We all know that organizations going through the digital transformation revolution have to navigate significant technology, culture and workflow challenges. What’s becoming increasingly clear is that, as more of their business becomes digitized, they’re increasingly facing three major user-related challenges that can’t be ignored and require radical new approaches.
In this first of a two-part blog series, we present the challenges: prevention, productivity and privacy. The second blog will offer potential solutions.
The Prevention Challenge
Cybercrime is having a substantial and alarming impact on businesses and, as a result, on our society. Consequences include everything from business disruption and information and revenue loss to reputation and equipment damage. According to a recent study by Accenture, the total cost of cybercrime in 2018 rose to a new high of $13M per enterprise and it keeps growing, especially in the banking and utilities industries where an estimated value of $5.2T is at risk. The European Union is particularly vulnerable: Germany, the United Kingdom, France, Spain, and Italy are amongst the most-impacted countries worldwide.
How and where are cyberattackers breaking through? IDC says 70% of successful breaches originate on the endpoint. This includes malware, malicious insiders, phishing, stolen devices, and ransomware, amongst others. Not only are endpoint-based attacks the fastest-growing and most expensive to resolve, they have evolved to target not only information theft but also data destruction and manipulation. As a result, enterprises are losing trust in their computing devices. The risks of this loss of trust can’t be overstated.
Promising endpoint security solutions for mitigating cyberattacks have fallen woefully short.
Innovations in endpoint operating systems (e.g., Windows) are not able to stop determined cybercriminals. Operating systems, middleware and applications have hundreds of millions of lines of code and endless legacy features that are exposed to malicious attacker inputs. Malware can leverage vulnerabilities/design flaws in this huge attack surface to execute code in the operating system’s kernel, bypassing any traditional OS-based security solution. This makes endpoints incredibly hard to secure, pushing enterprises to take extreme measures to protect their systems.
The sad truth is that preventing cybercriminals from infiltrating is impossible, regardless of the security technologies you layer on. That’s why many enterprises are focusing on mitigating potential damage. To do this, they are looking for containment solutions — a strategy advocated by Gartner, which mandates isolating and containing an attacker’s ability to do damage as a key part of an enterprise’s security strategy. Over the past five years, enterprises have doubled down here, spending as much as 25% of their security budget on containment technologies.
One of the triggers for this increased spend is new cybersecurity, compliance and regulatory requirements, such as GDPR. As an example of a containment approach, Microsoft issued guidelines for enterprise employees to use a separate dedicated Privileged Access Workstation (PAW) for all privileged access. This includes IT administration and knowledge worker activities that involve M&A deals, financial reports, company social media presence, executive communications, trade secrets, sensitive research, or other proprietary or sensitive data. In a recent Hysolate survey, 59% of enterprise respondents said they either implemented PAW or are planning to do so. In addition, a Forrester study indicates that the majority of enterprise employees use three or more devices for work. However, having a separate secondary device just for privileged/sensitive work is expensive and dramatically reduces employee productivity due to the constant context switches and the difficulty in transferring data between the devices.
Other containment approaches are inherently limited: they cover only pinpointed gaps in the operating system “swiss cheese”, such as sandboxing the browser or specific office applications, while many other apps and the OS itself remain unprotected. These approaches also often suffer from compatibility and performance issues that end up degrading the user’s experience significantly. As a result, many enterprises are still searching for a comprehensive endpoint containment approach that is practical to adopt at scale.
The Productivity Challenge
As endpoint cyberattacks evolved over the last decade, organizations attempted to close the gap by restricting endpoints and adding an array of security agents on top of the endpoint operating system. This approach has obviously not been successful in stopping endpoint-based attacks. Worse, it has caused a significant hit to employee productivity. In most enterprises, employees are unable to browse the full web, use any cloud service, install apps, plug in thumb drives, use conferencing add-ons, work remotely in an effective manner or use the device for personal purposes at home.
In a recent Vanson Bourne survey of 500 CISOs, 74% received complaints about productivity loss, 88% restrict websites/apps because of security and 81% see security restrictions as a barrier to innovation. The IT helpdesk spends an average of 572 hours a year responding to user requests and complaints related to endpoint restrictions. The cost of employee time lost on partially-effective user security training amounts to $300K a year.
These are just a few indicators of the immense productivity cost that ineffective endpoint security solutions have. In addition, there is an invisible business cost of lost opportunities, the impact on employee innovation (e.g. for developers/researchers) and satisfaction, and the inability to communicate effectively with customers/prospects, close deals, etc.
The Privacy Challenge
Employers also face a major privacy challenge related to user devices. The same research above indicates that 60% of enterprise users mix personal and corporate usage on their endpoint, introducing a huge cybersecurity risk to the organization, from both internal and external actors.
To tackle this risk, some employers deploy endpoint monitoring tools that record keystrokes, screenshots, and other user activities. With GDPR, it becomes tricky or outright illegal for enterprises to process such data, especially as users mix personal usage with corporate usage on a single endpoint. Organizations are stuck in a lose-lose situation: they can either respect the employee’s privacy or risk an endpoint-based breach.
These prevention, productivity and privacy challenges are daunting. But there are truly promising developments on the horizon. Stay tuned for our next blog on how to address the user challenges inherent in the digital transformation revolution that’s sweeping global business.