GRC Tuesdays: Securing Remote Working in the Digital Age
With multiple benefits for both employers and employees, remote working was already quickly gaining traction, and the current situation further accelerated this trend. To be able to continue operating in geographies where confinement is being enforced, and to enable employees to keep their jobs, many organizations have opted for a remote working approach.
A sustained trend with multiple benefits
This trend started many years ago though, with the emergence of the right technology that allowed employees to access the organizational IT systems from anywhere in the world – as they would if they were within the four walls of the company itself.
It’s also undeniable that this is driven by quantifiable benefits, with estimates that the average business could save $11,000 per remote worker and 65% of respondents claiming that they are more productive in their home office than at a traditional workplace. But it’s not just about productivity or costs: people who work remotely at least once a month are 24% more likely to be happy.
As a result, I can only concur with Jennifer Christie, Head of Human Resources at Twitter, when she stated that “We’ll never probably be the same”, “People who were reticent to work remotely will find that they really thrive that way. Managers who didn’t think they could manage teams that were remote will have a different perspective. I do think we won’t go back”.
But there is also another side to the coin. You may recall that in a previous blog (GRC Tuesdays: Internal Control – From Necessary Evil to Operational Excellence), I had referred to ISO 31000’s definition of risk management where a risk is the effect of uncertainty on objectives, be it positive or negative. Well, there are unfortunately also threats associated with the positive aspects (benefits) of remote working. These will need to be addressed by the organization.
Most organizations are moving some of their employees to a remote workforce. But are they ready?
Going back to statistics, a concerning finding from a study by OpenVPN shows that 90% of IT professionals believe remote workers are not secure. And over 70% think remote staff poses a greater risk than onsite employees. Note that this is a perception, of course, but it still needs to be addressed, especially considering that there has been a 10-fold increase in cyber-attacks in some regions at the moment.
As a result, organizations need to target the root causes of both external threats, to deter cyber-attacks, and the insider threat, to address the concerns of IT professionals that internal actors may pose a significant level of risk to the organization’s IT infrastructure.
Effectively addressing these challenges
1. Managing system accounts and ensuring the correct authorization assignments
By putting in place a sound identity and access management process, companies could more easily manage access to enterprise applications – be it cloud or on-premise – via user role and attribute-based access. Companies could further implement multi-factor authentication to improve security. And to remove the burden of excessive login procedures, simply putting in place single sign-on would help them achieve this objective without additional workload for the employees. Effortless security in a way!
2. Protecting the applications that run your business
A company’s internal systems make an appealing target for hackers as they run business-critical processes and house sensitive corporate information which can be used for cyber espionage, sabotage, or fraud. To prevent data breaches, organizations could monitor business applications for suspicious activities (i.e., anomalies) and attacks. They could also analyze the business transactions themselves for fraudulent or unusual patterns. By correlating insights, companies could take a proactive approach and identify threats early.
3. Addressing data protection and privacy concerns
In some cases, users need to access sensitive data in the course of their daily tasks. To protect these users from unwelcome suspicion, and also to protect the organization’s crown jewels, companies could implement data masking tools so that unnecessary information is hidden by default but can be revealed on demand. And of course, data logging will help cyber investigations in case a data breach does occur: not only to identify the culprits, but also to understand the scope of the breach and be able to notify impacted parties, and regulators, in a timely manner.
These three processes create an additional security layer for the organization, but this would nevertheless not be to the detriment of the employee. Indeed, these processes would run in the background and not create additional workload for the employee. A win-win situation I believe since all parties would feel better protected.
Finally, I’d like to leave you with a quote from SAP’s Chief Security Officer (CSO) which I find extremely relevant as I believe it really represents our mission statement: “SAP is not in the security business, but in the business of securing our customer’s business”.
What about you, has your company changed its security policies and procedures to adapt to recent events? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard