Maksim Kabakou - Fotolia
Security Think Tank: In 2021, enable, empower and entrust your users
After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?
Remote working is nothing new, but it is most certainly here to stay. That is not just an opinion, that is a statement based on what UK workers are actually saying, according to Morgan Stanley in its 2020 report.
Following on from an unprecedented number of people being given the opportunity to work from home in the first lockdown, only 34% of office-based staff returned to a Covid-19 safe office working environment after Lockdown 1, compared with 70% in Germany, 73% in Spain, 76% in Italy and 83% in France.
Having been given the opportunity to work from home, many UK workers are now keen to retain at least an element of home or remote working as part of their roles.
It is also worth noting that 50% of workers who were new to remote working – people who had never previously worked from home before Lockdown 1 – wanted to continue with remote working either full- or part-time in future.
The opportunity for cyber crime has, of course, not gone unnoticed by hostile actors. Indeed, Darktrace noted a jump from 12% (March 2020) to 60% (May 2020) in the percentage of malicious traffic directed to homeworkers. Most of this was delivered via phishing of one sort or another. The National Cyber Security Centre (NCSC) even introduced a reporting service to allow phishing recipients to forward their emails for investigation ([email protected]).
The impact of the UK’s subsequent tiering strategy and Lockdowns 2 and 3 have not yet been evaluated to the same degree, but it seems fair to think that little will have changed in terms of the intent of the workers or the criminals.
The businesses that were the most robust in terms of continuing as usua, tended to be those that had experience of a more agile working practice, had securely configured hardware in place with teams and had already implemented a mature security plan, with appropriate and effective policies and procedures in place.
These businesses had considered the change to their working environment and therefore security risk assessments had been carried out and risk mitigation measures were in place, at least to enable a smooth transition and put them in a good place to review and prolong these secure protocols.
According to (ISC)2,, 30% of security teams globally made the move to a remote workforce in a single day and, in most cases, with only a single day’s notice. This is impressive and a testament to the skills and commitment of both IT and security practitioners. Although we can’t say definitely whether these businesses fall into the well-prepared category, it certainly feels like they might – that kind of agility rarely appears overnight.
It is fair to say, however, that this was not a universal situation. A large number of businesses were culturally still restrained by the “bums on seats, hours worked” mentality when it came to staff management and, as such, were locked into the idea that staff had to be in the office to work. For organisations like this, the transition to a totally remote workforce has been harder, both technologically and culturally.
One of the changes we have noticed in the time that has elapsed since the first lockdown is the widespread marketing of tools that monitor employees or records and reports on “productivity”. It is not my intention to name any of these, but I would like the opportunity to discuss them in generic security terms and juxtaposed against principle-based security.
Risk management and human-based tools
Before I do, though, I want to talk about risk management, because firstly it leads well into employee monitoring and secondly because it is clear that many may now face an enhanced risk from either criminal activity or from accidental security incidents caused by employees – let’s not forget that not all insider threat is hostile. An unfamiliar circumstance or working environment can lead to unintendedly risky behaviour or exposure of company information assets to inappropriate viewing.
It can be easy, when considering the new risk landscape associated with so much remote working, to believe that these risks are all manageable with technological solutions, some server-based, some network-based and some client-side. We use anti-malware tools, anti-phishing tools, intrusion detection and prevention tools, etc.
However, we have been deploying a range of these same technological solutions for some years now, and yet still we see the number of data breaches increasing, not decreasing.
Now more than ever, we need to consider the value that human-based security – the best but often most poorly deployed tool in our arsenal – brings to the table. Almost all incursions of malware into an organisation are facilitated by our own people unwittingly interacting with it. So, in these unusual times, we must raise our expectations of the users but also support them in the challenges they face.
Team leaders, for example, need to be regularly communicating with their teams to ensure they stay onboard with all security requirements, and there needs to be an effective reporting mechanism for both incidents and near misses. Excellent leadership makes users feel important, and this, in turn, gives us a multitude that are part of the solution, not viewed as a problem. It is time to modernise our security attitudes. It is time to enable, empower and entrust.
The problem with monitoring
Entrust? Ah, now we get to the heart of the other matter. There has been a huge uptake of remote monitoring tools since lockdown began. Often marketed as productivity monitoring, many of these are equipped with a “stealth mode” enabling managers to watch what their staff are doing without them being aware of it.
In some cases, that stealth mode is the feature that is most heavily pushed as the great thing about the tool. There is no doubt at all that this uptake in these tools is thanks to historical cultural attitudes that staff cannot be trusted to be productive unless they are watched, that we must make sure everyone is working their hours, and that unless continually monitored, our people will simply slack off.
Unfortunately, the deployment of these monitoring tools in stealth mode, without appropriate policies in place and without staff knowledge, is illegal.
Let that one just hang there for a second. Monitoring of employees without transparency, policy and due diligence is a direct breach of data protection legislation and an area the Information Commissioner’s Office has intervened in on numerous occasions in the past, often enough to require employer codes of practice in this area.
The second unfortunate knock-on effect of this legacy culture is within security itself. Security practitioners, whether knowingly or subliminally, have developed a dictatorial, rule-based, non-trusting mentality. This has, in turn, resulted in the use of rule-based policies designed to tell users all the things they are not allowed to do, along with the procurement of numerous IT tools designed to catch them doing it.
This is antiquated, erodes trust, entrenches poor culture and ultimately results in an “us and them” blame culture.
The way forward is to abandon these out-of-date ways of managing users and security – it isn’t working anyway – and move towards a more empowering principle-based approach. If we work with our people, help them to understand the principles of what we are trying to achieve, and empower them to achieve a successful outcome, we in turn encourage initiative, discretion and, dare I say it, even the use of common sense.
Ultimately, we end up with a newly educated, empowered, disciplined and highly motivated remote workforce who are working with us to secure our assets.
Longer term, this could actually result in a lower cost of ownership through a decreasing dependency on the technology alone.
There is no point telling a child not to go outside of the bollards unless you also explain to them what a bollard is. Similarly, there is no point telling our people all the things they cannot do unless we also use leadership, explicitness and positive regard to explain to them what they can do.