October is Cybersecurity Awareness month, which puts a spotlight on end-user knowledge and application of practices such as using strong passwords, MFA, and the ability to spot phishing scams. But what is the actual role of the end-user in the overall pursuit of cybersecurity? Where do IT tools and processes end, and where must the end-user take on a higher level of responsibility? In our latest ThreatTalk podcast, Infoblox CIO Brad Bell and Infoblox CISO Ed Hunter joined host Bob Hansmann to explore the threats, defenses, and pros and cons of user awareness from the endpoint perspective.
In our new work-from-anywhere reality, endpoint security has come into focus like never before, and that was the starting point for the discussion. What follows is an excerpt—slightly edited for clarity—of the full podcast: Defending the Endpoint—Sharing Responsibility Between IT and End Users. Bob set the context as a matter of: what’s the capacity of users today for learning about and becoming knowledgeable about endpoint security?
Bob: Where are users today? How capable are they of bringing value to the security picture?
Brad: Well, great question, Bob. I think, first of all, are they capable of learning? Yes, you bet. I think where it gets a little more tricky, though, is do users understand the potential impact of what a security breach might look like? Or impact them in a way that’s negative? I don’t think they understand the risk or the impact. And so, while users can learn, they may not be able to determine what action to take as a result. Which is why I think it’s imperative, as we do in most corporate environments, to create a continued learning environment. We need to ensure that people have an opportunity to understand what these threat vectors look like and what the remediation efforts look like.
Ed: Yeah, certainly: email is one area we should focus on as a primary vector to get an initial foothold. It’s up to the user to really be the first line of defense. We can implement all these technical measures on the back end, and they could be 99% or 99.9% effective. But there’s always the first line, right? Email still comes in from the internet. And it’s up to the user to look at that email and kind of evaluate and determine the right thing to do.
Bob: About 20 years ago, I was at a company where we did a survey of our enterprise customers—it was a survey of their users. One of the questions was about if your endpoint, if your company-issued laptop was to become infected, how responsible do you feel? It was really an interesting survey because the responses varied widely. A fairly high number of users in Asia responded that they had somehow failed their company if their machine became infected. In Europe and the Middle East, the responses were mixed. But when you got to North America the responses were more of “well, my machine shouldn’t have gotten infected in the first place.” This was 20 years ago, but here in the U.S., that attitude that the end user had little or no sense of responsibility was prevalent. Are we still living in that environment?
Brad: I think it’s changing. I also think, and you point this out, there’s a geographic and cultural element with attitudes toward personal responsibility for endpoint security. I’d say there’s also an age differential. I think the folks that are probably a little older, like myself, are listening and trying to comply with security policies. With younger folks, though, social platforms and engagement platforms are a part of their lifestyle. And so, I do think there is a different attitude that comes with a greater awareness around “how can this possibly hurt me?” Perhaps a greater insight into the potential ramifications or risks with digital endpoints.
Bob: Question for you Ed: as a CISO, you’re responsible for putting in place programs to address these concerns. Are your users more accepting of that, or are you seeing pushback?
Ed: That’s an evolving question and answer. I’ve seen it really change over time as the endpoints themselves have evolved. Back in the old days, we really had two separate devices: Hey, this is your work machine. You only do work there, and if you need to go look at your personal email, you need to do that on your personal device. Whereas now we have kind of a fair use policy. With most companies it’s okay to do a little bit of limited surfing or personal use now. Within Infoblox, for instance, we have a large, mobile sales staff. They’re traveling a lot, right? They don’t want to bring two laptops. They don’t want to have two phones. So today, I’d say, there’s kind of an intermix of requirements and what people want to do and need to do, especially when they’re traveling. From the CISO perspective, I’d say as long as what you’re doing with your endpoints doesn’t introduce a lot of risks to the company, we’re okay with that. When we give you a machine, we do our very best to make sure it’s patched, that it has security controls on it, that we’re monitoring it for malware and that sort of thing. We can’t do that on your home machine, obviously. So, we try to advise our users to really do your work on your work machine and do your personal stuff on your personal machine.
Brad: I’d just add that I’m seeing a growing awareness that you have a responsibility towards your fellow employees in the company or coworkers. Similar to when you’re driving a car, you wear a seatbelt, same kind of thing. We have to engage our employee base through all these different modalities to get the word out. We need to make sure that everybody understands that this is not something that’s passive anymore. We all have to be active in our approach to helping reduce risk in the company around security.
Ready to learn more about best practices for actively reducing endpoint risk and strengthening your security posture overall? We’ve got two full seasons—more than 25 podcasts!—of expert advice that can help you do just that. The ThreatTalk series brings together experts from a broad range of security disciplines to help listeners to stay on top of the security landscape. Give them a listen here.