As businesses refocus on security (beyond just keeping the lights on) after almost two years of unprecedented and sustained disruption, the question many are asking is: “Is my security fit-for-purpose in the world of hybrid working?”That’s one of the questions we put to business leaders in compiling our recently published Global Workplace Report. Their responses yielded some interesting findings:
- 54.7% of IT leaders say they’ve had to completely rethink their IT security to accommodate new (hybrid) ways of working; another 38.2% say a partial rethink and adjustments are required.
- More than 60% of technology leaders say that cloud computing and cybersecurity are top technology tools underpinning workplace strategy
In understanding why many organizations’ post-pandemic security strategies aren’t going far enough, it’s helpful to revisit the journey that businesses found themselves having to embark on when the pandemic struck.
Government-sanctioned lockdowns across the globe forced organizations to enable and support work-from-home scenarios almost overnight. None had the luxury of time to plan out their remote workplace strategy.
Business continuity and employee productivity were the top priorities. Security, while not altogether an afterthought, was not strategic but ad hoc, to plug immediate security gaps and needs.
Now, many organizations find themselves facing a set of security challenges critical to the success of their hybrid workplace strategy.
First, an expanded digital footprint and more users connecting to the company’s networks, applications and devices from remote locations means the average business’s attack surface has increased exponentially. Detection of threats and vulnerabilities across the dynamic footprint is not straightforward. In fact, 80.7% of IT leaders say it’s more difficult to spot IT security or business risk when employees are working remotely. The ability to respond quickly and effectively across the distributed IT environment is paramount, since it’s not if but when an attack will occur, and your business is more exposed given that the right security is likely not yet in place.
Secondly, with many people still working remotely today, the productivity, collaboration tools and applications being used across the business remain heavily cloud-based. Cloud is a great solution for quick deployment and scalability, but a lack of proper security processes, protocols and management introduces a real risk of compromise.
Furthermore, the devices and locations from which people are accessing these tools add further complexity. Users are now accessing company data from a myriad of devices, both managed and unmanaged, and from a variety of locations. This means that simply securing the traditional perimeter – the corporate network – isn’t enough.
Data protection is also critical. Privacy regulations in every jurisdiction mandate strict control over how personally identifiable information (PII) is being processed. Each organization will also have intellectual property (IP) and sensitive information that must remain protected. And because data is being accessed from outside the corporate walls, there’s a greater risk of data breach.
While businesses grapple with these challenges, cybercriminals continue to exploit areas of weakness and gaps introduced by an expanded and disjointed technology ecosystem and networks that many businesses deployed when the pandemic hit.
In fact, according to our 2021 Global Threat Intelligence Report, cybercriminals have been opportunistic, successfully exploiting vulnerabilities that virtual working has created. In the last year, a large proportion of cyber incidents were directly related to the increase in the virtualization of networks due to an increasingly hybrid workplace. Specifically, remote working ushered in a spike in web and application attacks across all industries, accounting for 67% of all attacks, up from 55% in 2019 and 32% in 2018.
It’s a challenge for security teams to identify threats outside of the traditional security perimeter.
Dust off your security armor
As businesses consider their post-pandemic hybrid workplace strategies, they need to revisit and re-evaluate security from the ground up and assess where they may have unwittingly created gaps in their security armor.
We believe that businesses need a multi-pronged approach to rebuilding and, in some cases, fundamentally re-imagining their enterprise security.
Here are some of the key capabilities you should be exploring:
The zero-trust approach to security was growing in popularity well before the pandemic. But now, given widespread acceptance that hybrid working will become the de facto standard, the relevance and use cases of this model are becoming amplified and better understood.
With this approach, trust is not automatically granted to anything inside or outside a business’s perimeters, and access is granted on a least-privileged basis. People seeking access to devices, applications and data must verify that they are who they claim to be. Meanwhile, access is continually monitored for any unusual activity.
Secure Access Service Edge or SASE is an identity-centric service offer that has evolved through the convergence of Network-as-a-service (WAN, SD-WAN etc.) and Security-as-a-Service (firewall, Secure Web Gateway, etc) offers.
It brings a cloud-based approach to secure connectivity by brokering secure access between users and devices to the service edge and allows access to approved services and applications only. Being cloud-delivered, it’s just as scalable and flexible as other cloud technologies. It also allows for numerous other security capabilities to be more easily deployed, such as Secure Web Gateway, Data Loss Prevention, Remote Browser Isolation and Cloud Access Security Broker (CASB), amongst others – improving the agility of your security posture.
An organization’s security policies set the tone from the top. Policies that may have worked well in the pre-pandemic workplace will need to be addressed to ensure they’re fit-for-purpose and well suited to remote, virtual working arrangements.
Security policies need to be living and breathing documents at the best of times. So, it’s important to periodically revisit, update, and communicate them to people to ensure their continued relevance given the evolution of the threat landscape, new ways of working and regulatory changes.
There are several compliance frameworks that might apply to you (e.g., NIST, HIPPAA, PCD-DSS, GDPR) depending on your industry, and your security policies should take them into account. The policies you put in place must ensure you meet your regulatory and compliance obligations in a world where sensitive data might be dealt with outside the office walls and address what to do should something go wrong.
Secure by design
Finally, as you’re planning your hybrid workplace of the future, make sure that your organization is ‘secure by design’ – which means that security is built-in and not bolted on to your digital programs. In other words, as you’re building out your hybrid workplace of the future, ensure the security team is engaged early and an integral part of your digital transformation to save you cost, time, effort and most importantly, to minimize your risk.
If you’d like to find out more about how NTT can put you on track to building and operating a secure hybrid workplace, speak to your client manager or get in touch.