In a previous analysis, we discussed zero trust from an endpoint security perspective. Although concepts like zero trust and endpoint security may appear intuitive to those of us working in cybersecurity and the broader field of information technology (IT), they might not be as readily understandable to business colleagues. In this analysis, we will explore three core concepts that you can use to frame endpoint security for colleagues who are not well-versed in IT.
1. Attack Vectors
When discussing endpoint security with non-IT peers, it’s helpful to start with the concept of attack vectors. Attack vectors are pathways that malicious actors can take to compromise an organization or introduce risk.
Each endpoint, be it a mobile device, laptop, Internet of Things (IoT) device, or some other device, offers the opportunity to be an attack vector for malicious actors. This means that, just as in a home, each entrance is a potential pathway for an intruder. (Although a door may make a more logical path than a window, it also doesn’t mean malicious actors don’t, and won’t, use the other pathways or vectors if they are available to them.)
In the context of endpoints, attack vectors may include the software on the device, the connection the device uses, or even the user themselves, in the case of phishing, for example.
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
2. Malicious Software
Modern endpoints are rife with software. Applications serve a near-endless number of purposes, from communications and collaboration to mobile banking and social media. These applications exist on devices such as mobile phones, which may be used for personal purposes but also to engage in various business activities. Each piece of software offers an opportunity for malicious actors to compromise an endpoint and pivot into the enterprise environment.
Explain the concept of malicious software to non-IT peers in such a manner that helps them remain vigilant about the number, type, and source of applications and software they place on their endpoints. Help them understand the security benefits of using known software over random applications of unknown origin. You might want to use an example, such as how a distributed, well-known application like the Wells Fargo banking application poses significantly less risk than some obscure gaming application from a mobile application marketplace.
3. Security Culture
Much as every member of the organization contributes to its purpose, either directly or indirectly, so does each contribute to an organization’s security culture. This security culture can permeate and serve as a front line of defense, or it can become the weak link in a chain that ultimately brings an organization to its knees. Even the most technically proficient and knowledgeable organizations still suffer from security incidents due to IT and security staff performing actions that introduce risk.
Individuals who aren’t involved in IT and security generally aren’t involved in incident response activities, which makes them less inclined to consider the potential impact of their actions. It’s critical that these individuals gain awareness of the impacts of their actions and how they contribute to security culture. Their contributions range from the way they take phone calls or engage with links in emails or text message to not allowing someone they do not recognize to physically piggyback or follow them into a facility.
An ounce of prevention is worth a pound of cure, as they say, and teaching cybersecurity fundamentals to employees in a non-IT workforce can go a long way in helping them understand the secure use of their endpoints. Organizations can build a security culture through efforts such as security awareness training which is often required, brown bag learning events, or social events with a specific theme.
Bringing It Together
It is no easy task to try and help non-IT people understand the risks associated with endpoint security. Often endpoints are seen as nothing more than a means to an end, something that enables them to perform their organizational functions and interact with the technologies required to do so. Helping them understand the role of attack vectors and malicious software, as well as cultivating a security culture, can ultimately bolster organization-wide cybersecurity.
Want more cybersecurity insights? Visit the Cybersecurity channel: