Securing the Remote Workforce
A study into the impact of remote working on IT.
Most organisations were forced to adopt remote working in 2020 across the majority of their workforce, and it turns out that many workers enjoy the extra flexibility – Just 10% of respondents said they plan to return everyone to the office full-time.
We learnt this and much more in our survey of IT leaders, which we carried out at the start of 2021, asking how they had adapted in 2020 and what they expected to see in future. The workplace has changed drastically in a short space of time, and now IT must rethink how it supports workers.
This report synthesises our research findings with our expertise to highlight the key areas of risk, along with some observations on how best to overcome them. The report is split into three main areas: remote working risks; employee experience; and IT after lockdown, which you can access using the links below.
Introduction
For most organisations, remote working still requires adjustment. First, new working practices must be secure. In the hurry to switch to at-scale remote working, corners were cut and there was no time to train staff on home working security or review how devices were secured.
Shadow IT is also a greater temptation for homeworkers and there are a number of challenges to address around home network security. Second, remote workforces will rely on the cloud even more than they do at present. We saw increased cloud adoption during 2020 and there is no sign of companies scaling back. In fact, the reverse is more likely. Not only will many companies expand their cloud usage, but they will also adopt more than one platform. Multi-cloud security needs particular attention, as we will see.
Finally, organisations must ensure that these workers have the applications, devices and connectivity they need to get their job done wherever they are, quickly and securely. Employees are more likely to think like consumers and expect the same kind of seamless IT experience that they get from their personal technology. Companies that cannot deliver will find it hard to attract and retain staff.
Let’s begin by looking at the challenges of securing remote workers.
Remote Working Risks
Cybercriminals and state-sponsored hackers took advantage of the pandemic to increase phishing and ransomware attacks. Once attackers get onto a worker’s machine, they can steal credentials and data and perhaps gain access to the wider network. Most organisations train their remote staff to make them aware of these risks, but in the rush to set up thousands of employees to work remotely during the pandemic, many people started remote working with little, if any, security training.
This is risky, to say the least. Companies need to make sure that everyone is familiar with best-practice security measures when working remotely – and that applies to people who worked remotely before the pandemic. Beyond that, companies need as much visibility as possible of security issues across all their platforms. The kind of single-pane security visibility that Ekco provides will help, for example.
Shadow IT and Endpoint Security
Among the pressing issues is the danger of shadow IT, long the bane of IT departments everywhere. During the pandemic, 47% of IT specialists say they saw users turning to shadow IT to get their work done. It’s understandable: stuck at home, often without sufficient training to do everything they needed to do, many workers were not equipped to be their own IT departments. Not every instance of shadow IT has to be rooted out – some of it will be harmless – but informed employees will make better decisions.
The second area of concern is with employee’s use of company devices. Many more people have company laptops or smartphones and they probably aren’t going to give them back. That’s fine. These new endpoints are secure, right? You made sure of that before you shipped them? Of course you did. And employees are going to use those laptops and smartphones to work wherever they are. They might also leave them on trains, write their VPN passwords down where they shouldn’t and cause other problems for security teams.
Beyond the devices themselves, your users are probably on networks that aren’t secure. A recent study of 127 popular routers found that every single one of them had critical vulnerabilities. These range from easily guessed login credentials (the username and password might be hardcoded as “admin”) to devices that are seldom patched. One-third of the routers tested was running a Linux version that was last updated in 2011.
Home Network Security
The IT department can control the office network, but there’s no way to check every remote worker’s home network. If an employee’s router is compromised then all kinds of attacks are possible including, for example, redirecting users to websites that appear genuine, but which are designed to steal credentials.
Many companies will circumvent the problem by requiring employees to access line of business applications via a virtual private network (VPN) but, unfortunately, not enough are doing this. Our survey found that just 29% of respondents said they were using a VPN. Almost as many (26 per cent) said they used an application installed locally on their machine.
Another solution is SD-WAN (software-defined wide area network) technology, which offers a new way to handle corporate networking by virtualising the network infrastructure, instead of requiring proprietary hardware. It can be designed to prioritise cloud-based applications, whether an employee is connecting from home or the office and can add security functionality without the need for more equipment.
The challenge of securing home workers won’t go away. Finding the best solution means partnering with a provider that has the experience and sector knowledge to determine what will work for your particular circumstances. But it’s important to consider how security fits into the overall employee experience – and that is where we will turn next.
Having the right technology is, according to almost four-fifths (78%) of the IT leaders surveyed, essential.
A seamless Employee Experience
Today’s employees expect an experience that is more like what they are used to as consumers, so they have less patience than ever for confusing, unreliable or fragmented workplace technology systems.
When they shift to remote working, those frustrations can increase, raising the possibility that staff could burn out or quit their jobs entirely. More than half of our respondents in our survey (54 per cent) say the shift to home working has increased the risk of burnout. Having the right technology is, according to almost four-fifths (78 per cent) of the IT leaders surveyed, essential.
Choosing the Right Tools
A light touch is really important. Users don’t really want to think about IT and, when it’s working well, they shouldn’t notice it. They want a seamless experience that doesn’t require them to constantly log in and log out of various systems and constantly authenticate themselves. Fortunately, this can be done without compromising security.
For those planning to adopt more Microsoft Azure, Office 365 is already set up to support a remote and secure-by-design posture. There is a range of security tools, such as Microsoft Endpoint Manager, compliance tools, Advanced Threat Protection (ATP) for Sharepoint and more. We’ve worked with organisations to deliver this as a harmonised estate using Microsoft licensing you may already be paying for.
We’ve delivered this for Soteria Insurance, building and managing the entire IT estate around their security and compliance requirements while providing a consistent, light touch environment. The end result is a highly secure environment ensuring the integrity of company data that just works for the end-user, enabling them to carry out their jobs without IT ever getting in the way.
Minimising User Frustration
The recent changes to working practices can be a source of frustration as IT departments try to keep up, but it’s better to see them as an opportunity to take stock of your security approach and make sure that it is fit for purpose and does not frustrate users.
How do you deal with that as a business? The question of which software tool to use was once a question decided by techies. Now it’s a wider corporate question. Professionals are using more technology than they used to and are having to take on more responsibility for managing, where previously they could rely on an expert. If they can’t do this successfully, they still need to get their job done, so they are likely to turn to shadow IT, using Zoom instead of Teams for video meetings, or sharing a file with a colleague using Whatsapp, for example.
If they continually meet this kind of frustration, they are likely to burn out or start looking for jobs elsewhere, ideally in a company where the technology works more seamlessly. Making that happen today is likely to involve integrating cloud services, while still keeping them secure. Let’s consider how to meet that challenge.
If your response to securing remote workers is a Facebook relationship status, then you really do need to take time to plan when it comes to securing multi-cloud.
IT After Lockdown
Many businesses accelerated their cloud strategies through 2020 and plan to keep the momentum going. The cloud is vitally important in the post-pandemic world and plays a central role in longer-term digital transformation. The challenge will be doing all of this when budgets remain tight.
Half of the companies in our survey (52 per cent) increased their use of cloud technologies during 2020 and many are planning to move more workloads to the cloud. Almost two-fifths (38 per cent) plan to move to Azure, with 15% going with AWS and 10% looking at private cloud.
Our survey found that two-fifths of respondents (40 per cent) said they would be moving workloads to more than one platform, with 3% saying that they would be using as many as five. Such a multi-cloud strategy is becoming more common. One recent report said that 93 per cent of enterprises have a multi-cloud strategy. Companies are taking a multi-cloud approach because they can get the best solution for a specific use case and reduce their dependence on one provider.
However, a significant majority (62 per cent) of those surveyed said their IT budget has remained the same, so they will have to do more with the same resources. The good news is that cloud services need not be prohibitively expensive. Methodologies and technologies developed for companies on a scale of businesses like Netflix are trickling down to SMEs. The challenge is to identify the ones worth investing in.
There are huge benefits, but any cloud strategy must pay careful attention to security. This is particularly true of multi-cloud, where security can slip through the gaps. This is likely to be a challenge. In our survey, when asked about securing remote working, more than half of respondents (54 per cent) said: “it’s complicated”. If your response to securing remote workers is a Facebook relationship status, then you really do need to take time to plan when it comes to securing multi-cloud.
Hardware firewalls aren’t enough. Organisations need to consider encryption, advanced threat defence (ATD), malware protection, SSO and access control. And it isn’t just the links between public cloud platforms that must be secured. Many organisations also have a managed private cloud as part of their estate, and this too is part of the security picture.
The result is a larger potential threat landscape. The network perimeter, once the frontline of cybersecurity, essentially disappears. Today, a growing number of organisations are removing the inherent trust from the network, assuming instead that it is hostile. A new boundary is created around applications and any request to the network must be verified for identity, context and policy adherence.
In addition to a zero-trust approach, companies should be looking for applications that are secure by design. When security has to compete with other requirements during development, it can easily be overlooked, which stores security problems for later. Today, more developers and service providers are committing to a secure-by-design approach by embedding security into the development process.
When planning a cloud strategy, companies need to take a good look at what they have already and determine whether they are getting the most value from their existing environment. If a new service or provider is needed, it’s essential to make sure that security processes are reviewed, adapted and evolved to accommodate.
Conclusion
The issues highlighted in this report are far-reaching and they require a sustained, joined-up approach to overcome them. The majority of our respondents (53 per cent) said that when they don’t have in-house expertise they partner with a specialist, and that is certainly a faster way to get on top of these challenges.
However, that means more than just outsourcing the odd project. Organisations need a partner who can guide them through these challenges, evolving their approach over time. An example of this is multi-cloud, which 40% of respondents stated is on their roadmap. It becomes increasingly critical to work with a partner who can provide true oversight of data, applications and compliance across all cloud services. This helps organisations maintain visibility and ensure that quiet corners of the IT estate don’t get forgotten.
Ekco has built a highly referenceable reputation for delivering transformation projects across a range of industries, with a particular specialism within the regulated space. Our agile, cloud-native approach delivers lasting change through business improvements, cost reduction and speed of delivery.
If you’re facing some of the challenges highlighted by our research then please get in touch. It all starts with an open conversation with our experts – tell us where you’re at today and where you want to be. We can deliver the roadmap to get you there.
Question?
Our specialists have the answer