Prior to the Covid pandemic, employees would access data from within the office environment through a secure, centralised on-premises network.
By Ian Engelbrecht, system engineering manager at Veeam Africa
As remote and hybrid work became the norm, the attack surface increased with many local workers using their personal devices to remain operational, especially during the hard lockdown period. Companies simply did not have the time or resources to equip every information worker with secure laptops and smartphones at the time.
While larger organisations tend to enforce multi-factor authentication to keep their company laptops and mobile devices secure, not all companies employ complex security measures to this extent. The security risks can be further exacerbated by the fact that different organisations prefer different virtual meeting platforms or data storage facilities, and in the case of dealing with clients, many employees need to have multiple applications on their device to accommodate their clients’ selected programmes.
Even company departments and processes that were previously completely isolated on the corporate network have had to be made accessible to remote workers. Take payroll as an example. These functions must now be available to HR personnel working from different geographic locations. Companies must now consider the security implications of having this data shared across different networks. Unless appropriate systems and processes are in place to secure and protect data, cybercriminals can potentially access this sensitive data and hold it to ransom, and should attackers encrypt this data, companies will be unable to pay employees on time significantly disrupting the business in the process.
Organisations have policies in place to protect data on company-owned devices. However, they expose themselves to significant risk if employees save corporate data to their personal devices. Typically, people would do this to remain operational when load shedding occurs, or internet connectivity goes down. However, it contributes to the data sprawl that significantly adds to business risk. If an employee’s laptop is lost or stolen, a company has no idea what data was saved on that device as there is no longer a central repository of where all business information is kept.
With more people working remotely, cyberthreats have increased over the past two years. According to the Veeam Data Protection Trends Report 2022, rising ransomware and other cyber threat activity have seen 97% of companies in South Africa suffering at the hands of a cyberattack in the past 12 months. Even more concerning, 31% of those businesses were unable to recover their lost data. An organisation must practice good security hygiene and develop policies to keep employees informed and educated on the risks they face as well as what constitutes best practice when it comes to data management.
The corporate network now extends to employees’ homes and in some cases, their personal devices. This means the network must contend with people’s personal routers and all the devices connected to those routers. If employees therefore do not secure their Wi-Fi networks or patch all the endpoints connected to the router, the risks to the network are clear. Even though many companies are using secure virtual private networks for their staff to use, there are still some organisations who do not have that in place.
One of the best ways companies can manage this is through a Modern Data Protection strategy that enables them to own their data on any infrastructure — cloud, virtual, physical, SaaS and Kubernetes – follows the 3-2-1-1-0 rule. This requires an organisation to maintain at least three copies of its data, on two different media, with at least one copy stored at an offsite location, one copy offline, and all backups being verified containing zero errors.
To mitigate against the threat of this happening, companies must introduce and enforce policies designed to keep their data environment safe. This requires educating and then continually testing users and ensuring they take the necessary steps to secure themselves and vital business data, such as attending security training sessions and regularly reviewing security information supplied to them. Think of it as enhancing Modern Data Protection solutions with the creation of a human firewall.
Fortunately, it is a low-cost exercise to raise employee awareness and introduce this level of resilience into the business. If one considers that every crime is one of opportunity and often exploiting weak points including employee ignorance, a significant amount of data breaches are avoided when people are better trained.
The pandemic saw many businesses rushing to make remote work a reality not considering the security and data gaps that this would create. Furthermore, the hybrid work environment has contributed to the growth of Shadow IT inside the company. Shadow IT refers to devices, software, and services that sit outside the ownership or control of IT departments. For example, departmental leaders who circumvent the IT department to purchase point solutions or remote workers needing to share data with each other, but who improvise if the organisation does not already have solutions for them to do this. Employees may start using – often free and usually less secure – consumer solutions to upload sensitive company data. Not only does this become chaotic to manage, but it also adds to the data sprawl and increases the risk for systems and business compromise.
Left unchecked or ungoverned, this contributes to data chaos where business and technology leaders do not know where their data is stored, whether it is secure, or if it even falls under the protection of corporate security systems.
There is no silver bullet when it comes to protecting against cyberthreats and businesses have seen the full force of its impact in recent years. Cybercriminals are well versed in exploiting weaknesses in IT systems. It only takes one hole to sink a ship, and one vulnerable entry-point can expose the business to crippling cyberattacks.
South Africa is not unique in this regard. Companies around the world are trying to get to grips with this issue. For some, it is tightening up their security policies and procedures for all workers, no matter where they are. For others, it is the call to get remote employees to return to the office to better control IT matters to minimise the threat of data sprawl and associated chaos. However, many people are resistant to return to the way things were, preferring hybrid work and the benefits of less time spent in traffic, saving costs on fuel, or citing environmental benefits.
There is no turning back for companies, the pandemic accelerated the digital transformation plans of many organisations and the business landscape shifted for everyone. The wider world is adopting hybrid ways of approaching things, so organisations need to embrace a hybrid environment too. Whether operating across Cloud, Virtual, Physical, SaaS and Kubernetes environments, companies must be confident their people, apps and data are protected from ransomware, disaster and harmful actors, and are always available for their customers. This requires them to adjust their data backup, recovery and management where needed to achieve the Modern Data Protection needed to defend them against the continued threat of compromise.