5 Ways to Evolve your Remote Working Cyber Security Strategy
Traditionally, a business may have had some sort of split between remote workers and office-based workers, biased towards office workers. This meant an IT Director could create a policy based on a small number of recognised (and hopefully configured) devices connecting back into an environment to do work, access data and carry on with day-to-day tasks, and only had to worry about securing and monitoring a handful of remote working devices.
But since early 2020, thanks to the global COVID-19 pandemic, the scales have tipped the other way. Your data, your devices and your users are now dispersed. Users may have had to quickly access things from a personal device, new security concerns have arisen over where and how data is now being accessed and by whom, and the security risk posed by a poorly managed mobile fleet has never been greater.
Business continuity plans quickly became business as usual, and with numerous employees and businesses indicating a wish to retain remote working as the new normal, I’ve compiled some key areas I feel businesses should consider to help evolve their strategies so they remain fit for purpose.
1. Devices – It was likely during lockdown that either your IT team couldn’t get their hands on new devices in a scalable, cost-effective way, or users had already shown either a preference for or productivity with their own devices. Either way, it’s likely that your data is now being accessed through new devices.
So one key thing you can do to evolve your strategy in this area is to consider implementing things like Conditional Access, which strikes a balance between user experience and security. Conditional Access can, for example, allow a BYOD user to access and modify data from a device of their choosing, but not to download it.
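As an illustration of that BYOD balance, here is an added example (not from the original article or from Microsoft) that creates two report-only Conditional Access policies with the Microsoft Graph PowerShell SDK. The display names and the emergency-access group ID are placeholders chosen for the example.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell SDK and an admin allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder (assumption): object ID of a group holding emergency-access accounts.
$breakGlassGroupId = '<emergency-access-group-object-id>'

$users = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
$apps  = @{ includeApplications = @('Office365') }

# Policy 1: browser sessions carry app-enforced restrictions, so SharePoint
# Online and Exchange Online can offer unmanaged devices web-only access.
$browserPolicy = @{
    displayName     = 'EXAMPLE - Browser: app-enforced restrictions'
    state           = 'enabledForReportingButNotEnforced'   # report-only first
    conditions      = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

# Policy 2: desktop and mobile clients (which sync and store data locally)
# require a compliant or hybrid-joined device.
$clientPolicy = @{
    displayName   = 'EXAMPLE - Apps: require managed device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $users
        applications   = $apps
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

foreach ($policy in $browserPolicy, $clientPolicy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object Id, DisplayName, State
}
```

The download block itself is applied by the service, so in SharePoint Online the unmanaged-devices access control also has to be set to allow limited, web-only access. Switch `state` to `enabled` only after the report-only sign-in results match what you expect.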
2. Short-term planning vs long-term strategizing – There are many risks in making a quick policy change to allow remote working for the first time. We’ve seen on many occasions, as users rushed to get things moving again, that IT teams either opened too much up too quickly, potentially exposing security risks, or tied too many things down in response and created a poor user experience, leading to shadow IT. So a balance needs to be found, based on your own specific security needs and on how sustainable your solution to COVID-19 was.
So when it comes to forward-thinking for the next 60, 90 or more days, a considered approach should focus on things like ‘what’s currently in place that can either be upgraded, rolled out wider or upskilled?’. In many cases in the Microsoft environment, we have been able to save time and money for customers by configuring things already present but either unused or undiscovered in their license bundle.
3. User Preference vs Company Needs – In March 2020, Microsoft reported that in a single day over 2.7 billion minutes of Teams voice calls took place – that’s over 80 years of talk time in one day on a single platform. For many of these companies, Teams was likely a tool that was in place for certain projects or groups and then was suddenly rolled out to all.
Efficiencies and new ways of working are always uncovered when unified communication tools like Teams, Slack or Zoom are rolled out. It looks like those tools are here to stay, so it’s best to think ‘how do we facilitate and keep this going rather than turn it off at the end, because users will likely prefer this’. Thinking in terms of a short-term solution is also a potential issue for security planning as it suggests we know a date when things may go back to the ‘old normal’, which is looking increasingly unlikely as businesses and staff realise the benefits of remote or hybrid working.
4. Reconsidering your BC/DR Plan to be BAU – the pandemic forced many businesses to reframe their business as usual plans, with many adopting the strategies outlined in their business continuity/disaster recovery plans. Some companies may have had remote working tools shelved for a ‘just in case’ scenario like this, and the pandemic provided a chance to not only see if they were up to the job, but to make ongoing changes and tweaks to those disaster recovery plans to account for the volume of employees working remotely.
You would never normally get the time to do this sort of testing. One thing I would recommend that people keep in mind is that, although the vaccine rollout has been successful and infection rates are being held relatively steady, remote working is here to stay. This means that your stopgap solution has to be audited and examined to find out whether it is robust enough to handle sudden spikes, flexible enough to be scaled up or down, and able to be kept in place moving forward due to user preference.
5. Your perimeter has shifted – we’ve been working in this field for quite some time and if there’s one salient point we like to impress upon people when it comes to mobile working it’s that your perimeter is no longer your office firewall. Your data perimeter is now the device itself – if a device can access your data behind your corporate firewall, and it’s outside of that firewall, then your old traditional security methods are less effective against attacks.
So consider where your data now sits. You may now have hundreds of micro offices posing a threat to your data. As part of a security audit, it is regular practice to assess and audit the environment certain devices and data are stored in – businesses now need to start factoring an employee’s home security into a security audit.