security concerns.
Some people set up Wi-Fi networks well, with encryption and strong passwords. Others aren’t as technical and might just leave them on the factory default settings, or with no protection at all to make it easy for their kids and friends to use. But that can be just the opening an attacker needs, and without the other tools that might alert the user to an access attempt, like those present on the corporate network, that can be a real problem.
Other cybersecurity best practices include turning on laptop hard drive encryption by default and making sure your machine is properly tuned up with antivirus and malware protection. People often think that implementing security best practices is overly complicated. But if you follow the basic recipe, it can prevent most threats. Attackers will always go after the easiest target.
Effective Cybersecurity Strategies Require an Understanding of Where the Data Lives
Encryption is one of the key ingredients in a good cybersecurity recipe. It helps protect data at rest and data in motion. Many organizations understand the value of encryption. Nearly half (48%) of those surveyed for the 2020 Global Encryption Trends Study said their organizations have an overall encryption plan that is applied consistently across their entire enterprise. And since this survey was established 15 years ago, there has been a steady increase in organizations with encryption strategies applied consistently across the entire enterprise.
But before you can protect data you need to find it. In fact, 67% of the survey group said data discovery is the biggest challenge in planning and executing a data encryption strategy.
Organizations typically don’t have much trouble identifying what data is important. That includes things like financial records and intellectual property. However, what they often can’t figure out is all the places that data lives and what applications have access to that data.
This is also challenging because most organizations are not only using the cloud, but are using multiple public clouds. Further complicating matters is that some mobile tools replicate data to laptops, smartphones, tablets, and other endpoints. Because organizations continue to adopt more and more tools that create more and more places for data to go, data discovery and security seem to get harder every year.
Because Data Now Lives in More Places, Encryption is More Important Than Ever
The work-from-home movement prompted by the pandemic only adds to the challenge. Depending on their connectivity and access to corporate resources, remote workers might be creating multiple copies of data.
Imagine that a business is designing a product. The data related to that intellectual property might live in eight storage locations, but the enterprise only encrypts it in five of those locations. Attackers are always looking for low-hanging fruit. They might find encrypted data and then try to worm their way to somewhere else on the network to find that same data in an unencrypted form. If the business has left that data exposed, the company has devalued its entire data protection strategy and policy.
With data in more places it’s important to have a consistent policy to ensure good encryption hygiene. For example, you’re supposed to re-encrypt data with a new key on a regular basis, depending on the algorithm and key length you use. Yet people often forget that encryption isn’t a one-time thing. Good encryption hygiene is even harder if you’re using six different encryption tools. Now your admins have to manage key rotations and updates using several different user interfaces, making it cumbersome as well as difficult to implement a consistent policy.
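As an added example (not code from the article, the study or its sponsors), the following Go program shows the envelope-encryption pattern that makes the re-keying described above tractable across many copies of data: each copy gets its own data key, which is wrapped under a versioned key-encryption key (KEK). Rotating the KEK means re-wrapping the small data key rather than re-encrypting the bulk data, and any copy still wrapped under a retired KEK version fails to decrypt, which flags the copies a rotation pass missed. The KEK is held in memory here purely for illustration; in practice its material would be generated and kept in an HSM. The one-year rotation period and all type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KEK is a key-encryption key with a version and creation time. In a real
// deployment the key material would live inside an HSM; here it is an
// in-memory byte slice for illustration only (assumption).
type KEK struct {
	Version int
	Created time.Time
	key     []byte
}

// Envelope is what is stored next to each data copy: the per-object data key
// wrapped under a specific KEK version, plus the AES-GCM ciphertext.
// Both blobs are laid out as nonce || ciphertext.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// NewKEK generates a fresh 256-bit KEK labelled with a version and timestamp.
func NewKEK(version int, created time.Time) (*KEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KEK{Version: version, Created: created, key: k}, nil
}

// gcmSeal encrypts with AES-256-GCM and returns nonce || ciphertext.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or the blob was altered.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt draws a random data key for this object, encrypts the payload under
// it, and wraps the data key under the current KEK.
func Encrypt(kek *KEK, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek.key, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: kek.Version, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt looks up the KEK version recorded in the envelope. A copy still
// wrapped under a retired KEK cannot be opened: that is the signal that a
// rotation pass missed it.
func Decrypt(ring map[int]*KEK, env *Envelope) ([]byte, error) {
	kek, ok := ring[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is not in the key ring", env.KEKVersion)
	}
	dek, err := gcmOpen(kek.key, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext)
}

// Rotate re-wraps the data key under a newer KEK without touching the bulk
// ciphertext, so a KEK rotation costs one small operation per object.
func Rotate(old, next *KEK, env *Envelope) (*Envelope, error) {
	if env.KEKVersion != old.Version {
		return nil, fmt.Errorf("envelope uses KEK v%d, not v%d", env.KEKVersion, old.Version)
	}
	dek, err := gcmOpen(old.key, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(next.key, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: next.Version, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

// NeedsRotation applies the policy: a KEK at least maxAge old must be retired.
func NeedsRotation(kek *KEK, now time.Time, maxAge time.Duration) bool {
	return now.Sub(kek.Created) >= maxAge
}

func main() {
	now := time.Now()
	k1, _ := NewKEK(1, now.AddDate(-1, 0, 0)) // one-year-old KEK (constructed)
	k2, _ := NewKEK(2, now)
	env, _ := Encrypt(k1, []byte("product design notes"))
	fmt.Println("v1 needs rotation:", NeedsRotation(k1, now, 365*24*time.Hour))
	env2, _ := Rotate(k1, k2, env)
	pt, err := Decrypt(map[int]*KEK{2: k2}, env2) // ring with v1 retired
	fmt.Println(string(pt), err, "bulk ciphertext unchanged:", bytes.Equal(env.Ciphertext, env2.Ciphertext))
}
```

The design point is that the envelope records which KEK version protects each copy, so an inventory of envelopes across all eight storage locations in the scenario above can be checked against the key ring: every copy whose version is older than the policy allows is a copy that rotation has not yet reached.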
Encryption Management Is Hard, So Businesses Are Embracing HSM Solutions
Encryption management isn’t easy, but it is important. Businesses can make it easier by using hardware security modules (HSMs), which are purpose-built, tamper-resistant devices designed to safeguard encryption processes and securely create and manage keys associated with them. HSMs provide enterprises with assurance that the keys they generate are trusted and protected at all times – providing a much higher level of protection than when keys are generated in software and stored on more vulnerable application servers.
Research shows that a growing number of businesses are adopting and understand the value of HSMs. The Ponemon Institute expects HSM use for application-level encryption will soon be deployed in 51% of organizations represented in the 2020 Global Encryption Trends Study.
The report also highlights that about a third (33%) of the people who Ponemon surveyed back in 2012 said HSMs were an important part of encryption or key management. That percentage has now grown to 64%. That’s a significant rise from one-third to two-thirds in just seven years.
Cybersecurity Threats and the WFH Movement Are Here to Stay
Recent news reports suggest that the recently expanded work-from-home movement will persist even as we emerge from this public health crisis. For example, Facebook recently announced as much as half of its workforce would work from home permanently within a decade. And Twitter in May told its employees that they could work from home “forever.”
So, the investments organizations make today in layered cybersecurity strategies will deliver value well into the future. Guarding against external threats is important. But businesses shouldn’t forget about things that can happen internally.
Encryption is one of the most important weapons enterprises have in their cybersecurity arsenals to protect against threats. And HSMs are vital tools for encryption management.