As normality slowly returns to working life after 18 months of kitchen table offices and meetings via teleconference, Irish businesses find themselves wondering how to plan for what happens next. Many office-based organisations seem to be taking a hybrid approach, with staff returning to their desks for one or two days a week, while continuing to work from home on the rest.
“This hybrid approach is a very positive move,” said John McCabe, managing director at Damovo for global services and Ireland. “Remote working got many organisations through Covid, but there is a lot to be said for in-person contact and impromptu chats in the canteen.”
Underpinning this, though, will be an IT strategy: the success of a hybrid work model will depend primarily on the availability of secure access to necessary resources at all times, and from any location.
Modern network infrastructures providing continuous, stable connectivity, coupled with cloud-based unified communications applications, will continue to enable flexible and collaborative working. However, this shift to the ‘next normal’ has implications for a company’s security.
McCabe said businesses had done well to keep things going, but a programmatic approach to security, one that took the ‘attack surface’ into account, was now required.
“On the whole, it definitely wasn’t secure, but I think people are aware of that because of the remote working and the amount of hacking going on,” he said.
“The attack surface is all of the different ways you can get into an organisation, and that has expanded massively with how people are working today,” he said.
Indeed, many organisations had to take some shortcuts to rapidly shift to a home-working model – with more focus being put on remote access than on security. These interim solutions, coupled with a more dispersed workforce, an increased number of devices and a shift to the cloud, now present more opportunities than ever for hackers.
McCabe puts this in stark terms: “In fact, cybercrime has now become the third largest economy in the world – behind [only] the US and China. This threat will only continue to grow.”
Organisations now need to examine all of their security procedures, both internally and externally.
“It is not enough to think that you are safe because your network security policies tick the compliance rules boxes,” he said. “Unfortunately, attackers never follow rules. That is why it is important to engage with a partner that can help to identify the real-world limitations to your security procedures [which may have been] overlooked by your compliance initiatives.”
Damovo’s cybersecurity division Lares works with companies, large or small, to validate their security posture through offensive security-focused services such as complex adversarial simulations, network penetration testing, application security assessments, insider threat assessments, incident response and forensics, and vulnerability research.
“Even the most confident of CISOs (chief information security officers) have been surprised at the level of vulnerability that this type of testing has uncovered. The investment in proactive threat testing has significantly reduced their future exposure to security breaches and helped figure out where they need to invest,” he said.
McCabe said a typical response to hybrid working would mean examining all aspects of cybersecurity: from better data back-up to zero-trust, multi-factor authentication and biometrics to name but a few. Complete alignment between data security policies within the office and remote working standards is the goal.
“It is paramount to protect the company’s internal data, and that of its customers. The processes also need to work efficiently: you do not want productivity to be hampered by poor network access, login delays or negative user experience.”
Executed properly, the hybrid workplace opens up all kinds of new opportunities for companies and their staff, said McCabe, but it may also cause more headaches if not well thought out and executed.
For example, frustration encourages employees to find ways around security settings, which will cause even greater vulnerabilities.
“The good news is that support is out there to help organisations get it right, ensuring productivity and security,” McCabe said.
Alongside this, businesses need to think beyond the technology, because cybercriminals and their victims share one thing in common: they are human. As a result, businesses are only as strong as their weakest link.
“Cybercrime is opportunistic: they see an opportunity and they go for it. The culture is always the most important thing. It has to be right and there has to be education. The technology can only do so much.”