David Steele, MD of SecuriCentrix and a principal security consultant, says there’s nothing personal in adopting security solutions for scattered staff.
Overnight, companies were forced to open their workforce to a distributed model, as Covid shook the world.
From localized access to systems and networks, employees were suddenly accessing everything remotely through the cloud on a range of devices – sometimes personal ones.
In the process, organizations opened themselves up to greater risks, as cybercriminals opportunistically took advantage of the situation.
Many companies geared themselves up quickly, but it’s an ongoing battle as threats become more and more sophisticated: attackers use employees to obtain the access credentials they need, or use them to reach data directly through the covert installation of malware, for example.
According to a McKinsey survey from March 2022, companies are accelerating their adoption of cloud technologies.
The range of benefits is immense – from creating a more flexible infrastructure to getting digital products to market faster. But the risk to data is greater, without a doubt. The report says that 36% of companies accelerated their move to the cloud during the pandemic, and 86% of them expect to continue the trend post-pandemic.
Staff training is essential to mitigate cybersecurity risk
Unfortunately, staff will always be the biggest target of cyber-criminals.
Humans are much easier to manipulate than computers because we’re emotionally driven. And even if we are sharp when it comes to IT security, there’s still the possibility that we’ll inadvertently click something in our hurried and distracted busyness.
Security training is therefore critical to keeping the business safe.
This should be ongoing, as the threats change and evolve with constant new variants on the prowl.
From good password practices and being able to spot a fake email, to handling a data breach when it happens, staff should be taught to be constantly on the lookout. It’s also a good idea to run simulations or provide real-life examples rather than purely theoretical approaches. This is something that really needs regular attention.
Have a VPN
A Virtual Private Network acts as a buffer between the end user and the network, by extending a secure private network across a public one via tunnelling protocols.
Access to infrastructure through a VPN is seamless, and it allows for secure remote access, increases functionality and security and makes management of the network easier.
Users will be able to access the organization’s network resources from home or over a public Wi-Fi point. In both of those examples, the company’s IT security team has no control over the security, accessibility or setup of the local network, but a VPN removes the dependence on that local network by carrying the traffic inside its own encrypted tunnel.
This reduces the risk of an attack and allows staff to safely work in a distributed geography.
Control users’ access
Not all users need access to all systems.
Role-based access control (or RBAC) means that if a hacker does get into the network through a user’s credentials, the damage they can do is limited to what that user’s role permits.
Every single member of staff – from CEO to admin – should be subject to RBAC, even the network teams.
You don’t want one person to end up as the company’s point of failure. Temporary access with expiring credentials can be granted to users should they need access to systems outside of their usual sphere.
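To make the RBAC and expiring-access idea concrete, here is a small Python model added for this article; it is not SecuriCentrix’s or the author’s code. The role table, the user names, the approver and the eight-hour policy cap are constructed assumptions, and the clock is fixed so the example is deterministic. It shows the two properties the section asks for: a compromised account’s reach is bounded by its role, and out-of-role access is time-boxed and disappears on its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role-to-permission table for the example (not from the article).
ROLE_PERMISSIONS = {
    "employee": {"wiki:read", "mail:send"},
    "finance": {"ledger:read", "ledger:write"},
    "network-admin": {"firewall:read", "firewall:write"},
}

# Fixed reference clock so the example is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

# Assumed policy: no temporary grant may last longer than a working day.
MAX_TEMP_TTL = timedelta(hours=8)


def at(hours):
    """Return the point in time `hours` after T0 (helper for the demo)."""
    return T0 + timedelta(hours=hours)


@dataclass
class TemporaryGrant:
    permission: str
    expires_at: datetime
    approved_by: str  # who signed off; kept for the audit trail


@dataclass
class User:
    name: str
    roles: set
    temp_grants: list = field(default_factory=list)


def effective_permissions(user, now):
    """Everything the account can exercise right now: permissions of its
    roles plus any temporary grant that has not yet expired. This set is
    the blast radius if the account's credentials are stolen."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    perms |= {g.permission for g in user.temp_grants if now < g.expires_at}
    return perms


def is_allowed(user, permission, now):
    """Single enforcement point: every access decision goes through here."""
    return permission in effective_permissions(user, now)


def grant_temporary(user, permission, approved_by, now, ttl=timedelta(hours=4)):
    """Time-box access outside the user's usual sphere. The TTL is capped so
    a 'temporary' grant can never quietly become permanent."""
    if ttl > MAX_TEMP_TTL:
        raise ValueError("temporary grant exceeds policy maximum")
    user.temp_grants.append(TemporaryGrant(permission, now + ttl, approved_by))


def prune_expired(user, now):
    """Housekeeping: drop expired grants and report how many were removed."""
    before = len(user.temp_grants)
    user.temp_grants = [g for g in user.temp_grants if now < g.expires_at]
    return before - len(user.temp_grants)


def demo():
    """Walk an ordinary employee through a temporary firewall-change task."""
    alice = User("alice", {"employee"})
    results = {}
    results["default_fw"] = is_allowed(alice, "firewall:write", at(0))
    grant_temporary(alice, "firewall:write", approved_by="bob", now=at(0))
    results["during_grant"] = is_allowed(alice, "firewall:write", at(1))
    results["after_expiry"] = is_allowed(alice, "firewall:write", at(5))
    # Once the grant lapses, a stolen credential is back to the base role.
    results["blast_radius"] = effective_permissions(alice, at(5))
    results["pruned"] = prune_expired(alice, at(5))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the decision is made by the clock, not by someone remembering to revoke the grant; a production system would additionally log each grant and each denied request so the monitoring team described later can see them.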
Monitor that network constantly
With a workforce in one location, it’s relatively easy to monitor the network.
But with employees based all over the show, it becomes a little more complex, with monitoring having to spread across all of those points.
An enhanced security program is therefore a must.
Monitoring allows for a proactive response rather than a reactive one, which, with a distributed workforce, is more complicated. Communicating with staff when they’re all onsite is much easier than when they’re dotted about on a range of devices.
So ideally, you want someone watching that network every hour of every day to ensure immediate and proactive action can be taken in the case of a data breach.
Many organizations use a managed security solutions provider to monitor their network.
Physical security
While staff members are in the office, maintaining physical security is relatively easy.
However, an organization cannot control the security measures in place at their employees’ homes, for example.
It’s important to educate staff on the importance of keeping their device safe.
Leaving laptops unattended in a coffee shop, or even having a work screen open in a public place, creates opportunities for data thieves. Privacy screens, cable locks and the habit of locking screens should be incorporated into staff security training.
In case of policies
A Disaster Recovery (DR) strategy, including a protocol in case of a data breach, is critical.
It helps for all stakeholders to know their role in an emergency to ensure the least damage is incurred. Backups should form part of this strategy, to get everything back up and running as soon as possible and to minimize damage.
A DR strategy would have a large IT component, but it may also cover natural disaster events, if you’re in an area prone to them.
Keep work for work and private for private
While not always possible, ideally, employees should have separate devices for work.
Allowing the use of personal devices for work can place an organization at risk – you don’t want users accessing company resources through their own devices.
However, it’s not always possible to provide devices, in which case, it’s key to have a good mobile device management plan in place and to focus on user training.
This would involve the ability to remotely wipe a device clean of all data in case it’s stolen or lost.
Remote work opportunities come with many advantages, for both the employer and employee.
But they come with added cybersecurity risks too.
Be aware of these and proactively respond accordingly.