From efforts to infiltrate corporate networks to identity theft and innocuous-looking spoof emails designed to elicit information or payments from employees, the threat vectors facing internet users have become ever more diverse.
One thing is for sure. As software, networks and operating systems become more secure, hackers and cybercriminals are increasingly turning to social engineering to achieve their dubious aims. While people have always been the weak link in cybersecurity, as many of the obvious backdoors and exploits are plugged, exploiting human behaviour is increasingly central to the hacker’s craft.
Good security hygiene is the only answer to that. No matter how much awareness there is around the threat of phishing attacks, at least some people will still click on links or open attachments they think are legitimate. In addition, it is just human nature to choose a password that is easy to remember and therefore, easy to crack.
The zero-trust environment is attracting buzz in the market. This is an IT security concept increasingly in vogue that assumes that no one is trusted inside or outside of the organisation’s network. Identity verification is required of everyone, and access to resources is controlled and regularly reviewed.
This is different to the traditional castle-and-moat view of security, which held that everyone on the network was automatically trusted and the focus was on protecting the network perimeter and keeping unauthorised people out.
The new threat landscape suggests that, with more subtle efforts to infiltrate the network by way of the organisation’s own people, organisations need to be more zealous about internal security. The problem is that this requires a range of policies and technologies to the applied effectively, particularly as data is no longer stored in one place. It may be on-premise and in the cloud and stored on numerous mobile devices.
While many organisations are keen to pursue a zero-trust approach to security, many of them are unsure about how to do it. There are questions around how organisations can implement multifactor authentication to verify identity and integrate data loss prevention (DLP) software to keep control of sensitive data, which are tenets of a zero-trust environment. This isn’t always obvious in the context of existing IT systems.
Part of the problem is the complex nature of software licensing. Take Microsoft for example. Many customers are hesitant to invest in E5 licences for Microsoft 365, which brings together Office 365 and Windows 10 with enterprise mobility and security capabilities. That’s because the licences are significantly more expensive. But we often see organisations opting for a lower tier of Microsoft licence, while continuing to maintain and pay for antivirus, firewall and other security software that is actually built into the top-level E5 licence. With an E5 licence, users gain access to identity and access management, threat protection and advanced information protection that isn’t built into the other licences, and they could save money by doing so.
The key to a more cost-effective way to secure IT systems is to start the conversation early with a trusted partner. With many organisations moving to cloud computing systems, the pre-cloud discussion in particular needs to canvas existing security requirements and how they will change in the move to the cloud, the technology needed, and the licences required to get the full functionality required to keep the network and all of its users secure.
Jaen Snyman, Practice Manager – Modern Workplace, Empired