Box: We’re in the business of protecting companies from themselves


Bobby Hellard

10 Oct, 2019

“We’re 30,000 employees, we’re the size of a small village… there will be crime, or there will be people that do things that they shouldn’t do.”

Box CIO Paul Chapman recalls a conversation he once had with a company executive, who broke the mould somewhat by being more concerned by the actions of rogue employees than threats coming from the outside.

This was at a time when cyber security simply meant protecting against external threats. That doesn’t mean to say the executive wasn’t bothered with external attacks, only that he identified that plenty of development had already gone into creating robust outward-looking defences over the years, while little attention was paid to the workers.

In today’s environment, we are seeing time and again that the biggest threat to security is often a company’s own employees. According to Box, around 55% of breaches are due to negligence in the workplace.

“People often say, ‘what’s the thing that worries you the most?’ Actually it is what we would call ‘negligent users’,” Chapman explains. “People don’t wake up and say ‘hey, I think I’ll be a negligent user today’, they’re just doing their work and what happens is risk builds… part of what keeps me awake is users doing negligent things, without knowing they’re doing them.”

Safety net

Jeetu Patel, Box’s chief product officer, shared a few examples of what the company considers common negligent actions. The first was sharing content to personal email accounts. So, for instance, Rachel wants to invite John into an internal folder full of private company documents. She begins typing ‘Jo’ into the search bar and his email addresses pop up. She picks the first one which happens to be John’s personal Gmail account, sending company documents to a non-company account.

In a second example, John, who is working remotely, might decide to download company documents on a personal device. He doesn’t select the specific documents he needs and instead puts the whole folder onto his unsecured personal device. Without realising, John may have placed sensitive company info, such as financial details, on a device that sits outside the company’s firewall.

It’s this concern that led Box to develop its Shield platform, released in August this year. It aims to fix the many problems and risks that crop up when sharing and collaborating. While it is mainly marketed as an external-facing security product, Box Shield is actually just as useful for preventing these types of human errors filtering through – whether accidental or intentional.

Force preview, for example, gives users access to files in preview before they are given permission to download. So if somebody receives an email with a malicious attachment, it will be flagged by Box’s security system before it’s ever downloaded to a company’s network.

Although the employees should be aware of basic security practices, software needs to account for laziness, according to Box.

“We know it’s better to point to content, we know it’s better to use links to control content and chain of custody over content, but you still have in an organisation of 20,000 – 35,000 people and someone who goes ‘oh, I think it’s easier to send an attachment’, and off he goes,” Chapman says.

In-house phishing

Chapman and his team at Box accept that we can’t all be experts, particularly when it comes to digital security. And, as clever and intuitive as Box Shield is, it’s not going to protect you from everything.

“To me, Box is a piece of the jigsaw puzzle, it’s not the jigsaw puzzle when it comes to how to think about security potential,” he says. “It’s partners, it’s integrations… you have to have people inside your organisation that are thinking through what the architecture is… you can’t just put it in Box and be done. It’s how you configure Shield, how you set it up, it’s a combination of things.”

The workforce at Box is subjected to regular tests from Chapman and his team. They are even tested using dummy internal phishing attacks as a way to train people on how to identify and deal with threats as they arrive. This is the same tactic we’ve seen deployed across other security-savvy organisations, only, as a security specialist, Box is able to take it one step further.

“There are different levels of sophistication, but it is surprisingly scary how easy it is to spoof people,” he says. “We’ve got a red team that will actually try to break everybody’s passwords at least once per month. We will do our own phishing attacks, we look at the results, share them with the company, we don’t do a wall of shame or anything, but we do have a security ‘hero’.”

We’re only human

These ‘heroes’ seem to be in short supply if the latest figures are anything to go by. According to Telstra’s 2019 Security Report, 89% of cyber security risks are now internal. Add to that a recent Carbon Black report suggesting that hacking and data breaches are becoming the “new normal”, with hackers now turning their attention to vulnerable end-users rather than trying to break through company firewalls directly.

What’s more, it only takes one lapse in concentration, or one employee to not know the danger, for your business to be crippled by malware. Many towns and cities in the US have been plagued by ransomware attacks that have been specifically designed to target employees that are, for the most part, illiterate in cyber security. For example, Florida’s Riviera Beach lost control of its entire municipal network after a single police department employee opened a malicious email attachment.

In 2017, the average worker made 118 mistakes a year, according to a report from Identity Guard. Predictably, many of those errors revolved around technology and as more and more businesses adopt digital services, that trend is only going to continue. After all, we’re only human.