The workplace landscape has changed dramatically and irrevocably since the advent of COVID-19. Working from home, initially viewed as a temporary measure, has become a more established practice, with both employees and companies now appreciating the benefits of a new workforce model strategy.
With organizations shifting from a short-term, tactical crisis response to long-term strategic planning for this new environment, it’s time to examine its long-term implications for the business, particularly around cyber security.
The remote work wave has led to more widespread use of personal devices and unsecured networks that can open new avenues for adversaries to access sensitive corporate data. Although many companies feel confident in their protection from online attacks, this could well be a false confidence, as it’s easy to make errors or omissions when rushing to implement new processes and technologies.
We sponsored a report by Harvard Business Analytic Services to examine how — and how effectively — companies have responded to the latest security challenges, with special attention to remote work, accelerated digital transformation and increasing online attacks. Some key findings in the report included:
- 86 percent of respondents said their employees’ ability to work from home had expanded, 80 percent said their collection and use of data had expanded, and 83 percent said the pace of digital transformation increased during the pandemic
- Only 43 percent of respondents felt their organizations are well protected against online attacks
- 78 percent of companies either initially or eventually tightened security for remote work
- Only 34 percent of organizations assess risk and build in new security measures every time or nearly every time they undertake initiatives to expand collection and use of data
- The top security concerns around remote work were email scams, malware and viruses, unsecure Wi-Fi networks and personal device use for work
- 81 percent of respondents expected to have more ability to work from home in the future
Validate your remote work security programs
Given that virtual-first and hybrid work models are here to stay for many organizations, it’s important for companies to reassess the security measures they’ve implemented for modern workplace solutions and remote work, making sure they haven’t overlooked key vulnerabilities or inadvertently introduced new attack vectors.
Organizations should consider validating their security postures through penetration testing and Red Team exercises simulating a cyber attack. They may also want to conduct a comprehensive cybersecurity review to ensure they have proper governance as well as up-to-date policies and technologies to secure access and devices, protect user identities, protect against ransomware, provide 24x7 monitoring and management, and protect data.
Data protection is key
Beyond adapting and hardening defenses, companies need to adopt new ways of thinking about security. In working to help large organizations around the world secure their data and infrastructures, DXC has identified key practices and policies for companies looking to successfully shift to the work-from-anywhere model.
An important paradigm shift for organizations is to move from building security around a traditional network infrastructure to protecting the data itself. As security perimeters become more fluid and data is accessed by numerous means and devices in modern workplace scenarios, it’s no longer sufficient to rely on hard corporate network perimeters, protected VPNs and trusted corporate devices.
Security models such as Zero Trust allow organizations to adopt a perimeterless approach, in which devices are not trusted by default, even if connected to the network and previously verified. Zero Trust involves a more granular approach to managing user identities and access to data, with multiple levels of context-based verification that combine device identity, user authentication and other factors to allow access to applications and services.
As Zero Trust has matured, standards have been created to help companies apply its principles. IT organizations can take a gradual approach to applying Zero Trust, applying security controls in a use-case-driven fashion, rather than trying to shift their entire security strategy all at once.
It’s also key for organizations to build security into new technologies and processes they implement for enabling remote work and digitalization, rather than treating it as an afterthought. And, in this era of complex IT estates, they should identify where their most critical data assets reside, as well as key interconnections and dependencies that come into play with remote work.
Balance security and usability
When adapting their security approaches, organizations are also concerned with their impact on user productivity and convenience. Security and usability are often thought of as opposing goals, but this doesn’t have to be the case. Many modern software platforms provide for seamless integration of identity management and data security controls both in cloud and on-premise environments. In addition, modern device management platforms embed security in much the same way: users can log onto their laptops using a password or biometric identifiers such as fingerprints, enabling them to switch easily between devices. By using these native capabilities rather than adding complexity with numerous add-on tools, organizations can keep simpler security architectures.
Look at the larger picture
Companies implemented new collaboration and productivity tools at the onset of COVID-19 just to keep the business going. Now it’s time to look at whether they’re using the most efficient, safe and cost-effective methods of collaboration for their users. For example, an organization with a full Microsoft license may be paying for an add-on collaboration platform such as Zoom when it could be using the built-in Teams capability for videoconferencing. Often this issue can be addressed through process change in the organization, such as mandating the use of the existing workplace platform components rather than alternatives providing the same functionality, or purchasing an expanded license to gain those integrated capabilities.
On a broader scale, companies need to evolve to a workplace model that is highly integrated, automated, seamless and personalized, and that makes use of native capabilities for collaboration and security. A balance of security and user productivity is best achieved through a centralized, modern workplace platform that combines security and IT functionality while bringing together the disparate services and data employees need to do their jobs. Remote workers expect to be as productive and secure as their onsite colleagues, and employees everywhere need to work together effectively in a hybrid model.
When considered within the context of an overall workplace strategy, this will yield a modern workplace that will ensure employees can work seamlessly and securely on any device, anytime, anywhere.
About the author
David Langlands is vice president of Security Product Management at DXC Technology responsible for global offering strategy. He has spent the last 14 years guiding security practices worldwide in addressing security threats through the application of leading technologies. Previously he was a partner in IBM’s security services business and global leader of cloud and infrastructure security.