The Three Biggest Security Problems Today
The most prevalent causes of breaches today fall into three major threat areas for organizations: users, devices and access to applications.
Through social engineering, users are easily phished, giving out their passwords through spoofed websites and convincing emails. Weak, default or stolen passwords were involved in 63% of reported breaches, according to the Verizon 2016 Data Breach Investigations Report (DBIR).
If not phished, passwords may be brute-forced with password-guessing tools or stolen by malware equipped with keylogger components. Equipped with a user’s password, an attacker can log in and access your data and environment undetected, posing as an authorized user.
Users want to use what’s easy and what they know to access work applications as they work remotely and from home. That means they may turn to their own devices - tablets, laptops, mobile phones, etc. that aren’t managed by your IT department. These devices provide an entry point for any attacker into the corporate network, as attackers use known vulnerabilities to get access to the devices, targeting out-of-date software.
Users’ devices aren’t always updated in a timely manner, and may not have certain security features enabled, leaving them wide open to intruders and malware. It only takes one compromised device to breach your entire organization.
Cloud-based web applications are becoming more popular as they can be easily accessed via a web browser and Internet connection - convenient for users working from anywhere and using any device, but also convenient for malicious hackers who want the same easy access.
Protecting all of the applications that provide entry to your enterprise environment is key to ensuring full coverage and closing any security gaps.
The Problem With Bolted-On Security
Previously, traditional security models would use a separate, siloed and piecemeal approach to securing each area. The Defense in Depth approach encourages using many different layers of security controls in an information security strategy.
But this soon gave rise to Expense in Depth (a term coined by a Forrester analyst) - an infosec market saturated with bolted-on security solutions and products that were largely ineffective against the major and most common threats.
I recently had a conversation with a CISO who told me, ‘I am sick of spending money on the latest flavor of the day security solution. I am done.’ I agree, we should go on a technology investment detox. - Rick Holland’s Blog, Forrester
A New Holistic Security Approach
Instead of bolted-on security, we need to think of security by design. We need a holistic security solution designed to work within your ecosystem of people, managed and unmanaged devices, and your mix of on-premises, cloud and custom applications.
With a solution that gets insight into your users and devices and uses that data for custom access security policies and controls, you can ensure your company is protected against attackers, who will often exploit multiple vulnerabilities and target more than one area in a single attack.
This new approach ensures trusted users, devices and access to applications. Find out more about Duo’s Trusted Access platform in What is Trusted Access?
And, download the Duo 2016 Trusted Access Report to get an in-depth analysis of the security health and risk of endpoint devices based on Duo’s dataset of two million devices worldwide - and how Trusted Access can help.