New social networking technologies, mobile devices and a more flexible and tech-savvy workforce are leading to increasingly complex and diverse end user environments with much greater security challenges, says the Information Security Forum (ISF).
In its recent research, the ISF also found that vast differences in the knowledge, behavior and actions of end users create further security risks, and it believes organizations need to empower employees to take more personal responsibility for protecting critical and confidential information.
Most organizations have many different end user environments, often across physical locations and comprising individuals who use a wide range of technologies to handle information. These disparate end user environments are subject to factors such as diverse cultures and different operating conditions that make managing information security extremely difficult.
This problem is further compounded by the variety of corporate-issued and personally owned devices and a blurring of the boundaries between work and personal computing. Furthermore, new Generation Y employees entering the workplace typically want to configure their own user environments, installing personal software such as applications for social networking, instant messaging, peer-to-peer networking and VoIP.
“Greater business and personal use of computing and communications and, in particular, social networking websites are creating a major headache for information security professionals,” said Mark Chaplin, senior research consultant at the ISF.
“Either deliberately or unwittingly, it is all too easy for end users to share confidential information with unauthorized individuals or corrupt critical information needed to support key business processes. Organizations need to recognize that the information security function cannot provide all the protection necessary without a complete lock down. Instead, much of the responsibility lies in the end user environment where more focus needs to be placed on education and awareness to create a culture where employees are empowered to protect corporate information as well as their own personal data.”
“Another significant but often overlooked issue in the end user environment involves the widespread development and use of spreadsheets and desktop database programs by end users to create their own applications,” adds Chaplin. “In many cases these types of application are developed in an ad hoc manner, often outside of corporate control and are poorly protected. This can introduce significant risks when organizations become dependent on them (e.g. to support financial transactions or a manufacturing process) and they fail, for example, as a result of coding errors.”
In many cases it is not feasible, economical or practical to provide total protection for multiple end user environments. However, the ISF report draws on the views and experiences of its members, some 300 of the world’s leading companies and public sector bodies, to identify the areas of greatest risk and present practical recommendations.
“The first step is to understand the broad range of security challenges associated with end user environments in an organization,” says the ISF’s Mark Chaplin. “It is not unusual for management, including senior executives, to be unaware of the value of information that employees have access to and use; the threats this information is exposed to when not adequately protected; and the potential business impact if this information is compromised in the end user environment.”
Once the challenges are understood, organizations need to apply a balanced approach to protecting information in the end user environment. This involves establishing a security-positive culture; focusing on the organization’s critical and confidential information; protecting equipment and applications, including those created using spreadsheets or equivalent; restricting connectivity; and addressing the physical security of the end user environment.