Hybrid working is creating exciting new opportunities for organisations to boost productivity, enhance employee engagement and gain a competitive advantage. But for businesses willing to adapt, there are serious security questions they must first ask of themselves.
“Almost half of businesses (46%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (68%) and large businesses (75%).” Cyber Security Breaches Survey 2020
Among the 46 per cent of businesses that identify breaches or attacks, more are experiencing these issues at least once a week in 2020. As organisations resume their operations, safeguarding employees, assets, data, and reputation will be critical.
But the traditional, network-based security measures that modern businesses trust to keep their systems safe were not designed with flexible working models in mind. Hybrid workers move devices, which could have been compromised, between home and office environments, and this creates new risks.
In the face of this, what risks does your business face as you embrace hybrid working? Which steps should you take to secure your systems and how can Opus help?
To shine a light on the subject and help you to solve these challenges within your own business, we caught up with Stephen Harte, a cyber security specialist and director at Opus.
How hybrid working challenges security
“As you might expect, the biggest security risk faced by hybrid organisations is the individual user being at home, beyond the protection of the corporate network”, Stephen explains. “Most corporate networks are made up of multiple security layers to protect the systems and assets behind them. Without this protection, the user is more exposed. When the whole business is operating this way, the company is more vulnerable.”
Working remotely also distances employees from the direct support of the IT team. As a result, they may be less likely to check in with IT when they receive a suspicious email or other potential cybersecurity threat. As Stephen explains in the following example, because employees have more autonomy, they’re more likely to fall for those kinds of threats.
“I recently became aware of a company whose chief executive was targeted by a phishing campaign. One of the company’s key suppliers had been hacked. Once the hackers were in their supply system, they began sending emails out of the mailboxes. Because the emails came from a trusted source, the board member didn’t suspect them. This type of threat is particularly hard to protect against, and yet it's quite a common scenario.”
The speed at which businesses had to adapt when the UK’s work from home initiatives were announced meant that many of the communication and collaboration solutions they adopted weren’t implemented with security in mind. Now, as we embrace a ‘new normal’ and find the working world changed, many organisations are looking again at how these platforms are being used by their employees and where the security risks lie in order to future-proof them.
“A number of organisations have come to us with this exact challenge”, Stephen reveals. “When the global health crisis reached our shores, they quickly adopted solutions to facilitate remote working and collaboration. Now, their employees are using them to share sensitive corporate information and many businesses have realised that actually, they didn't think about how to properly secure these platforms before they rolled them out.”
And when a remote worker’s device is compromised without their knowledge, the risk to the company increases when that worker next returns to the office. Because of the flexible nature of hybrid work, cyber threats can be ferried, Trojan-Horse style, past the physical office’s defences and plugged directly into the company’s systems.
For modern businesses looking to adopt hybrid working models, the impacts of these changes go beyond reviewing your cyber security measures. In many businesses, the role and function of the IT team itself is changing to better manage the threat.
“The pandemic has accelerated the move to cloud and brought security to the forefront of considerations”, Stephen explains. “As a result, we've seen a noticeable shift in the mindsets of organisations, in particular their IT teams. As recently as two years ago, the IT function’s primary responsibilities were still focused around keeping systems running. Their main concern was making sure that employees across the business could access the systems when they needed to, keeping the lights on and the business operational.”
Now, the environment has changed. Because those systems have moved into the world of cloud, and typically it's now the cloud provider's responsibility to keep those systems running, Stephen is seeing IT teams’ responsibilities shifting more heavily towards data.
“Where is their data? Is it secure? And how are people accessing it? These are the questions business leaders are asking of IT now”, Stephen comments. “As a result, they now need to be able to track where their data is. They need to label it. And crucially, they need to secure it. We're seeing a real shift towards cyber security and information security in terms of the considerations and the role of IT teams in companies we serve.”
As the IT function itself adapts to the need for more secure hybrid working, what steps are these newly appointed Security Managers and Compliance Managers taking to keep their data safe?
How to work safely, wherever your team is based
Skilling up the workforce
“Technology solutions exist to protect against hybrid working security risks, but the most important — and the most effective — resolution is through cyber security training”, Stephen explains.
“We’ve seen a massive demand for this recently, and rightly so, but what many businesses are still learning is that cyber security training isn’t a one-off event. Just as cyber security threats are constantly evolving, so too should the training needed to prevent them. Unless you have access to training content that’s constantly being updated, and you can make refresher training a specific part of your company culture and processes, then you're potentially leaving your organisation open to risk.”
Without the protection of the corporate network to keep remotely operated devices safe, many organisations are turning to endpoint security to protect their systems.
As basic, entry-level protection, every company device should have anti-virus installed. But as cyber threats become more sophisticated, so too must the levels of endpoint security available. Already, Stephen’s seeing artificial intelligence being embedded into anti-virus software to actively monitor behaviours on devices. These kinds of solutions use machine learning to learn a user’s normal habits, so if unusual activity is detected, they can take the appropriate action.
“If a cyber threat does compromise your system, having AI-driven security monitoring is one of your most powerful tools”, Stephen explains. “Much like how your bank might freeze your accounts and call you when it notices unusual activity, these solutions will be able to identify any device on your network that’s exhibiting strange behaviour, even if that behaviour would be invisible to human eyes. It can then flag and potentially quarantine the offending devices to protect the corporate network.”
Other solutions are leveraging the cloud to expand the security layers traditionally used to protect the office network across all the network’s users, wherever they’re working. These Secure Access Service Edge (SASE) solutions replicate the firewall protection that many businesses have relied upon to secure themselves in the office and cloud, then reach out to every endpoint, giving employees the same level of protection when they're working remotely as when they're in the office.
As IT teams adapt to new roles and responsibilities, and security solutions become increasingly complex, some organisations will be wondering where to start. In cases like this, where a skills or knowledge gap could leave your business vulnerable, the quickest and most efficient way to keep your systems safe is to reach out to a specialist partner like Opus.
As more organisations look retrospectively at the systems they’ve implemented over the course of the national lockdown, we’ve seen a growing demand from companies asking us to review their security policies to ensure that best practice rules are put in place.
“To help our customers address their cyber security training needs, we offer an accessible product called Clip Training, which has cyber security training embedded alongside general Microsoft application training”, Stephen explains. “As many of our customers have discovered, it can actually be deployed within the Teams application, making it easy to use by everyone who’s already familiar with the Teams platform. It also enables you to set rules and training tasks for your staff so you can clearly track who’s finished the training and set dates for when it needs to be completed or renewed, for example.”
Amongst the components that often go into our secure endpoint offering, we’re able to layer everything from next-generation anti-virus software with AI and machine learning capabilities right through to the SASE defences we touched upon earlier. As Stephen explains, our customers’ most secure endpoint environments are achieved by layering a variety of different security systems on top of one another.
“We don't consider the best endpoint protection to be a single vendor solution. Cyber security is one area where you don't want to put all of your eggs in one basket. You might invest solely in MS security tools, for example, and they come very highly rated, but supporting them with additional security measures from other vendors will give your system a better chance of stopping a cyber attack, should it ever breach the first line of defence.”
To find out more about adapting to the hybrid working model, download our free guide to the new normal for business during and post COVID-19.