The IT manager responsible for information security at an enterprise account — let’s call him “Steve” — recently shared an interesting story. In general, he felt that they handle security pretty well, but he detailed one challenge that they haven't yet been able to solve — users roaming outside the office security perimeter.
As is typical of many businesses today, this company supplies its knowledge workers with laptop computers. Previously they used desktops, but the company found that using laptops rather evidently enables employees to work when they're out of the office, and not just in it. In the case of the company in question, this means that around 40% of their 1,200 employees now use notebook computers outside the office.
From a business perspective, this change enabled the company to increase customer satisfaction, because employees are now more responsive to customer needs regardless of time or location, in addition to increasing productivity, as many employees now work in the evening and on weekends.
But from the perspective of the information security team, the change has not gone so well. To explain why, Steve walked me through an average Monday morning under the new model. The most marked event every Monday morning for Steve and his security colleagues is that as employees arrive at the office and start connecting to the network, security alerts begin to come in at a rapid rate…
It turns out that while their employee laptops have a standard build that includes endpoint security, once users leave the office, they also leave the protection of the company’s on-premise Web security solution and venture onto the Internet largely unprotected. In the office, an on-premises Web security gateway inspects traffic and blocks many transactions, covering up for user "bad behavior" or inadvertent misfortune. While this is good news, it can also create a learned behavior in users, that it is okay to click on almost any link you wish, as the Web security tool will ensure that you will not come to any harm. This is where the problem starts.
Over the course of the weekend, employees connect to the Internet — often through public WiFi networks, many of which are unsecured — and surf the Web at will. While sites that users visit in their normal browsing habits may not harbor threats, the fact that they are outside the corporate perimeter and without the filter of corporate gateway security policies can lead them to connect to sites containing ‘inappropriate’ and potentially malicious content or exposed when possibly clicking on links contained in phishing emails. In most cases, endpoint security tools are ineffective in detecting and blocking such threats, because their threat definitions are updated on a periodic basis rather than in real-time.
With Web security effectively turned off, the user is unprotected or is at a minimum operating with a far lesser degree of protection, but they do not necessarily realize this. As a result, when they connect to risky web sites or click on links in emails, they can easily fall prey to cyber threats such as drive-by malware, phishing schemes, and new exploits. Once this happens, the device can be easily compromised, with valuable data either being exfiltrated directly from the machine, or installed malware being programmed to “lie dormant” until the device is connected to the corporate network so that it can begin work then.
This brings us back to where the story began, with Steve’s incident management system filling with alerts on Monday mornings. While it’s labor-intensive to rebuild the affected machines, and users are unproductive while this happens, that is not the worst of the problem. Steve is more worried about the compromised machines that he hasn’t yet found…
The bottom line
In today’s business and technology environment, where users connect to resources inside and outside the traditional network perimeter — from whereever they are and however they can manage to connect — information security must follow the user, to provide a ‘clean’ network connection at all times. Anything else is a recipe for a bad case of the ‘Monday Morning Blues’.
We recommend you do a quick 30-second test of your Web security when both in your office and when roaming outside of your office, and compare the results.