Today, cybersecurity is a pressing business issue, and one whose complexity and relevance is only increasing as Covid-19 drives a coach and horses through long-standing business processes.
As businesses shifted from the office toward large-scale remote home working and then beat a path to blended and hybrid working, the IT landscape was twice transformed. This means that cybersecurity has to respond to the new reality, according to Paul Sexton, cybersecurity sales specialist for enterprise at IT and telecoms service provider HCS.
“Over the last two years security has changed an awful lot,” he said. “In fact, it has changed over the last ten years, but with everyone working at home it has changed more in the last two years than in all of the years before.”
The key difference is that perimeter-based systems of the past are no longer sufficient to protect business data. This does not mean they should be abandoned, but they do need to be at least augmented, if not rethought.
“If you look at the way security is adapting, it’s not that the perimeter has been removed, it’s just that the number of perimeters has increased,” said Sexton.
Given the number of devices accessing business data, and the fact that they are accessing it from a variety of locations, the old challenge-response of password logins is one thing that has to change.
Sexton said using multi-factor authentication was a start, adding a good degree of additional security, but that, increasingly, a new approach to trust based on continuous verification was on the agenda.
“There has been a lot of talk around zero-trust, in fact it has become something of a buzz phrase.
“The old way of doing things was one check with an e-mail [address] and a password and that was the only check. But modern security puts agents on each endpoint so that when you have access to the company assets, the data, there are contrast checks to ensure that that computer should have access to that.”
This zero-trust approach allows for a lot of configuration based on a company’s individual risk tolerance. In practice, this means users cannot connect unless they meet the parameters set by the organisation.
“The network is automatically checked to see which devices have access, should they have access, and have they got the basic security that is required, including some level of anti-virus and it is up to date and patched,” said Sexton.
Security had changed because the attack surface had become dramatically larger, he said. This included the cloud, which added a lot of complexity.
“If you think about the job of the IT manager, previously they only had to worry about the desktops and servers in the business. Now they have to worry about all of the devices being used at home, such as laptops, mobile phones that aren’t owned by the business, and now also the cloud, where people are holding a lot of their data.”
Indeed, though cloud can help increase security, it is subject to a misconception that responsibility for security lies with the cloud provider. The reality is that businesses remain responsible for their own data.
“They can have decent security built in, but they will all have different controls. We partner with Fortinet, which is cloud-agnostic and makes the security universal. From a security point of view, it becomes all one cloud,” Sexton said.
Cybersecurity can seem a Sisyphean task, but Sexton said that in light of the increasing intelligence of threat actors, it made sense to work with a partner who could take the long view rather than simply ticking boxes.
“IT security is never truly complete, it has to be a strategy,” he said.