- October 29, 2021
- Category Security
Security Policy Must Keep in Mind How People Work in the Hybrid Office
If the hybrid workplace is here to stay, then security policy must put people first—understanding how the human element plays a role in protecting data is essential, but so is making sure any security measures don’t get in the way of their productivity.
People can be part of the problem but also part of the solution—cultural changes that go hand in hand with security policy can positively influence employee behaviours to make your hybrid office more secure.
Humans make mistakes
Quite often, people put the organization at risk and violate security policy unintentionally. Privileged users can unknowingly let their credentials get compromised, which allows threat actors to access systems and sensitive data. Although it’s usually an accident, occasionally a disgruntled employee may compromise the organization intentionally.
Human beings also fall for phishing scams, both on their personal devices and corporate workstations; in the hybrid office, these devices can be one and the same. Scams that employ socially engineered malicious messages, including tax-themed phishing, dodgy downloads, fake payment and delivery, and invoice phishing, have become even more common during the pandemic and will likely continue apace in the hybrid office.
Some people are just plain careless, despite security policy guidance, by letting credentials lapse or not using multifactor authentication. Cybersecurity technology isn’t effective on its own without keeping people in mind. Yes, they need to be held accountable, but you must also meet them where they are. The hybrid office means your employees are moving between their work and personal lives more fluidly, including the devices they’re working on—this must be reflected in your security policy.
Remote work is here to stay
Meeting people where they are means your security policy outlines how they can help to keep their organizations secure without getting in the way of their productivity. Your security policy should assume that the hybrid office is here to stay for the foreseeable future and understand the impact of continued remote work.
IT teams must be prepared to support remote workers, who are likely to have less traditional schedules as they embrace flexibility, and adopt collaboration tools to work across different departments, including human resources as they onboard new workers who will be working remotely, on-site or a combination of both. The hybrid office has also meant a shift to “hoteling” as employees come to work a few hours a day or a couple of days a week without their own dedicated workspace.
Remote work always had implications on security policy, even before the pandemic, but there has been an increase in malware incidents, data breaches and other poor security behaviors as more people work from home. Despite this spike, it’s important to keep security simple for employees and engage with them regularly through awareness training so they can help protect their hybrid office from threat actors.
A clear and concise security policy allows employees to be productive no matter where they are working so that security is not a barrier to productivity.
Sanjeev Spolia is CEO of Supra ITS
- July 30, 2021
- Category Security
Hybrid workplace security must account for the human element
The hybrid workplace may be the new normal, but the high number of data breaches due to the pandemic doesn’t have to be. The solution is recognizing that people can be the cause of security incidents but also play a part in preventing them.
The “human element” is involved in as much as 85 percent of all data breaches, according to Verizon’s 2021 Data Breach Investigations Report. That’s actually good news—it means there are cultural changes that can be made to influence employee behaviours that will improve hybrid workplace security.
People still fall prey to scams
There are several areas where security is vulnerable because of how people behave, often without any intent to put cybersecurity and data privacy at risk.
The first is around privilege abuse, according to the Verizon study, wherein users have access to IT systems, data and applications that over time leads to compromised credentials that allow threat actors to access sensitive information. In most cases, the privileged user isn’t intentionally looking to cause their organization harm and the data exposure is accidental. However, a disgruntled employee can cause a lot of damage.
In the meantime, employees still fall for phishing scams, and the number of instances where people fall for these socially engineered malicious messages rose significantly during the pandemic, according to Verizon’s analysis. Examples of these scams include payment/delivery scams, invoice phishing, tax-themed phishing, and downloads. Remote workers are more likely to fall for phishing scams, which makes their prevention especially critical for improving hybrid workplace security.
Many data breaches are accidental, but these accidents shouldn’t be confused with carelessness, which can include credentials that aren’t regularly updated or failure to use multifactor authentication. Cybersecurity technologies only go so far without having a standard of behaviour throughout the organization. Employees must be held accountable—effective hybrid workplace security depends on culture as much as technology.
Meet people where they are
The hybrid workplace solidifies the need for every employee to do their part to foster company-wide security rather than putting the onus on a small group of IT experts to implement and manage cybersecurity technologies. This is where the human element becomes part of the solution, not just the potential cause of data breaches.
While it’s critical that remote workers do their best to secure their home office environment, it can be overwhelming for them. Communication and training go a long way to helping them develop good security habits, as well as streamlining the process as much as possible. It’s also important to remember that in the hybrid workplace not all remote employees are the same. Some are experienced road warriors and power users who innately understand they need to secure their mobile endpoints, while other users have got a tad complacent over the years because they’re always online.
Employees who have traditionally worked in offices and felt comfortable leaving their workstation unsecured for a few minutes may not fully appreciate that hybrid workplace security requires a shift in behaviour. There are also always employees who value efficiency over all else, so if they perceive security measures as a barrier to productivity, they will always find shortcuts and workarounds.
Make people part of the solution
Hybrid workplace security needs tools and processes with a short learning curve for all employees so they can be easily adopted and understood as an enabler.
Balancing the human element and technology is critical to securing the hybrid workplace due to its inherent flexibility—employees are shifting constantly between their work and personal lives throughout the day, and that includes the devices they’re working on. Each device, along with the software and operating systems it’s running, now falls under the purview of corporate security.
From a technology perspective, it means technologies such as Identity and Access Management (IAM) tools are more essential than ever, as are robust security protocols and employee training. However, these must be seen as an enabler, not a roadblock to getting things done. The least technologically savvy employee must be able to blend their daily tasks with good security habits without a steep learning curve.
Hybrid workplace security requires the creation of a security-first culture that puts people at its centre by enabling them to improve their workflow while doing their part to keep the business secure.
- February 11, 2021
- Category open source
Why you need access to open source skills
A significant trend running parallel to cloud adoption has been the increasing use of open source software, and whether your applications and data are on-premise or residing with one of the many cloud service providers, understanding open source technologies is essential.
A fall 2020 survey of 3,440 professional developers and managers conducted by O’Reilly Media and sponsored by IBM found that open source is maintaining and even increasing its influence. It’s become somewhat ubiquitous, with survey respondents expressing strong support for it in general and for specific skills in several open source technologies. For example, a whopping 94 percent view open source as being equal to or better than proprietary software.
This preference extends to their cloud providers, with 70 per cent of respondents saying they prefer one based on open source technologies. Overall, those surveyed associate open source with more job opportunities, more professional opportunities, and higher wages. Linux in particular was highlighted in the survey as being an important technology, with 95 per cent of developers citing it as important to their career, as well as containers and databases. Linux is also highlighted as a critical technology for unifying hybrid cloud environments.
Given that containers and databases are critical enabling technologies in cloud environments, it’s not surprising that open source flavours are popular, especially as they can be spooled up quickly and easily.
Open source powers the cloud
Being able to rapidly and easily spin up computing, network and storage resources is enabling cloud adoption, so it makes sense that open source would ride its coattails, as it appeals to organizations looking to be able to respond nimbly to business requirements without expensive investments in on-site, proprietary technologies that eat up the time of in-house IT staff.
Another benefit of open source noted by the O’Reilly Media survey is vendors and cloud providers can rapidly apply updates, patches and other bug fixes, which improves overall reliability and security, while end users always have the latest and greatest applications on any device, especially mobile ones that use the cloud as their supporting backend. In the meantime, the cloud computing providers are also enjoying the same benefits of not being bogged down with licensing and administrative costs that go along with proprietary technologies.
As already mentioned, Linux is seen as a critical building block for unifying hybrid cloud environments as a common platform, and in turn, innovation in the cloud is contributing to the development of the Linux kernel, which is a collaborative process of millions of developers. Ultimately, open source technologies are what make the cloud possible.
Ensure you have open source expertise on tap
If open source is powering the cloud, and you’re at any stage of embarking on your cloud journey, then you need to think about the open source skills you have on staff as well as ensure your managed service provider is making the same investments.
The O’Reilly Media survey makes it clear that developers and their managers are fiercely loyal to open source technologies, and that other third-party cloud services are increasingly turning to them to solve technical and business problems. In addition, the collaborative nature of open source means there is a constant loop back to improving and evolving open source technologies, particularly the Linux kernel. For businesses this means there are many benefits to being aligned with open source trends and acquiring relevant skills.
For developers and other IT workers, open source represents opportunities for professional advancement and interesting projects; for businesses, it means cost savings and agility because it reduces the potential for vendor lock-in. If you want to realize the competitive advantages of open source, you need access to the right experts and skills, which not only means having those people on staff, but also accessing them through an experienced managed services provider.
Sanjeev Spolia is CEO of Supra ITS
- October 15, 2020
- Category cybersecurity
Cybersecurity Awareness is Everyone’s Responsibility, Especially in the Remote Work Era
The shift to remote work means cybersecurity awareness across your organization is more important than ever for maintaining ongoing business operations and regulatory compliance.
Even before the pandemic, most organizations had become rather porous in nature from a network security perspective thanks to the Bring Your Own Device (BYOD) movement, adoption of cloud computing, distributed locations, and an already increasingly mobile workforce. But while security technology has emerged to keep up with these trends, it’s not a silver bullet. Every employee needs a heightened level of cybersecurity awareness.
Remote work means that how an employee manages their device at their home office can have an impact on the organization’s entire network. Their cybersecurity awareness means understanding their workstation is an endpoint that must be configured properly so as to contribute to the overall security posture of the organization.
Training is critical to maximize cybersecurity awareness amongst your employees, especially remote workers. But it’s easy to lose their attention if training isn’t clear and engaging. If you’re doing regular phishing tests for your employees, try to have a sense of humour with the email content you’re creating as part of the test, for example, but also make sure employees understand the lesson without being made to feel stupid.
Cybersecurity awareness training should be done regularly as part of regular operations, and at least quarterly, rather than being a big annual event, because threats to the organization are ongoing as hackers automate their processes to optimize their chance of success. You should also involve the executive team in your training, so everyone understands that cybersecurity awareness is critical to the success of the business. You might have the CEO do a short video, which is easy to share with remote workers.
The training shouldn’t be solely the responsibility of the security team, either. Lines of business leaders should help to spearhead cybersecurity awareness, and it should be a part of your remote work strategy.
It’s important to remember that cybersecurity awareness isn’t only about protecting against threat actors, malware and ransomware, and malicious data theft. Employees need to understand that good security also helps the organization stay compliant with government privacy legislation and meet regulatory obligations that apply to their industry. Data breaches not only have the potential to cripple business operations and negatively affect customers, but also lead to financial and legal penalties that can profoundly affect the long-term health of the organization.
Most people have adapted to remote work for the past seven months, but because organizations are more distributed than ever, there’s a potential for cybersecurity awareness efforts to lapse, even as bad people around the world continue to take advantage of the new work-from-home reality. Those doing remote work as part of a connected organization must continue to be vigilant about security as part of their daily work habits.
Sanjeev Spolia is CEO of Supra ITS.