Protecting the enterprise from the growing number of cyberthreats is a priority for most CIOs and many are looking for the best defense strategy.
Traditional controls like firewalls, intrusion detection systems and endpoints were designed to help protect networks with defensible walls. However, those tools lack visibility outside the firewall and are nearly impossible to deploy on digital channels.
"That means attackers can compromise the network by targeting employees and customers directly," said Elias Manousos, CEO and co-founder of RiskIQ.
A number of recent studies indicate that employees are indeed the weak link when it comes to enterprise cybersecurity.
"Most loss of sensitive data is caused by employees using insecure means to transmit data—whether the leak was intentional or not," said John Lane, Chief Information Security Officer at Biscom.
To help prevent employees from accidentally opening the doors to the company network, some companies are taking the approach of limiting employee access to websites.
Pros and cons
Limiting employee access to websites can help organizations reduce their attack surface area and the chance of infection. It may also reduce the risk of losing sensitive data including PII, PHI and intellectual property.
In addition, limiting website access may have the added benefit of helping increase employee productivity by removing distractions and allowing employees to focus on work.
"Site access controls can be helpful, but smart, creative employees will figure out workarounds to accomplish their goals, resulting in the rise of shadow IT," said Manousos.
There are some cons to limiting website access as well. First, the approach is by no means foolproof. Some major, legitimate sites have been compromised to contain things like drive-by malware. In addition, imposing limitations, in some cases, may encourage employees to find a work around to getting access to restricted sites.
"Security teams are usually the last to know, and traditional information security is not equipped to secure modern digital channels," Manousos said.
A company may also unintentionally block access to legitimate work-related websites, reducing employee productivity and increasing frustrations.
"Choosing websites to block is not only difficult, but hard to implement," said Lane. "The matter can quickly become subjective, fraught with emotion."
Employees also prefer fewer restricted and typically have trouble understanding why sites are blocked.
"By limiting access to sites, you may be decreasing employee morale with an attitude that 'big brother is stopping us,'" said Lane. "It's important to note, in most cases, employees are not trying to cheat company time or do something wrong. Instead, for example, they may simply be trying to make a purchase in their spare time."
Another option is a middle-ground approach. For example, a company might perform a basic filtering of websites to block offensive sites. It can then use next-generation firewalls, which use technologies like Unified Threat Management, as well as up-to-date browser software. Companies can also eliminate plugins like Java and Flash to help increase the company's overall security posture.
"For example, companies could use next-generation firewalls to give access to Facebook but restrict access to Facebook games," said Lane. "Additionally, companies may want to consider a flexible policy that grants access to websites based on the employee's role in the organization. Marketing groups, however, will typically need access to social media sites, and finance departments may need access to e-commerce sites."
No matter the approach, educating employees about what to watch for and avoid when using the Internet remains a vital component of a good defense strategy as well.
"Educate employees on threats like phishing, drive-by downloads, exploit kits and malware targeting them, and the potential consequences to the enterprise," said Manousos. "Digital channels—Web, mobile and social—are the new attack surface, so education and awareness is key."