Fixing The Achilles Heel Of Endpoint Security
Prasad Ramakrishnan is the Chief Information Officer at Freshworks Inc., and is responsible for the IT vision and strategy of the company and its execution. He has over three decades of experience in the Information Technology sector and is an executive board member of OptimEyes AI.
When the Western Allies of World War II began storming Normandy, German Field Marshal Erwin Rommel was at home celebrating his wife’s birthday. Several others, too, were away, not expecting an amphibious invasion to happen during one of the choppiest days that season. Hitler’s formidable army was deceived as much by the Allies as by its own false sense of invincibility.
That kind of self-deception is a great leveler. It can take down hardened defences, a reality that even the most cyber-secure companies are confronted with in today’s forever-on digital era. Companies not only have to be well-armed and on high alert 24x7 to be truly secure, but also need their employees to be educated on cyber vulnerabilities.
Not too long ago, we lived in a period of relative cyber tranquility. Employees would work on desktop computers in secure environments, data centers were located within office buildings, and all tech properties were locked to those data centers. Theoretically, companies could build moats and strong defences to stave off external attacks.
Then the walls came down.
As we propel toward a SaaS-only world, pretty much everything is on the Cloud. Employees use company laptops and their own smartphones to access business applications as well as personal emails, social networks, and online entertainment. Each device, or endpoint, with remote access to corporate networks is a potential point of entry for cyber attackers. There are millions of these endpoints around.
Companies have little choice but to invest heavily in securing these. So much so that the global endpoint security market is set to nearly double to about USD 10 billion by 2026, according to a Fortune Business Insights report. And yet, about 70 percent of all cyber attack breaches originate at the endpoints.
Let’s begin with the principal culprit: a sense of complacency. All companies have antivirus and anti-malware systems, and several believe that’s good enough. That’s akin to what employees do to protect their home computers, and leads to a false sense of security.
Endpoint security requires companies to think about how robustly they can secure the common assets their employees have access to. Even if a company has checks and balances for its machines, unless it can shield against threats from the myriad shared networks employees access, such as at cafes and airports, it will not have a secure posture.
Enterprise mobility management enables companies to encrypt corporate assets such as laptops, set up secure containers in mobile phones, and manage the encryption keys of these devices. If a computing device is lost or compromised, the device can be rendered useless (or bricked, in IT parlance) via a remote signal. This is all the more important with several companies adopting a BYOD (bring your own device) policy.
The other major threat is the smug casualness among employees about cyber threats. About 60 percent of the vulnerabilities come from inside enterprises. That’s mostly a result of employees being casual about security and lethargic about passwords. Normandy redux.
The primary way to combat this is by constantly reinforcing the need for vigorous security. Some companies do this with creative approaches to awareness building. Freshworks conducts mock phishing campaigns and refresher courses, and sends reminders to employees to update software patches. Awareness building needs to be a constant factor in endpoint security.
An extension of this approach is the zero-trust model. Consider every machine to be vulnerable, every person to be a threat actor.
Using artificial intelligence, a company can identify patterns for individual users, such as when they log into its network, from where, and from which IP address. If a user deviates from a known pattern, the security system would kick in and challenge them for additional identity checks. It will not trust any user without correlating a bunch of additional parameters.
This should also help companies identify high-risk employees and behaviors: employees who travel frequently and use public Wi-Fi, or those who recklessly download from the internet. Companies need to put the onus of security on their employees, making them primarily responsible for ensuring a good security posture.
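The per-user pattern check described above (login time, location, IP address, with a challenge on deviation) can be sketched as follows. This is an added example, not Freshworks' code: a simple frequency baseline stands in for the AI model, and the history, the `MIN_HISTORY` threshold, the IPv4 /24 grouping and all function names are assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed login history for one hypothetical user: (hour_utc, country, source_ip).
HISTORY = [
    (9, "IN", "203.0.113.10"), (10, "IN", "203.0.113.11"),
    (9, "IN", "203.0.113.25"), (11, "IN", "203.0.113.10"),
    (10, "IN", "198.51.100.7"), (9, "IN", "203.0.113.40"),
]
MIN_HISTORY = 5  # assumed threshold: below this there is no pattern to trust yet


def net24(ip):
    """Collapse an IPv4 address to its /24 so DHCP churn does not look new."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """Count how often each hour, country and /24 appears for the user."""
    return {
        "hour": Counter(h for h, _, _ in history),
        "country": Counter(c for _, c, _ in history),
        "net": Counter(net24(ip) for _, _, ip in history),
        "total": len(history),
    }


def hour_seen(baseline, hour, window=1):
    """True if a past login falls within +/- window hours (wraps at midnight)."""
    return any(baseline["hour"][(hour + d) % 24] for d in range(-window, window + 1))


def decide(baseline, hour, country, ip):
    """Return (action, reasons); any deviation triggers an identity challenge."""
    if baseline["total"] < MIN_HISTORY:
        return "challenge", ["insufficient_history"]  # cold start: do not trust
    reasons = []
    if not hour_seen(baseline, hour):
        reasons.append("hour")
    if baseline["country"][country] == 0:
        reasons.append("country")
    if baseline["net"][net24(ip)] == 0:
        reasons.append("network")
    return ("challenge" if reasons else "allow"), reasons


if __name__ == "__main__":
    b = build_baseline(HISTORY)
    print(decide(b, 10, "IN", "203.0.113.99"))
    print(decide(b, 3, "BR", "192.0.2.5"))
```

The returned reasons are what a security team would log alongside the challenge, so repeated deviations by the same user can be reviewed later.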
Companies could also control how employees access their networks. Amazon’s virtual desktop infrastructure model permits controlled access to a particular application or property. Through VDI, a company can secure a particular session until it ends. Nothing is stored in the machine.
The wave of the future is delinking a company’s properties from machines and securing those in centralized environments. From an end-user perspective, the machine is secure to the extent that it needs to be secured. Employees access only what they need to.
Devices such as the Chromebook, which hosts only the operating system and relies on centralized infrastructure for all the applications a user needs access to, are enabling this transition. This seems like déjà vu, reminiscent of the legacy computing model where the centralized computer was the brain behind the operations and access to it was through a dumb computer terminal.
In essence, companies need to factor in human errors and their own complacency. Without that, all their efforts and investments in innumerable security tools would be in vain.