The New Security Demands Of A Hybrid Work Environment
As Gartner, Inc. recommended in a hybrid work report for CIOs, organizations should "address issues around the integrity of data, security, technical capacity and capability, and business outcomes by reviewing employee behavior." Security is always a priority, but remote and hybrid work environments continue to introduce new challenges and complexities that most organizations have yet to reconcile.
Traditionally, access to corporate networks tended to be more controlled. Team members were either "in" the office and thus secured via local and network credentials or "VPN'd" into the corporate office. In both instances, they accessed data through corporate-controlled mechanisms. This is no longer the case.
Data access points are expanding
The remote wave driven by Covid-19 highlighted the momentum of two major technology shifts:
1. A reinvigorated focus on transitioning to the cloud, accompanied by decentralized applications and data.
2. The need for remote access, and the associated desire to eliminate corporate data stores and VPN-controlled access in favor of zero-trust network access.
The urgency of digital transformation initiatives to accommodate new work models compounds the security challenges associated with enabling them. As organizations make sensitive data available to distributed employees, they need to consider how they will secure it in parallel, not as an afterthought.
At the core of the challenge is that more devices and networks are vying for corporate and client data access. Most are appropriate and welcome — remote employees tapping into data they need is one example. IoT sensors and applications deployed to measure the usage and efficiency of office space are another.
Both developments pose a unique risk by inadvertently allowing a back door to data access. Given the urgency to leverage these tools and their associated data risk, it's no surprise that cyber threats only trail the pandemic and health crises as a top CEO concern in 2021, leapfrogging over-regulation, trade conflicts and an uncertain economic outlook since the same survey was done in 2020.
Understand where security risks come from
Given all the change and range of endpoints with potential access to private data, it's important to start addressing the problem by defining risks in four key areas:
• Operational risks. From network shutdown via ransomware attacks to SLA breaches to distributed denial of service (DDoS) attacks, these security risks prevent the business from fulfilling a contractual or implied service obligation.
• Compliance and data privacy risks. Lawsuits from customers, clients and/or government agencies are a legitimate concern. There are strict regulations in place, such as GDPR and CCPA, that put the onus on the business to protect customer data from malevolent actors outside — and within — the company. In addition, most business contracts include breach and data risk clauses.
• Brand reputation risks. Big data breaches can erode hard-earned trust with customers, partners, prospects and other stakeholders. However, companies tend to survive most data breaches unless negligence, corruption and/or compromised data is revealed.
• Employee risks. Employees who see negligence and poor practices are less likely to stick around. Further, there is a fine line between monitoring employee activity for security issues and becoming too "Big Brother," which carries its own retention risks.
Once a framework exists for identifying potential weaknesses and their ramifications, plans to limit risk and contain access can be put in place. Without the framework, it is nearly impossible to be proactive around data security.
Evaluate the security merits of on-premise vs. cloud-based solutions
First, organizations should investigate whether the solutions they rely on to conduct business are conduits for data breaches. The easy answer is to say, "yes, obviously," but it all comes down to risk management. No solution is completely airtight, but does the rise in distributed cloud-based services weaken the security infrastructure of the company as a whole?
Increased exposure to private data through new vectors of attack can trigger a knee-jerk reaction to hunker down. Yet, I don't believe on-premise solutions are more secure than cloud solutions, as the number of in-house or on-premise solutions being run — multiplied by the number of application and system updates mandated — can require a sophisticated maintenance program. Additionally, any gaps or data exposed may leave the company as the sole target for litigation or remediation.
On the other hand, cloud systems — when pursued with a robust information security evaluation model — can migrate the risk to the exposed application. This can mitigate both data security risk and liability risk.
Develop a vendor risk assessment program
The next step requires developing a process for evaluating the current and future security capabilities of a potential vendor. Instead of pouring energy and resources into building secure solutions themselves, organizations can develop sophisticated vendor risk assessment programs that ensure any vendor solution is up to snuff on security.
These programs should prioritize identifying and partnering with vendors that have an established security program. Requirements should include written information security policies along with third-party audits and accreditations, such as ISO 27001 and/or AICPA SOC 2. Similarly, U.S. government agencies rely on certification programs like FedRAMP and NIST, which are continually updated to reflect top-flight security principles. Each one serves as proof that a potential vendor isn't just compliant on day one but remains so into the future.
Vendors should also be asked to show proof of secure policies for their own vendor selections and, where appropriate, active software and source code management. M&A activities, enterprise application procurement and digital transformation initiatives all must fall under the verification processes implemented as part of a cyber-secure workplace. It's a long list, but it's repeatable and critical, and it's much easier than managing each vendor interaction ad hoc.
Trust the process
At the end of the day, functioning effectively and securely in a hybrid work environment all comes down to risk management. The way people work — and by association, the way they interact with business systems and sensitive data — will continue to change. Employees won't be perfectly careful with security. They will use public Wi-Fi, download apps and procrastinate on security updates. However, developing and sticking to a robust process for evaluating systems and solutions can position any organization to mitigate risks and respond quickly to any problem that arises.