Address New Risks Without Adding Complexity

The eldest members of Generation Z are now turning 21, and for the first time we’re about to have four generations working alongside each other in the enterprise. This diverse workforce will bring new cybersecurity challenges, including the need for security teams to deal with widely differing levels of technology skills and experience, as well as a range of attitudes to security. 

Working practices will also continue to evolve in line with employees’ expectations and preferences for more mobile and flexible ways of working. This will lead to enhanced risk. The ‘human’ cybersecurity threat is already well-acknowledged, particularly where data is being moved or accessed outside of the corporate network.

In a survey carried out this year by Apricorn, half of respondents (50%) agreed that their organization expects mobile/remote workers to expose it to the risk of a data breach, while 89 percent of surveyed organizations had experienced a data breach, and human error was still the prevailing cause.

Security teams need a new approach to protecting data in the multi-generation workplace – one which balances control with facilitating working methods that drive agility and keep people engaged. 

Any organization will profit from a better understanding of its employees, including their attitudes and behaviors – and it’s important to avoid making assumptions about these. Recent research from NTT Security found that professionals aged over 30 are more likely to follow cybersecurity best practices than their younger colleagues.

However, designing a security strategy that attempts to address different behaviors and risks with copious models and technologies will only introduce more complexity. 

The best way to strengthen security posture across a diverse workforce is to build a common baseline of awareness, together with an understanding of the best practice steps to follow. This knowledge should be underpinned by appropriate tools and policies. 

Know where you’re weak
A good place to start is to carry out an information audit to gain visibility of the types of data the organization holds and processes, where it flows, who accesses it and why, and what existing security controls are applied to it. From there it’s possible to identify where data may be exposed, and by whom, and work to address the vulnerabilities through a combination of education, policies and technology.

Security is everyone’s business
Educating employees at all levels in good security hygiene will ensure everyone understands the importance of data protection, has the skills to spot potential threats, and recognizes that it’s their responsibility to keep information safe. They should also be trained in the specific risks and legislation that apply to the business, and the consequences of failing to follow procedure. 

Specific and comprehensive policies should be drawn up and shared, setting out clearly the processes employees are expected to follow when they work remotely, for example, or how and when they can use personal devices and tools for business purposes. Wherever possible, policy should be enforced through technology (such as endpoint control solutions) rather than relying on the employee to always “do the right thing”.

Good ongoing communication is vital for keeping employees of all generations engaged. The whole organization should be encouraged to ‘talk security’, sharing ideas and feedback to help cybersecurity teams understand and drive overall business goals.

Protect all endpoints with encryption
There’s no ‘one size fits all’ when it comes to securing the multi-generation enterprise, but encrypting all data – both at rest and on the move – is as near as it’s possible to get. Two thirds of organizations now hardware-encrypt all information as standard – up from just half in 2018, according to Apricorn’s survey.

The use of corporate approved hardware-encrypted storage devices will remove an element of the ‘human risk’ of mobile working entirely. These automatically encrypt all data written to them, without employees needing to make a decision to encrypt. 

A diverse security team  
Assembling a team of professionals who possess a broad range of skillsets and experience is a highly effective way of defending a diverse organization against cyber-threats. The different perspectives they bring, alongside capabilities such as business acumen and communication skills, will create a team that better serves the enterprise. As part of this, CISOs should seek to recruit talent from other departments as well as from outside of their industry.

Workplaces and working models are in constant flux, while technology and the security required to protect it will never stop evolving. Developing a solid foundation of good cybersecurity hygiene will ensure all employees have a consistent basic knowledge of how to safeguard the data they handle. However, the measures implemented, from training programs to BYOD policies, must be reviewed and updated on an ongoing basis. An organization that neglects to do this may well find it has built on a foundation of sand, rather than rock.
