With a few exceptions, particularly in the most sensitive sectors, it is common for people to use their workstations for some (if not all) of their personal purposes, and even more so when the device is a mobile phone. Yet it is these workstations that constitute the most “effective” vector for malicious attacks against organisations’ information systems (IS). So can we imagine a world where professional and personal digital uses are strictly separated?
Workstations: an open door to the entire IS
As a matter of principle, malicious attacks against companies or administrations generally have two objectives, often combined: money and information. And in all cases, they are carried out using industrialised methods, ensuring efficiency and reproducibility for the attackers. Among these methods, breaking into unprotected Wi-Fi networks is effective but requires physical access. Attacks on poorly protected servers can cause damage, but often remain confined to their application environments. It is also possible to attack the organisation’s SSL VPN if it is vulnerable. But nothing compares to the success of targeting users, whether by e-mail (phishing) or through web browsing (malware planted on computers via compromised websites).
Even when well protected, the user workstation remains by far the most vulnerable because, by definition, it is joined to the company’s Active Directory (the most widely used directory service on the market). And this solution, despite the efforts of its developers, remains subject to numerous vulnerabilities allowing remote access and privilege escalation from an ordinary user account. This opens the door to the famous “Admin access” and to all the company’s data.
Proactive and transparent cybersecurity for the user
To protect oneself as much as possible against these risks, nothing could be simpler: in addition to dedicated cybersecurity software, it would be sufficient to keep workstations up to date, to prevent the exploitation of known flaws. This is true, but it does not take into account zero-day vulnerabilities, which attackers are exploiting ever more productively. To counter these risks, deploying solutions capable of blocking abnormal behaviour by applications or by the system remains an effective, proactive practice. In essence, malware exhibits very specific behaviours, looking for any kind of opening to get in and modify systems.
In all cases, however, these tools must be as transparent as possible for the user, so that he or she can carry out daily tasks with peace of mind and not lose productivity to constant blocking. This should in no way excuse him or her from remaining vigilant!
Beyond user charters, towards a strictly professional use of workstations?
Apart from a few sectors handling sensitive data, where workstations are heavily locked down and usage is limited to the strict minimum, many users use their workstations for personal purposes. Often they even let their children use them, or use them for online gaming. This situation has undoubtedly been exacerbated by the acceleration of teleworking, when it is not the company itself that asks the employee to use his or her personal machine so as not to have to pay for a professional one. Although a number of organisations have put usage charters and IT tools in place for their employees, in practice few of them apply sanctions in the event of imprudent behaviour, even when it results in particularly serious consequences for the entire information system (loss or theft of data, ransomware, etc.).
With the spread of home computing (smartphones, tablets, PCs, internet access), combined with ever-increasing digital risks for organisations, perhaps it is time for organisations to strictly limit the digital tools they make available to their employees to professional uses.
In that case, we would speak of digital service tools (for professional use only) and no longer of digital function tools (for “global” use by the employee). This will not solve every cybersecurity problem, but it could at least help make employees more cyber-responsible and thus improve usage.