A central office has typically been most businesses’ default working location, but the role of the office has significantly changed over the last year.
By Quentyn Taylor, director of information security at Canon for Europe, Middle East and Africa
Today, over 90% of organisations say they’ll allow employees to work remotely, at least part of the time, going forward. Changes that were brought about in haste to deal with the pandemic are crystallising into permanent fixtures.
The expectation is that employees will have the freedom to move between multiple working environments and connect to a company’s network from each one.
But this shift to a hybrid working model poses potential security risks for your organisation and employees. Your business’s network perimeter has evolved to not only encompass a core office location, but each employee’s home too. As such, it’s not surprising that companies have reported feeling less confident in the resilience of their security measures, according to NCC Group insight.
With hybrid working here to stay, security professionals need to work quickly to secure a flexible work environment that your business can trust. To do so, they must take a holistic approach.
This means ensuring the business’s security infrastructure is watertight, while at the same time investing in education and training for employees. Only then can you comfortably facilitate collaboration across a distributed workforce, or expect to build resilience against the modern threat landscape.
The modern threat landscape
Organisations need to address the changes we’re seeing to the modern threat landscape amid a shift to hybrid working and assess how they impact our new working reality.
* First of all, employees now communicate and collaborate with each other beyond the periphery of the usual security firewalls, sharing corporate data throughout the working day.
* Secondly, employees are likely to be accessing company servers over public networks, which offers attackers more opportunities to break through. According to NCC Group, 66% of organisations that increased their use of remote working during 2020 saw an increase in phishing and malware attacks. Notably, 39% of all those surveyed reported that accidental, malicious or inadvertent insider threats had increased in the second half of the year.
* Finally, we are seeing an increase in the use of personal IoT devices, such as printers and phones, that are configured with default security settings and used for work alongside company devices, such as laptops. Mobile working and remote system access through trends such as Bring Your Own Device (BYOD) offer great benefits to the productivity of both staff and employers. However, they open up new potential threat vectors and present new challenges in relation to device management. The technology and user policies businesses previously had set up to protect a central office are no longer applicable in a hybrid working setup.
Cyber-attacks have evolved – moving away from trying to infect as many devices as possible, to looking for one weak link through which attackers can hold corporate systems to ransom or steal data.
Now, if one employee is hacked while connected to their home network, the whole system could come down. The digital and cloud-based solutions that have become pivotal to businesses’ operations throughout the pandemic, to maintain collaboration and productivity, have also made businesses more vulnerable.
Making your hybrid workspace safer
Companies have an opportunity now – and buy-in from senior decision makers – to make significant improvements internally. While businesses are never able to completely eradicate risk, there are steps that you can take to build resilience as you prepare for hybrid work.
* First, it’s important to carry out a security assessment of your internal and external IT infrastructure to understand the infrastructure perimeter you actually have, rather than the one you think you have.
* This will reveal the strengths and weaknesses of your security across the board. Only then can you identify security gaps and know which improvements need to occur to secure your network. It’s like securing a home: if one entry point is left vulnerable and an attacker gets in, it doesn’t matter that all of the others were secure. Finding every possible vulnerability is an essential step to securing them.
* Security vulnerability assessments can be carried out at any time: before you introduce new systems or endpoints into the IT infrastructure, or on an ongoing basis. After all, what was secure yesterday may not be secure today. Canon’s Office Health Check service offers businesses a comprehensive assessment of their internal and external IT infrastructure, including recommendations ranked by risk, to help mitigate any potential security vulnerabilities.
Investing in people
One of the most common mistakes that companies make is focusing solely on the technical aspect of cybersecurity. If you were to carry out a network perimeter assessment and invest in the best network security solutions, you might be confident in the resilience of your security measures and go about business as usual.
However, you could still find yourself caught up in a security breach. Why? Because you’ve failed to provide training for your employees. After all, it only takes one errant click on a fraudulent link to open the company up to risk.
Educating and training all employees on the concepts of cybersecurity and how to handle sensitive information correctly is an important element of any security strategy.
As we enter an era of hybrid work, it is important to foster a culture of openness around security breaches and encourage employees to come forward and share their mistakes. Your defence strategy is only effective if breaches are being reported. Firstly, this helps mitigate the damage as issues often snowball if employees hide errors.
If an error is out in the open, it can be fixed. Secondly, breaches can be used to help further education on security, while pooled learnings from attacks can speed up progress in crafting new defences.
The good news is that businesses are willing to invest in upskilling their employees: a recent NCC Group survey found that 36% of decision makers would outsource cyber security awareness training in the next 12 months, while 39% named education of security owners on cyber best practice as the area their organisation would most benefit from.
By taking control of your information, and the necessary steps to educate employees, you can keep one step ahead of cyber-attacks and have the confidence to operate business as usual.