Not too long ago, I was speaking with the CIO of a large company (some details have been changed to protect the innocent) about one of my favorite topics: how to define security policies that balance user productivity and business risk. Before long, the CIO said, “Trust me, I know all about that.” I stopped talking and started listening. He proceeded to tell me about an incident from a previous November. Apparently, during a small window between meetings, he decided to take advantage of the free time to do some online holiday shopping. We’re all crushed for time, he knew exactly what he wanted, it took just a few minutes, and then he was off to his meeting. Only he didn’t make it very far before the head of security approached to report a security policy violation. “Can you believe it?” the CIO said. “My online shopping was flagged!” I had a feeling I knew where this story was going. “I got flagged for violating my own policy!” he said.
The CIO then explained, “It was the middle of summer, and we had just had a small security scare. At the time, the only thing I cared about was doing everything in our power to prevent a bigger incident from happening. By the time the holidays rolled around, I’d forgotten all about it.” To balance employee productivity, satisfaction, and corporate risk, the company decided to allow access to a few selected shopping sites during November and December.
His story got me thinking. Could the company have established a more flexible policy back in the summer if the policy team had properly explained the pros and cons of the restrictive “no shopping ever” policy? Maybe. There is no way to know definitively. One thing’s for sure: the experience itself clearly made an impression on the CIO. I’m a big believer in learning through experience, but since we can’t learn every lesson by living through it.
No matter how hard you work to educate your employees about the constant and evolving threats to your company, even the most conscientious employee may unknowingly open infected files or click on malicious web links. The best strategy includes securing across all attack vectors and putting policies into place for reviews and change management within your organization. Windows 10 and Microsoft 365 offer security solutions that address these attack vectors and will enable you to discover, analyze, and neutralize threats before they cause harm.
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define which web sites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data.
Constantly evolving threats to your company data can cause even the most conscientious employee to unknowingly open infected files or click on malicious web links. Security breaches are inevitable. You need to discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches. Many common types of threats target these key attack vectors: devices, email, network, and user credentials.
To help secure these vectors:
- Protect identities—Detect suspicious activities across the network attack surface by signing in to the Azure ATP workspace portal with your Azure AD user account.
- Protect email—Configure Office 365 ATP and Exchange Online Protection in the Office 365 admin center to protect against malicious links and phishing attacks.
- Protect endpoints—Set up the endpoints in your organization so that Windows Defender ATP, which is built in to Windows 10, can get sensor data from them. You do this by onboarding your endpoints to the service and by configuring the individual security controls.
Access a free trial, and review it in your environment.
Experience is one of our great teachers. As the CIO in this story learned, some security rules look good until they get in the way of executives. And some security measures may seem costly and unnecessary, but when weighed against massive reputational damage or material financial loss, those investments calibrate as frugal and wise. You don’t have to make your CIO a cyber ninja to have a productive conversation.
Learn more about Microsoft Security for your organization.