Cyber resilience: a set of good practices

Digital & Remote: Balancing efficiency and risk


Pandemic-related operational changes have forced most companies to accelerate or outright reinvent the way they function. New processes needed to be defined, technology had to be adapted, people needed to be trained and all this within the shortest timeframe imaginable.

Never let a good crisis go to waste. These words, spoken by Winston Churchill while working for the United Nations after the Second World War, couldn’t be more fitting for the situation we face today. Unfortunately, opportunity doesn’t discriminate between benevolent and malevolent forces: malicious actors have adapted equally fast and explored new ways to exploit accelerated digitalisation.

Working in an office building, which is properly managed and secured by dedicated IT & security departments, has provided a robust safety net that has evolved and adapted over the years to negate many cyber risks. Firewalls, blacklisted IPs, segregated networks, company-managed workstations, physical access restrictions to certain areas and machines are just a few of the key security principles almost every company has in place.

The attack surface of each employee has suddenly increased enormously.
André Meyer, Head of Cybersecurity and defense, Accenture

The new reality, however, sees many employees using personal devices at home, connecting over their private Wi-Fi, a network shared with a neighbour, or even public Wi-Fi in a bar or restaurant. Files are shared via whatever seems the most convenient solution, often outside the control of the company. The attack surface of each employee has suddenly increased enormously, not to mention insider threats, which have risen dramatically since March 2020. Whether malicious or unwitting, insiders have caused disruptions and critical data loss at nearly half of the organisations in a survey of 457 cybersecurity professionals commissioned by behaviour analytics company Cyberhaven. An employee at Russian search provider Yandex reportedly sold access to nearly 5,000 user mailboxes. A Tesla employee reported that a criminal conspirator offered him $1 million to help with a scheme involving distraction by distributed denial-of-service (DDoS), information exfiltration and ransomware for extortion.

So how can you balance this new, highly efficient way of working from anywhere, anytime for your employees without compromising your company’s data, integrity, and obligations?

The first step is to create a universally applicable remote working policy that gives guidance on how to store devices securely, how to set up and maintain multi-factor authentication, and an acceptable use policy for visiting websites that aren’t work-related. Nurture your employees’ sense of responsibility for the organisation’s security. The document should include a detailed elaboration of which data protection technologies the company offers to properly secure sensitive data. In summary, the very first step you need to take is to properly inform and train your employees, who remain both the driving force and the Achilles’ heel of your corporation.


Having covered the human factor in the equation, technology should empower your employees to work as securely as it does flexibly. The overarching approach is to apply a zero-trust principle in your security architecture. Looking at your end users, the easiest, but most costly and labour-intensive, approach is the distribution of company-managed devices such as laptops and phones that are entirely under the remote control of the distributed IT department. Remote management of access policies, fully encrypted hard drives with remote wiping capabilities and centralised digital identity management are a great starting point. However, this is not the only possibility. Bring your own device (BYOD) is just as feasible when done right. A modern mobile device management (MDM) solution such as Microsoft Intune offers similar possibilities by compartmentalising the employee’s device without affecting its personal use. Another alternative is virtual desktops that are made available via the web browser and prohibit any data exchange with the physical machine on which they are opened remotely.
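The tiering this paragraph describes (full access for a managed or MDM-enrolled compliant device, a browser-delivered virtual desktop for anything else, and no access without multi-factor authentication) can be written down as a small zero-trust policy evaluator. The following Python is an added example, not code from the article, from Accenture or from any MDM vendor; the posture fields, the three tiers and the sample requests are assumptions constructed to illustrate the idea.

```python
"""Zero-trust access tiering for remote workers (added illustration).

Every request carries the user's MFA state and the device's posture; no
request is trusted because of where it comes from. The outcome is a tier,
not a flat allow/deny, so an unknown or degraded device is confined to a
virtual desktop (no data on the endpoint) rather than simply rejected.
"""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    FULL = "full"   # direct access to company data and applications
    VDI = "vdi"     # browser-delivered virtual desktop, no local data exchange
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    # Assumed field names; a real MDM reports these under its own schema.
    managed: bool = False        # company-owned, under IT's remote control
    mdm_enrolled: bool = False   # BYOD enrolled with a separate work profile
    disk_encrypted: bool = False
    remote_wipe: bool = False    # remote wipe capability is available
    os_patched: bool = False


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    posture: DevicePosture
    resource: str


@dataclass(frozen=True)
class Decision:
    tier: Tier
    reasons: tuple  # the signals that drove the decision, for the audit log


# Controls a known device must have before data may reside on it.
REQUIRED_CONTROLS = ("disk_encrypted", "remote_wipe", "os_patched")


def decide(req: AccessRequest) -> Decision:
    """Evaluate one request and return the access tier with its reasons."""
    if not req.mfa_verified:
        # Identity is the first gate; nothing is evaluated without it.
        return Decision(Tier.DENY, ("mfa-not-verified",))

    p = req.posture
    if not (p.managed or p.mdm_enrolled):
        # Unknown device: the session stays inside a virtual desktop.
        return Decision(Tier.VDI, ("device-unmanaged",))

    missing = tuple(f"missing-{c}" for c in REQUIRED_CONTROLS if not getattr(p, c))
    if missing:
        # Known device whose posture has degraded: still no data on the endpoint.
        return Decision(Tier.VDI, missing)

    return Decision(Tier.FULL, ("device-compliant",))


def evaluate_all(requests) -> dict:
    """Map each user to the decision for their request."""
    return {r.user: decide(r) for r in requests}


# Constructed sample requests (not real users or devices).
SAMPLE_REQUESTS = (
    AccessRequest("alice", True,
                  DevicePosture(managed=True, disk_encrypted=True,
                                remote_wipe=True, os_patched=True),
                  "finance-share"),
    AccessRequest("bob", True,
                  DevicePosture(mdm_enrolled=True, disk_encrypted=True,
                                remote_wipe=True, os_patched=False),
                  "finance-share"),
    AccessRequest("carol", True, DevicePosture(), "finance-share"),
    AccessRequest("dave", False,
                  DevicePosture(managed=True, disk_encrypted=True,
                                remote_wipe=True, os_patched=True),
                  "finance-share"),
)


if __name__ == "__main__":
    for user, decision in evaluate_all(SAMPLE_REQUESTS).items():
        print(f"{user:6} -> {decision.tier.value:5} {', '.join(decision.reasons)}")
```

Returning the reasons alongside the tier is deliberate: the same signals that confine a BYOD laptop to a virtual desktop (an unpatched OS, a missing encryption attestation) are what the help desk needs to tell the employee how to regain full access, and what the security team needs in the audit trail.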

Your employees and customers are evolving. Technology and threat actors are evolving. The world is evolving. Everything is becoming more digital to give us, the people, more flexibility to live, to be creative and be productive. By adapting to this changing landscape, by rethinking the status quo and embracing the change, you can pave the way for the years to come without compromising your security in the process.