As remote work continues to grow, don’t forget about raising cybersecurity awareness
Harish Siripurapu, a CISO who recently started working with Baltimore-based Think Systems, talks about how cybersecurity practices are evolving as the shift to remote work becomes a bigger transition.
What started as a temporary patch must become an embedded feature.
The COVID-19 pandemic brought a fast shift to remote work in March. Five months later, as the virus continues to spread and distancing restrictions remain in place, many companies are continuing to default to WFH.
While remote work was already trending in some situations, this shift brought it to the forefront. By April, an analysis from the National Bureau of Economic Research said 40% of jobs can be done from home.
“What the pandemic has actually done in forced companies which were thinking about digital transformation, now they’re forced to do it,” said Harish Siripurapu, an Ellicott City-based CISO and executive advisor who has worked in cybersecurity strategy and leadership roles at PwCand San Francisco-based Sitecore. In May, Siripurapu began a partnership with Baltimore-based tech advisor firmThink Systems to expand its cybersecurity portfolio.
The must-have digital transformation has brought plenty of rethinking about the future of work, from what offices will look like to where they’ll be based. On a more day-to-day level, the shift also has implications for the systems that were put in place to help people do their jobs and share information. There was initial consideration of whether the platforms and tools that worked in the interim will continue to work for the long-term.
All of the interactions among workforces that used to take place in person must now move to digital. While keeping meetings running and workflows in check were necessary to quickly adapt early on, a longer period of remote work means shifting entire processes that had been codified years ago, like onboarding. Siripurapu reminds that there’s another layer to this.
“Once you have done the digital transformation, which is identifying all aspects of operations and digitizing it, then you need to protect it. That is where cybersecurity comes into play,” he said.
With that comes an assessment for companies of a fundamental question: “Can we trust our employees with company information?” In an office, it might’ve been easier to set up controls that monitor for red flags, but it works differently in a remote environment where not everyone is on the same network and computers might be accessed by different members of the family. It means companies are implementing new controls for data loss prevention to monitor and address traffic. Along with insider threat management that involves tiering access and blocking certain content, it involves protecting against attackers that are seeking to “socially engineer” employees into giving up info like passwords that can give attackers the opportunity to break in.
This points to the human side in cybersecurity, as mistakes by employees can lead to breaches. Many companies recognize this, and implement cybersecurity awareness training that might happen once a year. Siripurapu said that’s not enough. It’s necessary to stay in continuous contact about the potential threats with regular security advisories, he said. After all, threats are evolving. And constant efforts to educate and raise awareness are important. In an in-person environment, it might be easier to bring this up in side conversations, or post around the office.
“When you’re not in the office you don’t have that hallway conversation, so companies need to be proactive about raising employee awareness of cyber attacks, and also best practices,” Siripurapu said. “There’s a huge opportunity for companies to train up the employees on what the telecommuting risks are.”
In Siripurapu’s view, making cybersecurity part of a company’s practices will help to protect them. It requires strategy, but despite the headlines with scary breaches, it’s an area where success is possible — and progress is happening on the private-sector side.
“Cybersecurity should not be something that is feared,” he said. “Companies and industries are winning cybersecurity. Sure there are some events, but it is pretty much manageable. You just need to have a well thought-out approach to managing cybersecurity risk.”