Matthew Moynahan is the CEO of Force, the global human-centric cybersecurity enterprise transforming the digital business.
If a CEO had asked their CISO two months ago what it would take to allow 100% of their workforce to work remotely, they probably would have received a response like, “Give me a year and $ 10 million. , and I’ll see what we can do. ” Yet, apparently overnight, CISOs managed to make it happen. To their credit, the urgency of the moment created change at a rate that businesses typically hampered by bureaucracy did not believe was possible.
This “new normal” contrasts sharply with last year, when only 18% of the workforce was remote on average and more than 44% of companies didn’t even allow remote work options. As a result, CISOs must prepare for what will be a lasting impact of the COVID-19 crisis on businesses: securing their organization at a time that will see an exponential increase in the number of remote workers.
For the first time in modern businesses, CISOs do not work in model-based security programs. As the initial transformations began to alter security, COVID-19 completely dismantled it by introducing a work-from-home environment. The “edge” originally encompassed IoT devices, but now it means any place where someone does their work.
This growing awareness that people are the new perimeter of business has made understanding employee behavior and critical data at the edge the major security challenge of the day. And those who are slow to adapt will be exposed to the potentially crippling risk of the economic impact of the crisis – and the simultaneous disruption of a critical data breach that could permanently damage the company’s brand or creditworthiness. . The hard truth is that cybersecurity has never been so imperative today.
Disruption is breeding ground for bad actors
Naturally, no crisis is seen as more than a great opportunity for the bad actors as they take advantage of the fear and uncertainty associated with the pandemic. Previously, this was enough of a challenge to stop malicious actors outside the traditional perimeter. However, more recently, hackers have taken more sophisticated approaches to compromising employee connections, allowing bad actors to pose as employees and rendering many established cybersecurity defenses ineffective. At present, CISOs have no idea how many of their employees have fallen victim to a phishing scam or other identity theft by a nation state attack. And once detected, it is often too late, because data exfiltration can happen in seconds. The damage that is happening now will only start to become apparent in the next six to 18 months.
All of this happened to a lesser extent before the significant shift to remote working and was just as invisible. Today, however, millions of workers globally are now not only connecting to corporate networks, but also working with sensitive data that has been moved to newly deployed SaaS applications that enable environments to be better enabled. remote work, but also open the door to new large-scale vulnerabilities. CISOs have received a wake-up call and now understand that they are living with a false sense of security. They realize that real security isn’t about building a perimeter between four walls or through specific hardware, software or device, but people. People are the new and real perimeter in the age of the commoditization of the computing stack. And visibility into the behavior of people and data, wherever they are, has never been more critical.
Manage the insider threat when no one is inside
With people spread across the globe in this new business environment, it is imperative to keep an eye out for the “inside threat” that has potentially become every entity in your network. Attackers compromise access, guaranteed. And even traditionally loyal employees can feel disconnected from the company in this unprecedented career change. CIOs and CISOs need the technology to enable large-scale remote working that allows employees to be productive while keeping the environment safe, all under the same security policy.
The power of this for business runs deep. When organizations understand that their employees are their new perimeter, they stop using imprecise and inflexible rules and instead apply custom and adaptive controls that allow users to be productive while managing security risks. Think of it as a personal credit score for security risk. Fueled by behavior-based analytics, these risk level ratings rise or fall depending on how well a credentialed user – whether a trusted employee or a bad actor posing as a – behaves and interacts with your data.
Automatically reporting and blocking only real risks means less friction for users in general. Policy enforcement based on actual risk also enables individualized company-wide policy enforcement for a more productive environment and more effective security.. Understanding the behavior of users interacting with data is the kryptonite of modern bad actors and allows CISOs to move to the left of the breach.
In addition, an increasingly remote workforce will have impacts on the entire security landscape. This is forcing employees to be more diligent in how they share valuable company data and will require new security policies on how to protect that data. It requires extensive email and web security protection to cover employees wherever they log on. And it requires a bigger view of cloud application usage and data movement on and off the network. If cybersecurity wasn’t already a top priority for your CEO, it should be now.
Stronger than before
Organizations today are navigating uncharted business territory as their global workforce has suddenly shifted to a large-scale remote working model. While we are all doing our best to move forward safely, this is also a valuable opportunity. The goal for every business should be to come out on the other side stronger, better prepared, and more secure than before. And that means having real visibility into threats, whether inside the office or across the world, protecting the real perimeter, your people.