I don’t want to “gain complete control over every endpoint,” what many endpoint security firms are offering.
I do want control over the data that matters. I do want endpoints authenticating securely to corporate apps, servers, services. But “complete control” over every endpoint, especially BYOD endpoints?
Fool’s errand.
More than a decade ago, IT security teams assumed responsibility to securely manage BYOD devices because IT was already in the position of managing corporate laptops and enterprise smartphones -- and keep in mind, enterprise smartphones back then were Blackberry and Palm, not iPhone and Android.
Since that time, we’ve learned the hard way that Endpoint Management scope becomes unreasonable when it includes personal devices outside of IT’s direct control. Yet corporations frequently paint their IT security teams into a corner by assuming it should be as easy to manage a BYOD endpoint as it is to manage an IT-managed endpoint. The endpoint security market encourages the groupthink that employees are hopelessly, permanently oblivious to endpoint security risk.
That’s five-years-ago thinking. No one's oblivious. Your employees have first-hand or second-hand experience with a targeted phishing attack, with the consequences of clicking on links that install malware and hijack the browser, with ransomware messages that ask for a bitcoin payment, with the grimness of identity theft.
Employees aren't daft on identity, privacy, and web security. They understand the Internet is a threat. Grandma uses a Tor browser and a VPN to anonymously buy meds on the Dark Net. Sensible parents keep pictures of their kids OFF social media. Laptop camera lenses are covered.
Employees (humans) have already become endpoint security practitioners. Adblock Plus browser plugin has many hundred million downloadsk. Ghostery is deployed massively to block web site tracking cookies. Apozy’s Chrome plugin runs vuln scans on web sites. Mozilla's Lightbeam add-on for Firefox reveals and visualizes web site interactions during browsing.
While employees may not understand the nuances of cross-site scripting (XSS) vulns (OWASP.org), they do understand that a website can be loaded deceptively, can contain harmful code, can steal their login credentials. They do understand privacy.
Employees are engaging in BYOD and browser security, blocking and tackling in parallel with IT security teams. Instead of ignoring the trend, why not take advantage? Rely on the employee more, rely on the endpoint vendor less, to secure the data that actually matters on the endpoint.