The past two years have seen a series of big, targeted data breaches and high-profile cyberattacks against organizations, financial institutions, government services portals, and prominent people, exposing the personal information of hundreds of millions of people. The SolarWinds hack, by reportedly Russian attackers, accessed sensitive data belonging to several US government agencies and other public-service institutions such as hospitals and universities. Personal information of at least 5.2 million guests was stolen through a franchise partner’s account at Marriott International. The New Zealand stock exchange was hit by cyberattacks that halted its operations several times. These are only a few examples; the list is growing fast.
What followed has been a rethinking of the cybersecurity paradigm, says Frank Dickson, program vice-president, cybersecurity products at IDC.
“Instead of more cameras on the door, let’s put a fence around the house so you can’t get to the door. Let’s reduce vulnerabilities. Let’s re-architect and fundamentally make the house more secure,” he says. This evolution has continued with the proliferation of cloud-based business solutions paired with an increase in remote work, trends accelerated by the COVID-19 pandemic. The old perimeter, he says, has disappeared, and previous conceptions around cybersecurity should disappear, too.
“Our applications, data and people have all left the premises,” he says. “And so when that happens you have to fundamentally take a different approach.” Protecting data in this context against breach, that moment where it leaves the control of the enterprise, requires the ability to detect and contain threats faster.
Personalize security by user behaviors
In a data landscape where the local coffee shop might serve as an office and mom’s work computer can double as a third grader’s game console, where should cybersecurity efforts be focused? The answer lies in understanding how people have become the new perimeter.
Preventing data from escaping the enterprise—what cybersecurity experts call staying “left of breach”—becomes a matter of understanding the digital behaviors of those with access to information. It’s a mindset that says, “Wow, I need to make sure I can understand behavior as it’s unfolding, not after the fact.” The aim is to turn the spotlights on and be in a position to take action based on what is being seen. It’s a continuous risk assessment, like putting a heart monitor on and taking the pulse of everyone trusted to be on the network.
It’s also a framework that is proactive and adaptive in a world that demands both. Automated tools help establish “normal,” not just for the organization as a whole but for the digital behaviors of individuals as well. When those behaviors are safe, security should work entirely in the background. If that changes, and the risk score shifts upward, the tool set can adaptively enforce policy on that individual rather than from a universal, all-or-none perspective. Being as frictionless as possible for the end user is critical until friction is warranted.
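As an added illustration of the per-individual baseline and risk-adaptive enforcement described above (this is not code from the article, from IDC, or from any vendor), here is a small Python sketch: a user's own history defines "normal", a continuous risk score measures deviation from it, and enforcement escalates in tiers instead of all-or-none. The sample history, weights, thresholds and policy names are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Baseline:
    """Per-user notion of 'normal', learned from past hourly activity."""
    mean_downloads: float
    stdev_downloads: float
    known_devices: frozenset
    known_countries: frozenset

def build_baseline(history):
    """history: list of (downloads_per_hour, device_id, country) for one user."""
    counts = [h[0] for h in history]
    return Baseline(
        mean_downloads=mean(counts),
        stdev_downloads=max(pstdev(counts), 1.0),  # floor avoids divide-by-zero
        known_devices=frozenset(h[1] for h in history),
        known_countries=frozenset(h[2] for h in history),
    )

def risk_score(baseline, downloads, device_id, country):
    """Continuous score: how far download volume sits above this user's own
    norm, plus context signals. Weights are assumed values, not a standard."""
    z = (downloads - baseline.mean_downloads) / baseline.stdev_downloads
    score = max(z, 0.0)                       # only unusually high volume adds risk
    if device_id not in baseline.known_devices:
        score += 3.0                          # unfamiliar device
    if country not in baseline.known_countries:
        score += 4.0                          # unfamiliar location
    return round(score, 2)

def policy_for(score):
    """Graduated enforcement: invisible when safe, friction only when warranted."""
    if score < 3.0:
        return "allow"            # log only; user notices nothing
    if score < 6.0:
        return "step_up_auth"     # re-authenticate before the action proceeds
    return "block_and_alert"      # stop the transfer and notify the SOC

# Constructed history for a hypothetical user: ~5 downloads/hour, one laptop, one country
HISTORY = [(4, "laptop-1", "US"), (6, "laptop-1", "US"), (5, "laptop-1", "US"),
           (5, "laptop-1", "US"), (7, "laptop-1", "US"), (3, "laptop-1", "US")]

def evaluate(downloads, device_id, country, history=HISTORY):
    """Score one new hourly observation against the user's baseline."""
    score = risk_score(build_baseline(history), downloads, device_id, country)
    return score, policy_for(score)

if __name__ == "__main__":
    for obs in [(5, "laptop-1", "US"), (5, "phone-9", "US"), (20, "phone-9", "RO")]:
        print(obs, "->", evaluate(*obs))
```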
Make security invisible
Fundamental to staying left of breach is the partnership between employer and employee. Building a culture that believes security is important is everyone’s responsibility. The enterprise can provide a user experience around security that is as seamless as the ones employees use in their personal lives, whether ordering groceries online or streaming video. It can move as they move, from location to location, app to app, device to device.
Users, in turn, understand that the security infrastructure around them is designed to protect the enterprise by protecting them from mistakes (clicking on a bogus email or sending unsecured files, for example) that might unwittingly allow unauthorized access. It’s a way to build trust that the concepts of monitoring and continuous assessment have the appropriate framework in place for people.
In this context, the idea of “friction” itself evolves. Security is invisible until needed and, when needed, is a safeguard, not an impediment. A great user experience means employees are far less likely to bypass security measures in the name of efficiency and productivity, significantly lowering the risk of breaches.
The goal is for security and usability to work in concert, not opposition. To IDC’s Dickson, favoring one over the other represents something of a false choice. “Let’s do both right,” he says. “Let’s improve security by making it easier to use. Let’s create the incentives, so people actually want to use the platform we’re using because they improve the user experience.”
And when user experience and security converge in the most ideal way, what does that look like? According to Dickson, it doesn’t look like anything, and that’s exactly the point. The measures we take to improve our security are so embedded and ingrained in our applications that we don’t even know they’re there. They are frictionless and enabling.