- October 29, 2021
- Category: Security
If the hybrid workplace is here to stay, then security policy must put people first. Understanding how the human element plays a role in protecting data is essential, but so is making sure any security measures don’t get in the way of their productivity.
People can be part of the problem but also part of the solution: cultural changes that go hand in hand with security policy can positively influence employee behaviours to make your hybrid office more secure.
Humans make mistakes
Quite often, people put the organization at risk and violate security policy unintentionally. Privileged users can unknowingly let their credentials get compromised, which allows threat actors to access systems and sensitive data. Although it’s usually an accident, occasionally a disgruntled employee may compromise the organization intentionally.
Human beings also fall for phishing scams, both on their personal devices and corporate workstations; in the hybrid office, these devices can be one and the same. Scams that employ socially engineered malicious messages, including tax-themed phishing, dodgy downloads, fake payment and delivery, and invoice phishing, have become even more common during the pandemic and will likely continue apace in the hybrid office.
Some people are just plain careless, despite security policy guidance, by letting credentials lapse or not using multifactor authentication. Cybersecurity technology isn’t effective on its own without keeping people in mind. Yes, they need to be held accountable, but you must also meet them where they are. The hybrid office means your employees are moving between their work and personal lives more fluidly, including the devices they’re working on, and this must be reflected in your security policy.
Remote work is here to stay
Meeting people where they are means your security policy outlines how they can help to keep their organizations secure without getting in the way of their productivity. Your security policy should assume that the hybrid office is here to stay for the foreseeable future and understand the impact of continued remote work.
IT teams must be prepared to support remote workers, who are likely to have less traditional schedules as they embrace flexibility, and adopt collaboration tools to work across different departments, including human resources as they onboard new workers who will be working remotely, on-site or a combination of both. The hybrid office has also meant a shift to “hoteling” as employees come to work a few hours a day or a couple of days a week without their own dedicated workspace.
Remote work always had implications for security policy, even before the pandemic, but there has been an increase in malware incidents, data breaches and other poor security behaviors as more people work from home. Despite this spike, it’s important to keep security simple for employees and engage regularly with them through awareness training so they can help protect their hybrid office from threat actors.
A clear and concise security policy allows employees to be productive no matter where they are working so that security is not a barrier to productivity.
Sanjeev Spolia is CEO of Supra ITS
- September 30, 2021
- Category: Security
Remote work technology continues to be a prime target for cybersecurity attacks.
Recent research released by Tenable in collaboration with Forrester found that nearly three quarters of organizations have traced recent cyberattacks that have impacted their businesses to vulnerabilities in remote work technology. Even before the pandemic began, the traditional perimeter around enterprise IT infrastructure had become rather porous due to increased mobility of workers and cloud adoption. With a hybrid workforce that has fully embraced remote access tools, cloud services, and personal devices, that perimeter is pretty much gone.
The Tenable / Forrester research found that 80 per cent of security and business leaders say remote work has put their organizations at higher risk because IT teams lack visibility into remote employee home networks as more than half of remote workers use a personal device to access work data. This has meant three quarters of cyber attacks are targeting remote employees. Threat actors are also exploiting third-party software providers or leveraging vulnerabilities in those products, with 65 per cent of respondents linking those compromises to recent cyberattacks.
For small and medium-sized businesses, it can be challenging to invest a great deal of money in security technology and dedicated IT staff, but there are several core things that can help to better protect remote work technology from cybersecurity attacks.
- Use a Virtual Private Network (VPN): Implementing a VPN for anyone accessing corporate data and applications via the Internet provides an additional layer of security via multi-factor authentication and should be required for anyone looking to access valuable company intellectual property and other sensitive data.
- Use complex passwords: Many employees opt for simple passwords they can remember and use them for more than one application or website, which means once a hacker guesses one of them, they have access to a great deal of private information. Since these can be difficult to remember, consider implementing password encryption software that stores usernames and passwords without the need to know what they are because the information is encrypted from the start.
- Educate everyone: Having the right technology in place only goes so far; you need a culture where all employees understand the need for complex passwords, log in via VPNs, and recognize phishing attacks and other suspicious emails. In addition to employee training, set aside a budget for your cybersecurity team to attend webinars and other courses that help them keep up with an ever-changing threat landscape.
- Keep everything up to date: Whether it’s hardware or software, falling behind on upgrades and patches is sure to create vulnerabilities that threat actors will exploit. While much of this can be automated, you should have a program in place to verify all necessary updates are done on schedule.
- Pick a reputable cloud service provider: A great deal of security misconfigurations that lead to data breaches are the result of connecting with the many cloud services available to businesses today. Make sure your chosen providers have a solid track record on the security front and understand what they’re responsible for securing and what must be done at your end.
Keeping ahead of cybersecurity attacks has always been a challenge and the remote work era hasn’t made it easier. Consider seeking out a managed security services partner who can help you evaluate your security posture, implement new technologies and policies, and automate where possible so that your business is a less appealing target for threat actors.
- July 30, 2021
- Category: Security
The hybrid workplace may be the new normal, but the high number of data breaches due to the pandemic doesn’t have to be. The solution is recognizing that people can be the cause of security incidents but also play a part in preventing them.
The “human element” is involved in as much as 85 percent of all data breaches, according to Verizon’s 2021 Data Breach Investigations Report. That’s actually good news—it means there are cultural changes that can be made to influence employee behaviours that will improve hybrid workplace security.
People still fall prey to scams
There are several areas where security is vulnerable because of how people behave, often without any intent to put cybersecurity and data privacy at risk.
The first is around privilege abuse, according to the Verizon study, wherein users have access to IT systems, data and applications that over time leads to compromised credentials that allow threat actors to access sensitive information. In most cases, the privileged user isn’t intentionally looking to cause their organization harm and the data exposure is accidental. However, a disgruntled employee can cause a lot of damage.
In the meantime, employees still fall for phishing scams, and the number of instances where people fall for these socially engineered malicious messages rose significantly during the pandemic, according to Verizon’s analysis. Examples of these scams include payment/delivery scams, invoice phishing, tax-themed phishing, and downloads. Remote workers are more likely to fall for phishing scams, which makes their prevention especially critical for improving hybrid workplace security.
Many data breaches are accidental, but these accidents shouldn’t be confused with carelessness, which can include credentials that aren’t regularly updated or failure to use multifactor authentication. Cybersecurity technologies only go so far without having a standard of behaviour throughout the organization. Employees must be held accountable—effective hybrid workplace security depends on culture as much as technology.
Meet people where they are
The hybrid workplace solidifies the need for every employee to do their part to foster company-wide security rather than putting the onus on a small group of IT experts to implement and manage cybersecurity technologies. This is where the human element becomes part of the solution, not just the potential cause of data breaches.
While it’s critical that remote workers do their best to secure their home office environment, it can be overwhelming for them. Communication and training go a long way to helping them develop good security habits, as well as streamlining the process as much as possible. It’s also important to remember that in the hybrid workplace not all remote employees are the same. Some are experienced road warriors and power users who innately understand they need to secure their mobile endpoints, while other users have got a tad complacent over the years because they’re always online.
Employees who have traditionally worked in offices and felt comfortable leaving their workstation unsecured for a few minutes may not fully appreciate that hybrid workplace security requires a shift in behaviour. There are also always employees who value efficiency over all else, so if they perceive security measures as a barrier to productivity, they will always find shortcuts and workarounds.
Make people part of the solution
Hybrid workplace security needs tools and processes with a short learning curve for all employees so they can be easily adopted and understood as an enabler.
Balancing the human element and technology is critical to securing the hybrid workplace due to its inherent flexibility: employees are shifting constantly between their work and personal lives throughout the day, and that includes the devices they’re working on. Each device, along with the software and operating systems it’s running, now falls under the purview of corporate security.
From a technology perspective, it means technologies such as Identity and Access Management (IAM) tools are more essential than ever, as are robust security protocols and employee training. However, these must be seen as an enabler, not a roadblock to getting things done. The least technologically savvy employee must be able to blend their daily tasks with good security habits without a steep learning curve.
Hybrid workplace security requires the creation of a security-first culture that puts people at its centre by enabling them to improve their workflow while doing their part to keep the business secure.
- July 15, 2021
- Category: Security
As offices move to a mix of remote and office work, hybrid security takes on a new meaning. It’s no longer just about securing public cloud services along with on-premises data centers, but also securing the hybrid office.
While many organizations want to go back to pre-pandemic office occupancy levels, some are looking at easing into the return to work. The hybrid office will see fewer workers on-site at a time, with employees splitting their time between home and work. Not only do IT teams need to secure remote workers, but they must also be able to secure a workforce that’s even more dynamic. In some ways, every worker is becoming a road warrior that must be kept track of.
Keep tabs on hybrid office traffic
The pandemic brought on a very sudden shift to remote work, but the easy part was every employee was in one place all the time. The hybrid office means workers will be back and forth a lot, and the flow could be uneven and unpredictable, especially if they’re hot desking while on-site.
Hybrid security means you need full visibility and control over all traffic in both your on-premises data center and public cloud platforms, with a clear understanding of who is responsible for security and what the available tools and functions are, but with the added context that many mobile workstations are moving back and forth between two locations. Streamlining applications and platforms, and the tools needed to secure the hybrid office, will help to make these traffic patterns clearer. More dashboards to stare at aren’t better.
Employee cybersecurity training and awareness remains key in the hybrid office era. Most business users are not security experts, but people are a critical factor when securing staff who can work anywhere. You need to have policies and controls to govern access to corporate applications, data and infrastructure while also making it easy for people to do their work, so they don’t try to circumvent hybrid security measures. Again, you want to reduce complexity, while still controlling access.
Hybrid security should take a Zero Trust approach
If you want to fully secure your hybrid office, consider taking a Zero Trust approach to limit user and device access to the applications required to complete work functions.
A Zero Trust architecture assumes everyone is a threat unless they can verify their identity. Requiring employees to do so no matter where they’re working will go a long way to strengthening the security of your hybrid office. Even when employees are in the office (inside the perimeter, so to speak), robust user identification, authentication, authorization, and access permissions remain essential.
In addition to a Zero Trust approach, you need to always think about security in tandem with networking by leveraging SD-WAN, next-generation firewalls, and advanced routing capabilities. When your employees can work everywhere, your networking becomes a key factor in your hybrid security, just as it does in a hybrid cloud or multi-cloud environment.
Think about flexibility and the future
Many workers want the flexibility of the hybrid office, so you need to consider the future of work as part of your overall security strategy.
Connectivity is key to embracing new cloud platforms and supporting workers wherever they want to work, but it must always be paired with security. You should assume the hybrid office is here to stay and that it will guide your cloud, mobility, and security strategies. A managed security service provider can help you architect your business for the future of work and help you to secure the hybrid office at scale as technologies and threats evolve.
- June 17, 2021
- Category: IT infrastructure
The move to remote work was a stark reminder of how legacy IT infrastructure can thwart agility and responsiveness. With hybrid workplaces expected to be the new normal, these issues must be dealt with.
These legacy IT infrastructures can comprise software and systems architectures that have been in place for years or possibly decades. Not only do they make it more difficult to securely support hybrid workplaces, but they can also be a barrier to customer-centric commerce and an organization’s digital transformation efforts.
However, legacy IT infrastructure can be upgraded so you can evolve your platforms to effectively support hybrid workplaces and future proof the organization to meet the challenges of your industry and bolster your security posture.
Legacy IT adds risk to hybrid workplaces
Legacy IT infrastructure is more common in some industries than others, and its impact on the ability to be nimble and flexible in delivering products and services and supporting employees at the office and at home can vary widely.
One example that illustrates this digital divide is in the financial services sector, where young fintech companies can challenge large incumbent financial institutions. They’re embracing a customer-centric, iterative approach to software development and adopting cloud computing and Software-as-a-Service (SaaS) offerings to meet the needs of business users. Regardless of industry, companies embracing these technologies successfully made the sudden shift to remote work at the start of the pandemic and are in a better position to support hybrid workplaces because they are not anchored by legacy IT infrastructures.
These companies have also avoided what is called “technical debt,” which research firm IDC defines as “work left to do.” If an organization accumulates too much of this debt because of budget pressures and deferred technology investment, legacy IT infrastructures can become brittle to the point where it has a significant impact on business operations.
Technical debt is often left undiscovered until the organization looks to implement major changes as part of its digital transformation efforts or respond to a sudden shift such as the move to remote work or hybrid workplaces. Not only is it hard to identify, it’s also hard for IT people to explain the liabilities and consequences of technical debt to business leaders. Even worse, the phenomenon of “bimodal IT,” wherein legacy systems are maintained while modern technologies and development approaches are adopted concurrently, makes technical debt worse because you end up with two different streams of IT. You have one that’s nimble and responsive and one that has legacy IT infrastructure that is difficult to manage and secure.
If organizations want to avoid serious consequences and be able to support hybrid workplaces for the long term, they need a plan to migrate away from legacy IT infrastructures completely and avoid bimodal IT.
Legacy IT infrastructures place a heavy burden on security, which is already a serious challenge in the remote work era. Whether your goal is to embrace digital transformations or support hybrid workplaces, you need to leave legacy IT systems behind.
While it may not be possible to fully eliminate legacy IT infrastructures immediately or completely, a managed cloud services provider can help identify low-hanging fruit, applications and data that can be lifted and shifted to the cloud, and help you build a modern architecture that better secures remote work and supports hybrid workplaces.