Cybersecurity strategies for the hybrid workplace
As cybersecurity professionals, it’s important to recognize that the relationship between the shape of a business and the shape of the technology that supports it is a two-way street.
Specific business needs trigger the establishment and expansion of systems to meet them. For example, a separate data storage space for the finance team. For this type of solution, the infrastructure reshapes the functionality it supports, such as enabling flexible working arrangements due to secure remote infrastructure architectures, where previously confidentiality requirements would have necessitated in-office work.
That relationship is particularly important to highlight, as it explains some of the specific challenges that CISOs now face as remote and hybrid working become a long-term norm. Through the disruptions of the pandemic, many CISOs and other cybersecurity professionals may have held out hope that the building blocks for a secure stance in this new reality are already in place and well-tested.
Multifactor authentication, for example, adds a defensive layer to data protection, and enabled identity verification on users’ personal devices in a way which somewhat levelled the security playing field between in-office and at-home working.
Zero trust security methodologies emerged in response to rapidly diversifying network architectures and the frictions that can be created by silo and perimeter approaches. Zero trust’s more flexible, always-on approach is particularly applicable in a new reality where network administrators cannot reliably predict when or from where any given resource will be accessed.
In other words, while the pandemic certainly had a decisive impact on the shape of an organization, those changes were prefigured, and partly already underway. Which makes it perhaps surprising to learn, as NTT found in our most recent Global Workplace Report, that 81% of IT leaders report having more trouble spotting risks from remote employees. Likewise, just half of organizations strongly agree that their current cybersecurity controls are effective for distributed workplaces.
Does that mean advancements in cybersecurity technologies are not suitable in the new workplace reality after all? Or perhaps that these technologies still haven’t seen the whole-hearted adoption needed to manage these new challenges?
A new focus: the human element of cybersecurity
While there may be a grain of truth in these responses, I think that the best place to start in improving the situation involves refocusing on the human element of cybersecurity. Technology and the business culture it supports, after all, are in a two-way relationship, and a shock on the employee experience side will need to be addressed on the technological side.
Today, IT teams and the users who rely on them exist at a greater distance from one another than ever. Without the watchful (technological and human) eye that comes from physical proximity to IT professionals, users are more liable to develop insecure behaviors.
At the same time, CISOs need to be more acutely aware of the user experience they are establishing: repeated, intrusive authentication may help protect data, but at the cost of ease and productivity. Secure but unhappy users are no more beneficial to a business than vulnerable systems.
Proactive cybersecurity requires continual, relevant training
What all of this points to is the need for effective, impactful security training. Particularly as norms around how and where we use data change, it’s important to establish best practice which lines up with the organization’s technological cybersecurity posture.
Specifically, training efforts should go beyond the well-worn paths of password policies and phishing identification. A shared company-wide concept of cybersecurity which rests on pillars of visibility, identity, authentication and authorization, gives employees a mental framework for understanding risk, rather than simply mandating certain behaviors without explaining why.
Similarly, while any large organization will now have established cybersecurity training schemes, CISOs shouldn’t assume that the true outcomes of these programs are the same as the apparent outcomes. The ground truth of the situation can often be quite different from training scores. Taking independent paths to understanding how staff behave, including measuring incident rates and conducting user testing and research programs, will indicate real-life behaviors and highlight actual risks.
Ultimately, as the knowledge and skills of the employee base are raised, the tools we now have available to manage and secure distributed working environments will only become more effective. The CISO’s remit has to be to see both sides of this coin.