Data is a very tricky animal to quantify. The ripples it creates in life go way beyond that initial splash, and the impact it has on other data artefacts are often difficult to predict. The rise in remote working has only served to exacerbate this issue and increased its unpredictability - with more unstructured data being created and stored across increasingly varied and disconnected environments, as well as personal devices to a point where each person is creating 1.7MB of data created every second.
At the same time, the defense perimeter, which previously was contained (for the most part) within the four walls of an office, has now expanded to encompass each of our home offices and even travel destinations. As such, the landscape for potential threats gaining access to our data and its protection requirements has significantly changed.
With no foreseeable move back to full time office working despite a vaccine (anytime soon at least – and a likely hybrid workspace model for many in the future), now is the time to review existing IT security protocols. Many teams were forced to facilitate the move towards remote working quickly, but it is important to evaluate the decisions made and look at the longer term impact, as well as using this as an opportunity to reconsider the protocols that perhaps didn’t quite work from the beginning. New services are being adopted, usually on top of legacy applications, and utilization is being expanded so we must revisit those decisions and apply a critical lens.
What do we Now Know That Can Inform us?
Take nothing for granted – we have the opportunity to rethink what we have always known. The new security perimeter cannot be defended as the old one was. It will require not just bigger and better solutions, but an entire shift in mindset and practice that will need to be re-built from the ground up. Working from home does not inherently increase cybersecurity risks as many commentators have stated. Whether it increases the level of risk an organization faces is really down to what kind of cybersecurity model that organization has been pursuing and the level and sophistication of the security provisions in place to protect it.
The Opportunity
Humanity is fallible and the ‘human factor’ has long been considered one of the primary weakness of cybersecurity, and one which cyber-criminals will repeatedly seek to exploit. A cyber-criminals’ route of entry will usually always involve an employee in some way, whether they are working from home or working from the office. Organizations stuck in the old way of trying to build a fortress perimeter around their corporate network in an attempt to block every breach will have noticed an increased risk from remote workers. If investment is only pumped into network security, then it makes sense that as soon as employees leave the safety of the fortified perimeter, there is an increased risk, but this need not be the case.
One potential solution is to trust no person or “thing” by default. There also needs be a shift towards opting for services with zero-knowledge data transfer and storage, Zero trust processes and least privilege enforcement wherever possible and applicable. To stop modern threats, we need to look beyond the network and pivot towards zero trust. With this kind of security principal in place, the location of the employee makes little difference to the risk profile of the organization.
But, most importantly, it’s time we stopped thinking about our network and infrastructure segmentation as perimeters. We need to start considering the entire stack: from the device being used to the data transfer and even to who is supplying our services and solutions. We need to reaffirm which services we really need to access, and which data. But we need to do this in a way which still enables the organization to operate effectively.
The Benefits
Closing the gates of your network infrastructure regularly and requiring all personnel and suppliers to identify themselves can be an effective way to protect your corporate data and limit risk. It’s also worth acknowledging that being outside the corporate network can be of real benefit to security. For example, when working from home, combined with the move towards cloud services such as Office 365, there’s a more substantial gap between endpoints within an organization, making the rapid proliferation of cyber-attacks across an entire network much more difficult to orchestrate.
There’s no let-up in security measures during this rapidly changing landscape, but organisations shouldn’t necessarily see the rise of remote working as an instant cybersecurity threat. Instead, it should be prompting more conversations about new cybersecurity models and strategies. Those who can turn remote working into an advantage will be in a stronger position to ensure continued security – even in times of disruption.