Sponsored

For those at the coalface of the security industry, the feeling of metaphorically banging one’s head against a brick wall, of continually educating, re-educating and correcting misinformation, mischievous or otherwise, will feel all too familiar.
Take the comments from Home Secretary Amber Rudd around WhatsApp following the terror attack in Westminster. Following the disclosure that the messaging service was used moments before the attacker struck, Rudd’s remarks – “there should be no place for terrorists to hide” – were met with a certain level of dismay in the industry.
Graham Cluley, a long-standing independent security analyst, put it this way. “There is a danger that politicians will take ghastly incidents of terror as a platform to push forward their agenda of weakening encryption,” he wrote. “It makes them sound tough in the fight against terror – at least to people who don’t know much about technology. But it won’t make a blind jot of difference to bad guys.”
With other technologies, such as cloud and Wi-Fi, a similar effect occurs. Last month David Linthicum, a highly respected cloud thought leader, wrote about how the battle for cloud security in enterprises is increasingly not a technological one. “The truth is that competent cloud security technology is available, and most IT organisations’ cloud teams are good at finding and using it,” he wrote in InfoWorld. “To achieve solid cloud security, departments across IT need to come together, both those that focus on legacy and those that focus on cloud computing.
“In reality, this union has proven to be difficult. Why? The people down the hall are dead set against you driving change.”
One firm which looks at how employees deal with these situations is mobile connectivity provider iPass. The company issues a yearly report around mobile security, with last year’s revealing that almost two thirds of organisations ban their mobile workforce from accessing free Wi-Fi hotspots. In addition, 94% of respondents said free Wi-Fi was either ‘very much’ or ‘somewhat’ of a threat to their company. This is backed up elsewhere; Xirrus, in a recent report, found that 91% of Wi-Fi users did not believe it was secure, yet 89% continued to use it anyway.
Raghu Konka is vice president of engineering at iPass. He argues that ‘all security challenges are both organisational and technological to varying degrees’, but adds a caveat. “Education is hugely important, and employees need to understand that security is their responsibility as well, not just those in IT,” he explains. “However, relying on employees to do this for themselves, and to always follow best practice, is a sure-fire way to get hacked.”
One element of best practice which should be – but is not always – followed is around VPNs. The iPass study found that only one in five (21%) US firms polled were ‘fully confident’ their workforce always used the company’s VPN. “Employees still need to be more aware of VPNs as commonly the ‘last mile’ is where a user’s data is most vulnerable. However, by using a VPN, data is masked and encrypted, protecting people from the infamous ‘man in the middle’ attacks, and unwittingly exposing their online data to malicious activity,” says Konka.
“In today’s ‘Wi-Fi first’ world, it is imperative that mobile workers are equipped with the requisite tools to get online and remain productive, while simultaneously ensuring the security of corporate data from wherever it is being accessed,” he adds.
All that said, the onus is not entirely on the employee. Konka argues that employer actions such as simply banning public Wi-Fi will only be a stopgap, as workers will just find a way around them. “Getting employees to use VPNs, for instance, should primarily be a technology issue,” he says. “Employers need to provide zero touch technology solutions to cover employee misuse and mistakes, as well as any inevitable gaps in education, training and awareness.”
Sometimes, however, it’s a question of watching the watchers. Last week, an article on Motherboard debunked a service calling itself MySafeVPN, after it spammed a database of media player provider Plex. Among the various issues which led people to suspect the service was not entirely legitimate, the company’s sign-up page had no SSL, its headquarters was traced to a Vietnamese restaurant, and some users reported that visiting the website triggered an anti-virus warning.
As the Motherboard story argues, the emergence of operations such as MySafeVPN may well be linked to new US legislation which allows internet service providers to sell users’ browsing history to the highest bidder.
Konka hopes VPN services – reputable ones, that is – will see an uptake following the vote, which was passed in the House of Representatives by 215 votes to 205, but is not entirely confident. “General awareness around VPNs is likely to rise as a result of the ISP privacy vote, but we can’t rely on there being an instantaneous surge in VPN use,” he says. “When privacy and security are concerned, apathy regularly trumps reason.”
For those in the security industry, it’s a continual goal to make reason trump apathy.
This post is brought to you by TheBestVPN.com.