BRIAN FAWCETT (BF): Both employers and employees agree that a combination of remote and in-office working is ideal moving forward. But, only one in five businesses are very confident that their infrastructure security can support extended remote work. And less than 8% are very confident their security protections against phishing or ransomware attacks are adequate in a largely virtual environment.
I'm your host Brian Fawcett, and this is IT Availability Now, the show that tells stories of business resilience, from the people who keep the digital world available.
75% of businesses are taking a hybrid work approach. That's according to data from two recent studies conducted by the Harris Poll, and research firm Pulse, on behalf of Sungard AS, but doubts about security cast a shadow over these plans.
Today we're going to delve into the cybersecurity measures organizations must have in place to support a long-term hybrid workforce, as well as dig deeper into the survey data itself. We're joined by Asher de Metz, Security Consulting Senior Manager, at Sungard AS.
Hello, Asher. Welcome back to the show.
ASHER DE METZ (AM): Thanks, Brian. Excited to be here.
(BF): The data clearly shows that most organizations are utilizing hybrid work. So is that trend expected to stick for the foreseeable future?
(AM): Yes, in fact, it’s going to become more popular and per our research some 89% believe a mix of remote and in-office working is the best work situation following Labor Day. 83% plan to employ a hybrid working model following Labor Day.
(BF): And yet only 21% are totally confident in their ability to keep this environment secure. So how do you explain the decision to move full steam ahead?
(AM): Yeah it’s a bit alarming, to be honest. And the reason it’s a bit alarming is because on the one hand, companies are saying they don’t feel confident in their ability, or one-fifth of companies are saying they’re confident and four-fifths (80%) are saying they’re not confident, however they’re looking to move ahead anyway, even with these potential security risks.
Now, that being said, businesses recognize that security isn't something they can ignore. The lion's share of respondents agree that good security is imperative for remote workers to be successful. The survey found that remote employees felt a few items are essential, including security software that keeps work devices secure, an easy to use system that enables employees to share files securely, IT support that specializes in supporting remote workers, and of course, a high-speed internet connection.
(BF): So what makes, then, securing a hybrid environment more challenging?
(AM): Well for starters, the rate of security events continues to accelerate and ransomware attacks aren't slowing down, they’re only increasing in quantity and sophistication. As evil doers, the hackers are getting smarter every day and with each attack. For instance, a ransomware attack used to be just an automated attack that would just land in the environment and propagate, but now today ransomware attacks, they're coming with an extra component where they’ll backchannel to the hackers, and they'll be inside your network stealing the data and not just encrypting it. Additionally, hackers are taking advantage of supply chains to really get their ransomware propagated.
So with a hybrid environment, you've got more access points for hackers, and this could be at home or at coffee shops, and more possible security gaps as these networks - the home networks and the devices that are on them - they can then have security gaps. And of course, you've got that potential to connect to these unprotected networks that we have no idea of what their security levels are. So additional changes to building out a robust, end to end security practice include migration to cloud infrastructures, rising regulatory compliance requirements and growing shortage of in-house, technical security skills.
(BF): That's great context there Asher. So for the 80% of businesses that aren't confident in their hybrid workforce security, what measures should they put in place?
(AM): The important thing is to always make sure that the company's got their security basics covered. Things like strong passwords, patching, multi-factor authentication, ingress and egress filtering, segmentation. Businesses really need to take a multi-layered approach to security and this means making sure all critical networks and supporting systems are segmented from the rest of the network. If critical systems and supporting systems must be connected to the main network with an internet connection, then the business really needs to make sure they're really heavily filtering all traffic coming in and going out.
Additionally, they can even segment employees. If they've got critical employees, tackling high-security data, critical data, place them in the office with extra high security, or at the very least, put a special home office in place for them with high security. And the low risk employees who don't really touch any data, and if their accounts are breached or their systems were breached, we wouldn't necessarily need to worry, because they're in their own separate disposable network. Additionally, what's important is to keep backups updated and separate or air-gapped.
(BF): All excellent recommendations. What can businesses do to verify that they're taking the right precautions to ensure that there are no holes in their security?
(AM): Well, the first step for any business is to evaluate current security posture and potential risks. Every organization will have different weaknesses. Identifying and fortifying against these many factors of potential attack across a breadth of environments and regions, generally means that a single point solution, by itself, or single strategy isn't the silver bullet to solve all these growing challenges.
Additionally, pentesting can quickly identify the glaring weaknesses in your systems. Ensuring response readiness in the event of a cyber-attack is critical. At some point, every business is going to experience a cyber security event. It's not if, it's really when. So they must be prepared to minimize the impact and long-term damage to the business.
So testing the disaster recovery and business continuity plans is going to be an essential step here. And then lastly, another important element is going to be refreshing employee education. So, although we say that we should inoculate employees from making mistakes and that we shouldn't make them responsible, like a security guard, we should still teach them how to spot and report phishing emails, before they click any suspicious links and keep them up to date on the latest phishing scams.
(BF): This is all great advice Asher.
75% of organizations are currently utilizing a hybrid work approach, but most are not confident they can properly secure it long term. As ransomware attacks continue to increase in number and severity, businesses must now ensure they have the right cybersecurity measures in place.
By evaluating their current security posture to identify potential gaps and weaknesses, taking a layered security approach that emphasizes multiple network protections, re-educating employees about the latest phishing scams and testing data recovery plans, organizations increase their chances of maintaining and securing a hybrid workforce.
Asher, thanks so much for being with us today.
(AM): Thanks for having me.
(BF): Asher de Metz is Security Consulting Senior Manager at Sungard AS.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Brian Fawcett, and until next time, stay available.