With the global pandemic changing the traditional way of working, employees in every market sector in New Zealand are now spending their working days in offices, homes and other locations. It’s a hybrid working model that Kiwis have embraced and it’s here to stay.
At a recent CIO New Zealand roundtable event in Auckland, supported by Palo Alto Networks and Vodafone New Zealand, senior technology leaders from organizations across Aotearoa discussed the challenge of keeping security first when the workforce is dispersed.
Glenn Johnstone, head of ICT practices at Vodafone NZ, highlighted findings from their disconnection report, in which 30% of respondents said they would move positions if their employer didn’t offer remote work. But the productivity benefits of working from home also come with a more complex IT environment to manage.
“The sheer number of smart devices in our lives means we’re more vulnerable than we think. We are connected through our phones, our printer, our cars, refrigerators, aquariums – and any connection can be a problem. This means we need security on all devices; in the office, at home, anywhere and everywhere your people are connected,” says Johnstone.
“The other key aspect is the implementation of zero-trust networks. If you’re operating in the cloud, you’ve increased the cybercriminal attack surface by a factor of 60,” he adds.
Sean Duca, regional chief security officer for Palo Alto Networks – Asia Pacific and Japan, echoes this. “With the primary focus now on delivering work safely and securely to our workers, no matter where they are, we need to think about where the data resides, who has access to it, and how it is secured and accessible.”
How New Zealand companies reduce risk in a hybrid work environment
Joe Locandro, chief information officer at Fletcher Building, praises the many productivity benefits that hybrid working has brought, but highlights the security challenges it brings.
“The computing advantage has extended to people working from a variety of ‘out of office’ locations, including homes, hotels and different countries. Also, most home computers are used by different family members. As a result, the potential for malware to become resident on home computers increases.
Locandro emphasizes the need to focus on providing an edge with cyber products that cover endpoint protection, two-factor authentication, and keeping employees up-to-date with virus protection software on home computers.
Waqar Qureshi, general manager of networks and technology at Horizon Energy Group, says they have developed a work-from-home policy for their organization that includes awareness and responsibilities for accessing, storing and sharing data/information.
SSO, MFA and VPN systems are also available to limit unauthorized access to accounts and systems.
Another event attendee says he uses a secure VPN, MFA around that; MFA around logins as well as using geo-fencing.
“In terms of risk to people, there is a lot of communication. We use town hall meetings and email newsletters to remind them of the importance of being vigilant. Everyone also has to go through phishing training plus we run SMX through our email which blocks/disables various features,” adds the CTO.
As organizations no longer have internal applications consumed as a service or applications running outside the traditional perimeter; many have simply looked to address the challenges by focusing on access and authorization, but the need to inspect all traffic is paramount, says Shawn Duca of Palo Alto Networks.
“Attackers are targeting employee laptops and the applications they use, so we need to inspect the traffic for each application. The attack surface will continue to grow and will also be a target for cybercriminals, which means we must remain vigilant and be able to continuously identify when changes are occurring in our workforce, when our employees are and monitor our cloud properties at any time.”
Educating your organization is key
Roundtable attendees discussed the best ways to gain buy-in and further awareness of the importance of cybersecurity, both from the board and the wider organization.
Joe Locandro says Fletcher Building’s management team and its board are updated monthly on cyber statistics, activities and events.
“There is strong leadership support for cyber programs. We regularly educate our staff about the potential of malware through phishing emails, frequently alerting staff to current market scams as well as regular phishing exercises. We measure click-through rates on phishing exercises as well [the] degree of detection difficulty.’
Another event attendee says transparency on the board is key. “Risk is the number one theme in my board book and it’s always bright red. Then there are details of the current situation, what we are doing about it and current progress. We use Essentials 8 to provide a framework and rigor that is easy to understand and define.”
Waqar Qureshi emphasizes the importance of any organization investing in cybersecurity training for IT staff “mainly to help them understand why certain policies, systems and processes are important. This includes all IT staff, not just members of the security team. ICT help desk staff are usually the first point of contact between ICT and users.’
The evolving threat landscape
Running legacy solutions that cannot meet the demands of a borderless workforce can see productivity impacted and the solution may not be able to deal with modern threats.
“Every organization should use this as a moment in time to reassess and reframe what the world looks like today and what it might look like tomorrow,” says Glenn Johnstone. “In a dynamic and ever-changing world, businesses must look to a software-driven model as it will allow them to pivot and change as they need. The way we work has changed, so we have to change our thinking and our approaches.”
As the threat landscape evolves, Sean Duca advises CIOs to be ever vigilant that:
- The attack surface has grown. Make sure you know what the attacker can see and manage accordingly.
- Know your assets inside and outside the organization – each acts as a potential entry point for an attacker.
- Secure your cloud estate: Make sure you have visibility and control over each of the workloads and data stores in the public clouds you operate in – look for consistent security, not piecemeal approaches in each.
- You no longer have a perimeter, you have a perimeter: protect your data applications where they are – use least-privilege access with continuous trust and security verification.