The effects of the Covid-19 pandemic has fast-tracked everyone’s capability to be digitally competent, as organisations accelerate their ability to meet the needs of consumers while also transitioning their employees to working remotely. Remote working is not a new phenomenon, it’s simply the scale of homeworking that is different. (see Flexible working still a huge opportunity for B2B telcos)
In a 2019 survey ‘State of Remote Work’, Buffer found that 84% of respondents stated that their primary remote working location was ‘home’, with the remainder using co-working spaces, coffee shops and other locations. But only a third (31%) stated that all their fellow employees worked from home (assuming no office location was available).
In 2018, an Owl Labs study found that:
- 44% of global companies didn’t allow remote working
- 32% of employees never (or couldn’t) worked remotely
- 16% worked remotely just one day per month
- 13% worked remotely one day a week
- 21% worked remotely more than 1 day per week
- 18% always worked from home.
But while many organisations previously resisted an increase in homeworking, for a wide variety of reasons, they have had no choice but to allow it during the coronavirus crisis. The result has been a giant experiment that exposed many fears and objections to remote working as being unfounded. In fact, the benefits have been shown to be so wide-ranging and significant that many companies have decided to allow everyone who wants to work at home to do so even after the crisis is over.
All of this is set to have a major impact on how businesses are connected and how they protect themselves from cyber criminals. Cyber resilience – the practice of preparing for, responding to, and recovering from cyber-attacks – will need to re-align itself to the new mode of working. Much of the core infrastructure is already in place to do this, as most organisations had already moved to cloud-based security protection to enable mobile workers in the age of perimeterless operation. But now, even more employees will be connecting via home broadband or, when lockdown lifts, via public WiFi connections in coffee houses, libraries, pubs, hotels and so on rather than using approved office-based network connections to core applications.
One option for businesses is to switch home-based employees to an approved provider, although this goes against IT consumerisation trends such as bring-your-own-device, network and application (BYOD, BYON, BYOA). Another option is to use VPNs or other tunnelling applications to minimise the intrusion of unauthorised access to core systems.
Omnisperience believes that consumerisation of IT, combined with business decentralisation, increases the need to focus cybersecurity efforts on protecting the weakest link in the security chain – the user. Unlike security systems or AIs, users get stressed, distracted and bored; they can be influenced by cybercriminals; and they can make mistakes. They also circumvent systems that get in the way of what they want to do. All of this creates ‘Air-Gaps’ that cybercriminals can exploit in order to gain access to data, systems, the wider organisation, as well as that of partners.
The 2020 Verizon Data Breach Investigations Report, highlighted 22% of data breaches are directly caused by simple human errors; while 58% of breaches targeted personal data – almost double the proportion of just a year ago. This is why securing the user is so critical to the new mode of working – something Omnisperience calls User Isolation Protection. (See our recent Omnisperience Green Paper User Isolation Protection)
Many cyber resilience strategies still focus on the macro-level components of the business, with the most fallible parts of the cyber resilience plan unfortunately deemed as ‘any other business’. Such organisations believe that having mobile, endpoint, firewall and other security solutions in place is sufficient; with any exceptions being the fault of the user or the inadequacy of the product to stop the attack.
In a recent article Simon Chassar, Chief Revenue Officer Security Division of NTT Ltd, highlighted the importance of running both offensive and defensive security exercises as “a great way of assessing the business”. He poses three key questions for organisations:
- What data and capabilities are the most important for the business?
- Which systems are involved in supporting this data and capabilities?
- How will the organisation and its customers use the data and services provided?
Omnisperience believes that if cybersecurity strategies are to get both senior management and user buy-in they cannot stand in the way of doing business, or dictate what can and can’t be done. Instead, they must support and enable the business. That is, they must provide unobtrusive protection. We’d therefore add an additional question to those proposed by NTT Ltd: How do we protect our users whatever they are doing, and wherever they are doing it, without this protection being overly intrusive into their day-to-day activities?
Matt Gyde, CEO of NTT Ltd’s Security division has emphasised that it is important that organisations should already have plans in place to ensure their employees are cybersecurity conscious. “Their IT infrastructure should be secure right from the start. In doing so, organisations will reduce their chances of being impacted by risks that can slow down their business,” he said. NTT Ltd call this being ‘secure by design’, with cybersecurity core to an organisation’s overall business strategy. This means implementing inherently secure solutions that provide the latest cyber threat protection required for them to maintain business continuity and minimise disruption.
Gyde recognises that the current crisis brings a new way of working and therefore new risks. In their ‘GTIC Monthly Threat Report’ they urge organisations to step up their efforts to protect people in this remote environment without interrupting business. ‘It’s good practice to provide a refresher on organisational security policies and procedures, especially as they relate to the management of organisational information. This includes proper classification, marking and handling, as well as guidance on good security hygiene and internet habits,’ the report says. NTT Ltd urges organisations to include reminders that non-employees should not have access to organisational information or systems, and emphasises that it is essential that users know how to report outages, system problems, and security issues or incidents.
Ensuring that users of all types are isolated and protected acknowledges that it is these individuals that shape the success of the business. Bill Conner, President and CEO at SonicWall, comments: “What we are seeing is a heroic undertaking by organisations to quickly and efficiently provide security for the unplanned rise in a remote, mobile workforce that will permanently change the way they operate.” He believes these changes will result in “increased pressure to execute and deliver proactive, always-on and data-centric security protection”.
Reflecting the operational reality from SonicWall’s engagements, Spencer Starkey, VP EMEA Channels, has noticed that during this unparalleled event, organisations were forced to quickly expand remote workforces to connect employees and keep critical functions operational, resulting in a distributed IT landscape that demands a perimeterless cybersecurity approach. “Because of the dramatic shift of budgets, resources and operations, these businesses must now properly secure and re-architect massively distributed networks with more modern, cost-effective models designed for the new business normal,” he comments.
Omnisperience believes that User Isolation Protection (UIP) is an essential concept in securing the new normal. Using such an approach means users can only access data that is classified for their role – increasing efficiency and cyber resilience, while minimising exposure if the company is breached. We believe cyber resilience must balance protection from cyber criminals with the need of users to conduct legitimate activities without being encumbered by onerous and intrusive security policies that slow them down.
Phil Allen, VP EMEA at Ping Identity, believes that strong cyber security has to be tied to the identity of the individual that is seeking access. “As corporate boundaries change, shrink and eventually disappear, we encourage organisations to move towards a model of zero trust, where all access to applications and data is explicitly verified, based on the context and the risk of that interaction.” Allen believes that building such a model places the identity of the user at the centre of the security policy and, as such, organisations can make the right decisions regarding access without placing too much reliance on the physical location of the individual. Allen stresses that an ‘identity-centric’ security strategy makes location less relevant and can be a significant enabler for remote working.
As reported in the Verizon DBIR, 70% of the breaches discovered were caused by external actors exploiting compromised credentials, and over 90% of organisations that reported a hack attributed it to web applications. Isolating the user from these harmful exploits removes the pressure on the user to be a security expert. It means they no longer need to know if the link they are clicking is good or bad, because this is curated for them.
Henry Harrison, Co-founder and CSO at Garrison Technology, argues that organisations should not be reliant on the user to maintain the required levels of security awareness. “If you thought it was hard to promote security awareness when everyone was in the office, how much harder is it when people are at home?” he says. “With homeworking, we really have to recognise that phishing training, in particular, is not going to deliver the protection we need, and that we need to start deploying technologies that will protect the enterprise even when our employees have the inevitable inattentive moment and click on that malicious link.”
The change of working mode that has seen a huge increase in remote working and consumers interacting digitally rather than physically has emphasised the requirement for businesses to re-evaluate their cyber resilience and ensure their approach to cybersecurity is more user-centric. The intent of User Isolation Protection is to deliver a win-win scenario of secure digital business along with higher levels of satisfaction from employees who are free to get on with their jobs while also feeling safer.
For further information about UIP’s contribution to cyber resilience, see Ransomware is on the rise – increasing the need for UIP and Data Recovery. Also see our Green Paper ‘Requirements Selection for User Isolation Protection’, which provides insight on how to implement a UIP approach.