When Job Functions Are Not Cybersecure

Aviv Grafi


February 1, 2021

In today’s connected, cloud-based computing environment, you often hear that security is part of everyone’s job. Unfortunately, not all parts of all jobs can be entirely secure—particularly when operational policy and security solutions are directly at odds. 

In these circumstances, companies have to accept risky activity that they might otherwise prohibit. Employees are all aware—or should be—that opening attachments from outsiders poses a potential threat to the corporate network. Major breaches have resulted from phishing attacks in which employees thoughtlessly clicked on an attachment or link. This can happen even when attachments come from a trusted source, who could be sending a file that has been compromised with or without their knowledge.

Yet some employees have no choice but to open attachments from outsiders. Human resources professionals, for example, routinely open prospective employees’ resumes when looking for new hires. Financial managers review spreadsheets from outside organizations while negotiating deals. What choice do they have but to click on an email, or open the file? Their job function demands it.

Security Solves Some Problems and Exacerbates Others

Companies have implemented many different mitigation strategies to quell the risks of opening malicious documents, often inadvertently impacting employee efficiency as a result. Tools like antivirus software and sandboxes have been used to try to protect businesses from malware-laden documents. Companies have implemented security awareness training to teach employees to identify attacks before they can cause problems. And yet, they do not make allowances for employees when these strategies impact job function efficiency. In turn, organizations find themselves frustrated by the workarounds employees ultimately feel they need to use.

Employees should not have to choose between doing their jobs or allowing malicious content into their organization’s network. Relying on employees to stop incoming breaches not only prevents them from operating at maximum efficiency, it also puts organizations at the whims of human error. Even if 99% of an organization’s users take every precaution, a 1% miss rate leads to a guaranteed chance of infection—which means 100% of these users will have misallocated time and resources on an ineffective security policy.

Fear of the Unknown Obscures Answers

Security practitioners are aware these threats exist, but too often their knowledge ends there. A recent Ponemon Institute survey found that IT security professionals’ biggest concerns are unknown threats, which continue to rise as exploits of known vulnerabilities fall. However, the traditional security measures are clunky and inhibit productivity in the current landscape—and more than half of respondents say their endpoint security solutions are ineffective at detecting attacks. Rather than pulling out safe elements of a file, these solutions pinpoint the file’s malicious aspects instead. This can fall short when new malicious activity enters the cyber ecosystem faster than the security tools meant to combat attacks.

Antivirus tools, which are designed to counter known threats through signature-based threat identification, cannot keep pace in a fast-moving cloud environment rife with mobile access, third-party software, storage services like Dropbox, and a variety of collaboration platforms like Slack and Zoom. All of these can introduce threats. Background processes increase latency, causing machine slowdown and affecting user productivity. These tools block files unnecessarily, and users may still open flagged files accidentally. Ponemon’s survey also found that antivirus tools missed 60% of attacks on average, while producing a high volume of false positives.

Next-generation antivirus software takes a proactive approach and adds tools such as artificial intelligence, but also produces a high rate of false positives, which can disrupt business processes and waste users’ time, and still looks for known vulnerabilities and anomalous behavior. Minerva Labs found that 86% of the exploit kits that cybercriminals deploy to attack system vulnerabilities use evasive techniques that can get around those security solutions.

While it has been known to catch some attacks, there are even downfalls with sandboxing, which isolates malware before it gets into a production environment. Large files can cause bottlenecks in the sandbox, slowing down operational workflow and reducing productivity. As a result, users are left waiting to receive files from the sandbox. In addition, this technology requires extensive IT resources, time and money.

Empowering the Enterprise and Employees

Security should not be about building fences to keep out bad actors and malicious activity at the expense of the user. Instead, we should strive to build bridges to allow safe information to travel freely within an organization and among the partners and third parties it works with. Organizations must figure out how to let their people work without compromising on security. To this end, some gaps in traditional technologies can be filled with new innovations that break down and reconstruct incoming files, removing threats before they get to the network. Rather than identifying threats and malware, this kind of technology seamlessly recreates files in a clean state, maintaining the file’s usability. Implementing such a process builds trust between management and the employees who must open documents as part of their job function.

Beyond technology, company leadership must also implement more holistic solutions to fill gaps and keep the workforce both secure and efficient. No solution is one-size-fits-all, and robust programs require various tactics to be used in tandem. As a first (and free) step, cybersecurity experts recommend that enterprise leadership connect with IT and security teams to audit what is working and what is not, from both a technical and a procedural perspective. This initial step is key, because gaps cannot be properly filled without understanding where they are.

An additional mapping exercise should focus on productivity and increasing alignment between employees and the security team. In many cases, employees are averse to security protocols that hamper their day-to-day work productivity, and this may lead some to use an ecosystem of shadow IT solutions to get around restrictive security measures.

With this in mind, it is imperative for enterprises to develop a cybersecurity culture in which security leadership behaves as business enablers instead of business blockers. This can be achieved through determining and proactively altering the instances in which employees are being blocked from doing their task because of security policy. Organizations need to prioritize both productivity and security when developing their cybersecurity culture. They must continue to assess employees’ attitudes toward the corporate security policy and their ability to perform job functions. 

Communicating about company security is not a one-and-done activity. In fact, one of the best ways to address security gaps is to instill better communication on the topic throughout the company. When executives facilitate better communication and collaboration between IT and other departments across an organization, they enable employees to better understand what threats they might encounter on a daily basis and the security resources available. In addition, opening the door directly to IT and allowing them to engage with employees throughout the company allows employees to become much more comfortable and knowledgeable about where to seek guidance if they encounter suspicious activity.   

However organizations choose to protect their network, leaders and IT must accept that some job functions are not cybersecure, and that the onus cannot be reliably placed on end users to navigate an insecure environment. To stay ahead in the age of digital business, companies must prioritize productivity and efficiency in concert. For enterprise leaders, identifying a way to fold top-level security into this new landscape with minimal impact on operations is not only critical, it will soon be unavoidable.

Aviv Grafi is founder and CEO of Votiro.