Andy Collins at Node4 explains that organisations supporting BYOD need to balance gaining visibility into users’ devices with personal privacy
Hybrid and remote working have played a vital role in enabling organisations to navigate the restrictions placed on them over the past 18 months. And despite the momentum building behind a full return to the office environment, for many, hybrid working will remain a permanent option for employees.
While its advocates believe hybrid environments can offer the best of both worlds, these distributed models of working are accompanied by a variety of security and compliance challenges. Key to addressing them is a diligent approach that ensures IT teams have full visibility of what employees and their devices are used for. From BYOD and business continuity to monitoring endpoints, privacy and user access, a failure in any of these areas can seriously compromise security and compliance.
Let’s start with one of the most important issues to address – Bring Your Own Device (BYOD). On the one hand, BYOD has provided employers and their teams with a quick, easy and relatively inexpensive way of extending their networks to the home environment. The big problem, however, is that most organisations have historically focused on their network perimeter as their main security boundary, and by definition, BYOD shifts the boundaries.
In response, businesses should be formalising their BYOD rules and processes in a corporate policy so users understand what is expected of them and what security software may be deployed to their device to ensure the organisation’s data, systems and network remain secure.
Those organisations supporting BYOD going forwards also need to strike a balance between gaining visibility into users’ devices and doing so in a way that doesn’t infringe on their personal privacy. For instance, Virtual Desktop Infrastructure (VDI) is a useful option, but employers need to know where their data resides and have the ability to remotely delete data, or at least check what’s there, while at the same time not gaining access to users’ personal data.
Similarly, employees should only be given the level of access to the applications and data they need for their job, to minimise the risk of unauthorised access. Prior to applying this kind of role-based user access or identity management, it’s a good idea to carry out an audit to understand what level of access they really require.
Is diligence overdue?
A thorough approach to security and compliance also extends to the way organisations approach business continuity. As the return to work and hybrid trends continue to evolve, business continuity plans must remain fit for purpose and up to date with the way people are working.
For example, password policy, network controls and security monitoring should each be reviewed on a regular basis in any case, but if they haven’t been reconsidered over the past 18 months, then it’s time to take a closer look. And while the network perimeter remains key, greater emphasis should be given to endpoint, SaaS and cloud security.
More specifically, where does the most critical and sensitive data reside? For many companies, data has been moving out of the office to a variety of convenient Software as a Service (SaaS) platforms, ranging from SharePoint and Office 365 to HubSpot and Salesforce. Whatever platforms are used, a functional business continuity plan should extend to how the organisation reacts if there is a service interruption or, even worse, a security breach.
For example, how long will it take the supplier to restore their services if they fail, and what does their SLA promise as a minimum standard? How do they communicate with customers when dealing with an incident? This kind of due diligence also extends to standards. What accreditations do they have in place, for instance? Are they Cyber Essentials or Cyber Essentials Plus certified? Are they fully ISO 27001 and PCI compliant? The list goes on, but organisations should ensure that service providers work to the standards that meet their needs.
Given the circumstances businesses have faced over the past year, it has been difficult for some to make sure that their security strategy has kept pace with the speed of change. But as organisations focus on their post-pandemic strategy and whether hybrid working will continue to be offered to their employees, security and compliance gaps must now be closed if they want to move confidently into the future.
Andy Collins is Chief Information Security Officer at Node4