Today’s young professionals have a more mobile, just-in-time work style. However, many companies find their current security models slow to adapt to these
modern scenarios. A great analogy I heard in a recent security conference compares life to the famous candy that melts in your mouth—not in your
Hard crunchy shell, chewy center
Not long ago, companies operated from one building: the headquarters (HQ). All activities, systems, and information funneled through this centralized building.
From an information technology (IT) standpoint, HQ was like a single M&M candy: As long as you harden the crunchy exterior shell against attacks
(with a firewall), you protect the chewy center (the inner workings of the company within). But as companies grew to add satellite offices, outsourced
partners and a mobile workforce, IT needed to harden each new access location.
Attack surface models have changed
Due to the ubiquity of the cloud and smart devices, the "HQ as M&M" analogy quickly stales. If anything, the mobile multi-nationals and agile startups
of today are more like spilling a bag of M&Ms on the table. Every worker in these organizations becomes what security experts call an attack surface—essentially
a potential target for cybercriminals to hack and steal identities and valuable data. Today's IT teams have to secure distributed teams spread across
multiple locations, time zones, and operating systems. Workers in these teams often access information from cloud-based enterprise resource planning
(ERP), customer relationship management (CRM), and email systems. Whether a worker uses a smartphone, tablet, or laptop—sometimes all at once—each
device and system it accesses becomes its own M&M. Now imagine a thousand M&Ms lying in a random pattern on the table; each one exposing an
identically-vulnerable attack surface just as the headquarters once did but multiplied many times. So how do you protect against the bad guys when
one surface has now become a thousand or more? How do business owners or board members know who is accessing what, when, and from where?
Keep Data Under Lock & Key
Just as we protect our physical treasures with a lock, key, and box we can also employ the same model in the digital space. In the digital world the system of lock, key, and box matches that of identity, authentication, and device. The interplay between lock and key, each containing half of the secret to unlock the treasure is in fact the physical version of identity and authentication. Having one and not the other gets you nowhere, so you need to use all three in unison.
Today, identity is more than just the username/password. Mobile numbers, security phrases, token generating devices, biometrics or any combination of those form your composite identity. The box, which forms the physical shell in the past is now your device whether a tablet, smartphone, laptop or other connected device. This is the physical manifestation that houses your treasure: the digital version of your company's secret sauces. Devices such as smartphones and laptops, the digital box, can also be encrypted. Even if the bad guy manages to crack the shell, and extract your data, it remains useless gibberish to most criminals (state-sponsored super hackers not withstanding) if encrypted. A combination of encrypted device data and good practices go a long way to defending against breaches and theft.
Defending the Identity and the Device
Most modern cloud platforms come with two-factor authentication or multi-factor authentication,
both go beyond requiring just a username/password pair for authentication. Choosing either two or multi-factor authentication uses additional means
to confirm your identity. For example, some systems may text you a code (used by banks for consumer-grade authentication), call your phone with an
automated message, send you an email or request biometric data such as a thumbprint. Multi-factor authentication and biometric security is built into
many Microsoft business services, which is why adopting Microsoft Office 365 sets you and your organization in a positive direction. Windows Hello,
a facial recognition system built into Microsoft Surface devices and premium PCs, just wants to see your smiling face, is accurate to 99.999% and continues
to learn the more you use it.
Adding these simple processes and technical safeguards go a long way to securing your M&M against bad actors that lurk just outside the candy shell.
Continue your cybersecurity journey diligently, and pop us a note or question anytime at firstname.lastname@example.org. We'd love to hear your stories and experiences.