The nature of IT security has changed dramatically over the last decade. As perimeter security tightened, hackers started working on new techniques to gain access, meaning identity came to the fore.
In addition, the changed nature of how we use IT in business has also had a major impact. Take cloud computing, which has had an enormous impact on the consumption of software and services, moving them from the local device to centralised servers.
“As things move to the cloud, a lot of the security focus can be centralised. For example, if Microsoft detects malware in an email on O365, we can immediately block that email across all users of our cloud,” said Des Ryan, director of solutions at Microsoft. “It lowers the amount of security infrastructure that needs to be on the local device.”
Ryan said while some traditional security was still required on devices, the focus was increasingly on understanding a company’s data. The devices can then be subject to access controls.
Particularly pertinent now, as the Covid-19 coronavirus pandemic has seen many workers ordered to work from home, is understanding how the device relates to the data.
“Regardless of where someone is physically, companies need to understand their data. Then classify and segregate the data,” said Ryan.
Microsoft’s research found that 49 per cent of end users who work remotely have used techniques such as emailing documents to themselves to circumvent company security, which they see as an inconvenience.
Such practices leave companies wide open. “That data is now stored on the ISP’s server and on the local device,” Ryan said.
“There’s immediate GDPR exposure, and if that individual was ever to leave the organisation, then you have data outside the company. Even simple things like printing on the home printer can be a problem.”
Ryan said whatever security was put in place needed to be workable. “If it’s overly complicated, then people just decide that it’s easier to work around it,” he said.
Ryan said it was incumbent on all organisations to take security seriously, and to start by training people.
Microsoft’s research found that of 900 end users, 50 per cent had received no security training at all.
“End users are the weak link, that’s why they’re targeted. Human nature being what it is, they take short cuts,” he said.
“After training, you move to the systems: you can do rights management, track who is sending what where, and so on. Lots of people are not taking the time to classify data.
“I think there’s an assumption that Ireland is a small country, so we’re not going to get attacked. However, I can categorically tell you from my interactions with customers that this assumption can be naive.”
Interestingly, Microsoft has found small businesses are among those taking the issue seriously.
“Surprisingly, some of our case study customers are among the smaller businesses. Maybe with bigger companies sometimes there’s a lot of infrastructure outsourcing in place where the provider has less incentive to modernise and step things up,” he said.
Last year, Microsoft found that 22 per cent of Irish end users were still writing down their passwords, while 44 per cent were re-using passwords between personal and business accounts. Some 36 per cent still back up corporate data to a personal device.
This year shows growing concern, with 65 per cent of businesses worried about what their employees expose them to and 49 per cent seeking to increase security spending, a figure that jumped 65 per cent in the public sector.
On the technical side, Ryan said investments should be strategic. “Security is all about identity now,” he said. “Obviously my preference is that people buy Microsoft technology, but regardless they need to invest in some technology.”
Increasingly this means looking towards artificial intelligence (AI) and machine learning (ML).
“Around half of incidents are not even looked at [so] you’ve got to be leveraging AI and ML as much as possible to fill that gap, otherwise you’re vulnerable,” said Ryan.
He said the changed approach to security is what puts Microsoft at the centre of the issue. It not only has the technology, from Active Directory upwards, it also has a 360-degree view of what is going on online.
“Microsoft is perhaps not known as a security company but the reality is, we’re one of the biggest security companies in the world. We’ve an unparalleled view into what is going on in the cyber-world,” he said, pointing to Microsoft’s reach not only in terms of business IT but also networking and the internet as a whole. “When you buy Microsoft Office 365, you’re buying that insight.”
To find out more, download the Amarach report for Microsoft Ireland, titled Securing the Future 2020: The State of Cybersecurity in Ireland; see aka.ms/SecuringtheFuture