For better or worse, remote working has changed the entire landscape for security. Compared with 12 months ago, organisations have had to adapt from fixed perimeters with verified devices to a world where every living space is a vector.
Those who were expecting this to be a short-term adjustment have been left disappointed, and even when it’s safe to return to the office, the many lessons and changes that happened in this period will live on.
Casting his mind back to March 2020, Michael Conway, the director of Renaissance, said that the real challenge for organisations was changing their mindset from a short-term adjustment to long-term reality. For some, this shift has been put off in favour of dealing with the current reality, which could lead to some negative ripple effects.
“If it’s three months, they’ll get through it, but now we’re 12 months in,” he said. “It’s always been a series of [plans] three weeks in or six weeks in, so how you make investments on that?”
“What I don’t think we’ve seen yet are the repercussions, the vulnerabilities, and the attacks out of it. You’ll see compliance challenges and because they almost got pushed to the side to get [the move to remote work] done.”
While the initial focus for organisations was buying accessories such as headsets and microphones to deal with video calls, the main desktop and mobile devices used are personal and can be overlooked.
They need to be protected and secured and the tidying up of a security environment will be the major challenge. There are positive signs, but there’s a long way to go as the lines between personal and work lives get blurred and ensuring that people aren’t straying away from agreed parameters will be key.
“It’s maturing a bit, but there’s still a large amount of work in there,” Conway said. “There are technologies out there that we would sell which do employee monitoring, data leakage monitoring . . . the ability to control what people are using, installing pieces of software. That type of thing is critical.”
What Conway expects to see over the next 24 to 36 months is greater security controls. That means rethinking how our security and privacy controls are set up and this will provide challenges for managed service providers too.
As the number of endpoints has increased, comprehensive, robust security is a necessity that only the largest of companies will be able to meet on their own.
The rest will require managed service providers who will need to show they’re ready for the demands that this will bring.
“If I were to forecast the future, the key areas are the retrofitting of controls and management,” he said. “The managed security providers are going to deliver more like managed detection and response.”
“You’re going to start seeing those key services out there, where somebody is monitoring and managing your devices against any attacks, any issues, any challenges, and 24/7 remediation.”
What will become a necessity for businesses is 24/7 monitoring. Building in the entire security infrastructure to allow your environment to be monitored constantly on your behalf will be the next step for organisations.
The idea that it’s a matter of when rather than if you get hit by an attack is more prevalent than ever, so this monitoring can help detect, remediate and protect your parameters.
“You can’t know what’s coming down the line so someone needs to be in a position to respond,” he said. “If there’s an attack or hack, that response might be patching or shutting your system down. We need the assistance of these people who are doing 24/7 monitoring,” Conway said.
On the bright side, Conway has recently noticed the engagement people have with user awareness and security training. As most people now work from home, checking with another colleague to see if a link is valid or not isn’t as frictionless as it would be in an office.
Instead, it has required a more proactive approach where end users educate themselves further, allowing them to be savvy enough to navigate these problems.
“You can put in protections, but if they click on them, there’s nobody there to say if it looks right or not,” said Conway. “That user awareness training is important as they don’t have that peer learning.”
“People will start putting in place not just productivity controls when they buy into remote working as a hybrid element.”
Ultimately, the security plans of all organisations will need to take into account working from all areas. The move back to the offices will eventually happen, but with hybrid models likely to be popular, giving employees the leeway needed to work anywhere will be crucial.
This won’t suit all roles but, at the very least, businesses should accommodate it as people will have reassessed how they want to lead their lives and security should match this.
“Over the next period, we’ll see that evolution back, but there will be a pressure point as people will say they need the flexibility and agility, and this is the way I want to lead my life,” he said.