In a recent conversation with the person owning information security at an enterprise account (let's call him "Steve"), I heard an interesting story. In general, he feels that they handle security pretty well, but he detailed one challenge that I felt was worth sharing.


As is typical of many businesses today, this company supplies its knowledge workers with notebook computers. Previously they used desktops, but the company finds that using notebooks enables employees to work outside - as well as inside - the office. In the case of the company in question, this means that around 40% of their 1,200 employees now use notebook computers outside the office.

From a business perspective, this change enabled the company to increase customer satisfaction because employees are now more responsive to customer needs regardless of time or location, in addition to increasing productivity, as many employees now work in the evenings and at weekends.

But from the perspective of the information security team, the change has not gone so well. To explain why, Steve walked me through an average Monday morning in this new business model. As employees arrive at the office and start connecting to the network, security alerts begin to come in to Steve's group at a rapid rate…

It turns out that while their employee laptops have a standard build that includes endpoint security, once users leave the office, they also leave the protection of the company's on-premises Web security solution and venture into the Internet largely unprotected. In the office, effective Web security will block access before anything bad can happen. While this is good news, it can also create a learned behavior in users that it is okay to click on almost any link you wish, as the Web security tool will ensure that you will not come to any harm. This is where the problem starts.

In the course of the weekend, employees connect to the Internet - often through public WiFi networks, many of which are unsecured - and surf the Web. While sites that users visit in their normal browsing habits may not harbor threats, the fact that they are outside the office environment can lead to them connecting to sites containing 'inappropriate' content. Additionally, users may also click on links contained in phishing emails. In most cases, endpoint security tools are completely ineffective in detecting and blocking such threats, because their threat definitions are updated on a periodic basis rather than in real time.

With Web security effectively turned off, the user is unprotected, but they do not necessarily realize this. As a result, when they connect to risky web sites or click on links in emails, they can easily fall prey to cyber threats such as drive-by malware, phishing, or exploit kits. Once this happens, the device can be easily compromised, with valuable data either being exfiltrated directly from the machine, or installed malware being programmed to "lie dormant" until the device is connected into the corporate network so that it can begin work then.

This brings us back to where the story began, with Steve's incident management system filling with alerts on Monday mornings. While it's labor-intensive to rebuild the affected machines and users are unproductive while this happens, that is not the worst of the problem. Steve is more worried about the compromised machines that he hasn't found yet…

The bottom line

In today's business and technology model, where users connect to resources inside and outside the traditional network perimeter - from where they are and however they can manage to connect - information security must follow the user/device, to provide a 'clean' network connection at all times. Anything else is a recipe for a bad case of the 'Monday Morning Blues'.
