Information security starts with people. This statement, or a very similar one, sounds like the mantra of every IT security officer who regularly points out to colleagues the importance of complying with the instructions in force. So-called “Security Awareness Training” is offered for this purpose. However, it falls short, at the latest, when users no longer remember what they have learned.
Organizational and Technical Measures
To increase IT security, companies and institutions have the choice between organizational and technical measures.
For example, employees can be asked to activate the firewall and install updates regularly when accessing their digital workspace. Organizationally, everything is fine in this case. The employees sign an agreement, and the company is legally covered – until carelessness leads to a security incident that can severely affect the company financially. This is a classic example of a Layer 8 problem (https://en.wikipedia.org/wiki/Layer_8).
As meaningful as organizational measures are, they are not sufficient for comprehensive protection against Hackers & Co.
To supplement organizational measures, technical measures are necessary to protect your data and resources from uninvited guests. However, a technical possibility is not always applicable, or a suitable technical solution is not always known to the respective decision-makers, which is why it is necessary, from time to time, to resort to organizational measures to ward off a greater evil.
Contextual Security as a Strong Technical Measure
I recently learned during a product demo that a certain company informs its employees with a text that a mission-critical application can only be used if the employee is at a specific location. This procedure reminded me of the “no trespassing” sign on construction sites. You shouldn’t enter, but the sign won’t stop you either. The security gain is equal to zero. My explanation of our “Conditional Application Access”, i.e. the possibility – during the session runtime (!) – of revoking access to (mission-critical) applications when the context changes, was initially not thought possible and was then commented on during the demo with the following words: “Wow, that actually works live.”
I recently read another practical example that illustrates the “Power of deviceTRUST” in a German LinkedIn thread (https://www.linkedin.com/posts/tobias-dames_zerotrust-kisecurity-informationssicherheit-activity-7079769878009671680-2kI0).
It documented how a laptop was left unsecured on a train, i.e. without the lock screen activated, so that anyone could have had access to it, with all its applications and data. The comments were many and varied. It is clear that technical solutions such as VPN tunnels, no matter how secure, are of no use if the user has not paid attention to the “Security Awareness Training” and forgets to lock the screen before leaving the seat. As a technical (context-based) option, deviceTRUST could have helped in this case. While it is possible to dynamically set the so-called “session idle time”, our solution would, depending on the location, also have put a strong technical measure in place to support even the most careless employee in terms of security.
To put it briefly: technical measures supplement organizational measures and deviceTRUST’s “Contextual Security” enormously reinforces conventional technical measures. The following link provides examples of application possibilities to help you to take your security to a new level: https://devicetrust.com/benefits/use-cases/