The business challenges created by COVID-19 are extreme. Organisations have had to rapidly shift to remote working models, placing huge strain on existing systems and infrastructure. While some businesses have adequate cyber and network security frameworks in place to cope, many have been found wanting. UK workers are now bracing themselves for the long “social distancing” haul. Despite the UK government’s desire to get employees back into the workplace, remote working is expected to continue through the remainder of the year. But rather than being simply the default status of all employees, it will now function as a business-critical tool to keep workplaces sparsely populated – and within government guidelines as they change.
What’s more, mass employee hire, redundancies and furloughs, have added to the workload for IT and security teams. A practical example is supermarket Tesco’s, which has hired 16,000 temporary workers to better serve the increased demand for click & collect and home delivery operations. New employees must be onboarded, given corporate identities and granted access to internal systems. This places pressure on IT staff to ensure existing systems and operations are equipped manage the rapid influx of workers. Whereas the big box retail example might be extreme, the same essential business processes and trends can be seen across industries and employers of all shapes and sizes.
The extreme joiner-mover-leaver cycle has created a volatile landscape with greater security risk to businesses. To manage security in the face of such disruption, business leaders need a proactive approach to identity management.
Balancing security and survival
Whether for work or personal life, we have turned to new technologies and apps – such as Houseparty and Zoom – as a means to stay connected. This has created new security challenges for businesses with reduced control of office setups. Meanwhile, technology vendors have found their productivity tools targeted more than ever by malicious outsiders trying to exploit any vulnerabilities created by technical oversights or a lack of awareness amongst new users.
Having faced the initial COVID-19 challenge – keeping the lights on – the second test for businesses is to effectively manage cyber risk when network visibility is reduced. The way we are using our devices has also suffered from this blurring of the office and home. With many employees making use of their work devices for personal errands and family entertainment, it becomes more difficult to govern all corporate access. In addition, internal IT administrators are now heavily focused on server capability and VPN bandwidth, which reduces the resources available to manage cybersecurity risks effectively.
Addressing these challenges requires an intelligent approach to identity. Most managers and leaders fully accept that their employees are more than a professional persona. The time has come for our office technology, and most importantly business security strategies, to accept this too and focus more on the ‘human vector’ rather than just a corporate endpoint. Ultimately, business leaders must ask the following; what are employees accessing in the organisation? What are they doing with that access? And, how is that access being governed (or not governed)?
Prioritising zero trust
Whether it’s a malicious insider or the office ‘nice guy’ being caught out by a phishing email, you don’t have to look very far to find the long line of organisations impacted by an employee-generated cyber breach. While it may sound trite, organisations must constantly evolve their security strategy to mitigate this risk.
Enter the ‘zero trust’ philosophy. This framework is defined by having zero trust for anything – or anyone – related to your organisation. When applied to a cyber security strategy, it means continuously authenticating users across the network. Put simply, nothing inside or outside the network is trusted until it is verified. This framework transforms identity from being “just another IT problem”, to a business-wide concern that must be managed at the board level.
Identity at the centre of security
Identity goes beyond the network, and ties into both endpoint and data security. Not only does it take information from every segment of an organisation’s security infrastructure, but when done correctly, a successful identity governance strategy combines this data to provide complete visibility over organisational access.
From a regulatory perspective, business leaders are being tasked with defining and enforcing policies (such as SOX, CPS 234, GDPR) and controls to minimise access risk. Regulation works in tandem with identity governance, empowering business users to be more effective and secure with the data at their disposal. As employees are reduced and onboarded en masse, this has never been more important for a robust security strategy.
COVID-19’s elastic workforce has created a multitude of business challenges with no easy solutions. While organisations can expect identity governance to become more complex, the benefits to overall security far outweigh the effort required and associated costs.
Business leaders must constantly evolve their understanding and approach to meet these challenges head-on – or risk being another statistic.
Author: Ben Bulpett, EMEA Director, SailPoint