The last year has seen the security landscape evolve dramatically. The rise in cyberattacks linked to remote working has prompted a realization for many businesses that it’s time to re-evaluate their cybersecurity strategies. While most understand that trust should never be relegated to the back burner, many are still looking at it through an outdated lens that stands in the way of delivering the level of security that organizations need in order to properly protect themselves and their employees in the new hybrid office.
Securing remote work isn’t just a technology issue. In our current digital era, security is built on layers of trust that underpin the way people engage with technology. To get things right in our new operating environment, companies need an approach that elevates trust throughout the entire ecosystem and makes security part of every job description. In my work as a Global Chief Security Officer, I have identified five steps that business and technology leaders can leverage to enhance trust among the people, processes, and platforms that contribute to secure remote work.
Building trust through empathy
Perfect security is a myth. The most effective way to build strong trusted ecosystems is to acknowledge that digital trust will always be a work-in-progress, and fundamentally, it is all about people.
In my experience, the most effective way to build trust is to listen, learn and lead with empathy. When people tell you that security protocols are difficult to follow, don’t lecture them - seek to understand and find adoptable solutions. Encourage people to speak up about mistakes, and reward proactive behavior. Trust within an organization multiplies when it is generously and wisely given, and when people feel heard.
Making sure security solutions are built in, not bolted on
Unfortunately, some aspects of security practice have earned a bad reputation over the years, as well-meaning IT management teams implemented security solutions that placed barriers between people and the information they need to do their job. The fact is, people will find a way to work around security measures that don’t align with their business needs. As long as end-users see security as something that gets in the way, we will always face more security risks than we need to. Effective security comes from having tools and solutions that are easy to implement and follow.
My philosophy is that the best security solutions are built in, not bolted on. This means giving employees guideposts to facilitate their decision-making without stifling their productivity, and trusting them to succeed. Technology can help us achieve this, for example through AI-driven tools that automatically apply security classifications to different data types. But the goal is bigger than the tool: the point is to seamlessly integrate security into workflow processes without imposing new hurdles.
For today’s leaders, investing in frictionless security solutions is a direct investment in people and culture. It creates a sense of ownership and accountability among users for the content that they create and share. This helps individual employees realize that they’re bigger than just their title in a company, which grows the trust ecosystem.
Against this backdrop, there are three additional steps that security professionals can take to create a trust-based ecosystem that effectively delivers the level of security you need.
Distinguishing what’s critical
Part of any trusting relationship is knowing what’s important. Not everything in an organization needs to be as secure as a bank vault. Taking a one-size-fits-all approach to security has never been economical or purposeful, even before Covid-19 changed our work environments.
In every organization, different types of data hold various degrees of security importance. Whether it’s financial information or health care records, leaders need a clear view of what data, if compromised, would do harm to their organization. The appropriate security controls for these crown jewels need to be identified, and integrated into the flow of work with clear lines of accountability, so that the data is protected by both the technology and the people surrounding the data.
In my day-to-day work since the pandemic began, I am seeing more customers accelerate and deepen security plans that focus on the core transformations of their business. Distractions such as hardening only the perimeter (VPN, firewall, endpoint protection, etc.) may not add incremental value to the core competencies of an organization. By differentiating what’s critical from what isn’t, leaders can maximize the return on their security investments by pre-empting problems that could irrevocably damage confidence in their organizations.
Going back to basics
You can’t build an addition on a house with a shaky foundation. The same is true with trust. There are core security fundamentals that form the basis of trust in every security environment: Senior leadership needs to be able to trust from the beginning that their teams have secured systems for remote work. Customers need to trust that their data is protected. Employees need to trust that there are systems in place to support them. It isn’t something you can add on as an afterthought.
In a world dominated by remote work and mobile access, most organizations would benefit from strengthening the basics of identity management and implementing formal processes for monitoring and correlating security logs. Strong identity management means having a robust process for onboarding and off-boarding entities (employees, processes, APIs etc.). This prevents access proliferation, which puts your data at risk by leaving the virtual vault open to people who shouldn’t be entering it anymore. Along with best practices such as multi-factor authentication and malware detection, strong identity management helps ensure that the only people accessing your system are the people who have permission to do so. Supporting that effort with a formal process for monitoring your security logs will help you identify unauthorized access attempts early, and neutralize threats as quickly as possible.
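As an added illustration (not part of the original article), the sketch below combines the two basics named above: it compares an off-boarding roster with the accounts still enabled to surface access proliferation, then correlates authentication logs to find activity after an entity was off-boarded. The roster format, log format, entity names and addresses are all constructed assumptions.

```python
import csv, io
from datetime import datetime

# Constructed sample data; names, formats and addresses are hypothetical.
ROSTER_CSV = """entity,kind,offboarded_at
alice,employee,
bob,employee,2021-03-01T17:00:00
svc-reports,api,2021-02-15T00:00:00
carol,employee,
"""
ACTIVE_ACCOUNTS = {"alice", "bob", "carol", "svc-legacy"}  # still enabled in the directory
AUTH_LOG = """2021-03-01T09:12:44 alice LOGIN_OK 203.0.113.10
2021-03-02T02:31:07 bob LOGIN_OK 198.51.100.23
2021-03-02T02:40:19 svc-reports LOGIN_FAIL 198.51.100.23
2021-03-02T08:05:51 carol LOGIN_FAIL 203.0.113.44
2021-02-10T11:00:00 svc-reports LOGIN_OK 203.0.113.10
"""

def load_roster(text):
    """Map each entity to its off-boarding time (None while still active)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = row["offboarded_at"]
        roster[row["entity"]] = datetime.fromisoformat(ts) if ts else None
    return roster

def access_proliferation(roster, active_accounts):
    """Enabled accounts that are off-boarded (stale) or absent from the roster (unknown)."""
    stale = {a for a in active_accounts if roster.get(a) is not None}
    unknown = {a for a in active_accounts if a not in roster}
    return sorted(stale), sorted(unknown)

def post_offboarding_activity(roster, log_text):
    """Authentication events, successful or failed, after an entity's off-boarding time."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        ts, entity, outcome, src = parts
        cutoff = roster.get(entity)
        if cutoff is not None and datetime.fromisoformat(ts) > cutoff:
            hits.append((entity, outcome, src, ts))
    return hits

if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    print(access_proliferation(roster, ACTIVE_ACCOUNTS))
    for hit in post_offboarding_activity(roster, AUTH_LOG):
        print(hit)
```

Failed attempts are reported alongside successes because repeated use of a retired credential is worth reviewing even when it is rejected.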
Investing in end-user education
Trust is a two-way street. Security professionals know that end-user behavior is still one of the biggest risks to security, but I also believe that, with the right approach, end-users can be the biggest security advocates. Educating users about security threats and best practices is often seen as a “nice to have” that gets forgotten when a crisis emerges. However, this is exactly when security education is needed most. Social engineering has long been a primary threat vector, and the success rate with attacks is higher when everyone’s attention is diverted elsewhere.
The fact is, workers are more distracted than ever in this pandemic, with many employees working from makeshift home offices, surrounded by families and pets, maybe in multi-purpose environments like kitchens and bedrooms. Yet these same people still want to make good decisions, and they can be trusted to do so if they have the right support. Developing and communicating clear policies about trusted devices and regularly sharing information about the changing threat environment will help establish and reinforce a strong security culture, even in a changing environment.
Organizations that don’t already have strong education programs don’t need to tackle this alone. They can look at leaders in this space to support them in ways that organically mesh into the culture of learning within an organization.
Why does that matter when securing remote work? Because it creates a work environment full of empowered people who feel invested in the company’s success, which is a trust-based security posture that money can’t buy.
- Lakshmi Hanspal, Global Chief Security Officer at Box.
Lakshmi Hanspal is the Global Chief Security Officer at Box. She is responsible for corporate, physical and cyber security of Box’s footprint, including data protection and privacy.