This approach is working for small companies that are forced to trust and empower their employees due to limited resources, according to Sorin Mustaca, Avira product manager and security author.
“This approach will work for any business of any size because people are often the biggest problem when it comes to security,” he told Computer Weekly.
Traditionally, companies secure assets against all attack vectors, which includes laptops, workstations, servers, storage entities and software.
“But it is no longer enough to protect these assets alone because experience shows the most vulnerable elements in the enterprise are actually the employees,” said Mustaca.
“They are attacked using drive-by downloads of malware, phishing websites that steal identity and financial information and privacy agreements that do not limit the amount of information shared,” he said.
At the same time, the extensive adoption of third-party file synchronization services, such as Dropbox, Skydrive, Box and others, make it easier than ever before to get data in and out of the enterprise.
The BYOD phenomenon, said Mustaca, brought an entire chain of security policy changes, which failed to solve the problem.
More on consumerisation
“Software and hardware that enforce these policies are too expensive to buy, too complex to be set up and too hard to maintain,” he said.
Success, Mustaca believes, lies in recognising that most critical enterprise attack vector is the human element, and taking steps to protect employees wherever they are and whatever device they are using.
“Protecting and educating employees is a much cheaper and more reliable way of achieving higher levels of security than attempting to control people through onerous policies,” he said.
To support this employee-centric approach to security, Avira has adopted a per-user software licensing model to cover all data and devices used by employees, including their personal devices.
Education of users in enterprises can be managed in the same way as for consumers, according to Mustaca.
“In the end, it is the same person who works in two different environments. The same advice applies to both environments such as do not click on links received via email or instant messaging,” he said.
Similarly, in both environments, people should not execute binaries received via email, not plug in just any memory stick they find, not deactivate your antivirus software, and keep all software up to date.
“Of course, education has additional facets when we are talking about enterprises. But, in my opinion, there is nothing common sense and education cannot solve,” said Mustaca.
Like a growing number of small businesses, all businesses should trust and empower their employees by educating them about the risks and how to respond to them, he said.
“Businesses should also motivate employees to act responsibly by making them aware that the risks they expose the enterprise to are the same as they risks they face personally,” said Mustaca.
To adapt to the new world of working, businesses first need to create security awareness, he said.
Next they have to establish exactly what devices and services employees are using and implement security solutions around each.
“The security challenge is not as great as many think because there is a finite number of devices and operating systems that have to be supported,” said Mustaca.
“And if users understand the risks to the business and themselves, they are more likely to install security software and act responsibly,” he said.