Building a secure dynamic working domain for post-pandemic business
The success of any flexible working model depends on state-of-the-art security, with modern ways of providing secure remote access that meets the needs and expectations of employers and employees.
As Covid-19 lockdown restrictions begin to ease across Europe, many organisations are considering how to manage the transition from mass home working to a more flexible environment – and even whether they need an office at all.
IT leaders proved their worth during the 2020 pivot to working remotely, but now they face another challenge – how to securely accommodate employees’ desire for much greater flexibility around where they work and when, while boosting productivity, improving collaboration and managing costs.
This “dynamic” working model has implications across the organisation – from the boardroom to operations, from IT to HR – but it presents new opportunities as well. To navigate the near future of the post-pandemic workplace, business leaders need to understand the key technologies that will enable secure, managed, flexible working to meet the expectations of both employees and employers.
Flexible working offers the potential for significant cost, operational and management benefits. These include freeing up expensive real estate, better work-life balance, and fulfilling employees’ desire for much greater flexibility around where they work and when. In turn, the business stands to gain from retaining key talent and sourcing new skills regardless of location. However, this level of flexibility must be delivered securely.
IT leaders responded at lightning speed to enable remote working. The inevitable period of reflection since has allowed them to analyse what was achieved and what might need to change now.
“Cyber security professionals did pretty well moving employees at speed to home working,” says Carla Roncato, senior analyst at tech research firm ESG. “But the new normal is likely to be more flexibility and a hybrid environment.”
Roncato highlights identity and access management, zero-trust security and multifactor authentication as key technologies that need to be part of the CIO’s toolkit to support this dynamic work environment.
Identity and access management
Organisations opened up their security perimeter during lockdown to allow access to cloud-based collaboration tools such as Zoom or Slack, which served a hugely important purpose for keeping employees in touch. But even as this helped improve the quality of experience for employees working in a hybrid environment, it also led to a proliferation of user identities across different systems, which increases the threat surface targeted by malicious actors.
To resolve this, IT leaders need a seamless solution allowing them to consolidate different identity databases and integrate them with key applications.
Using identity and access management (IAM) tools to validate remote users not only makes application login more straightforward, but it also helps eliminate many manual processes, such as onboarding new staff and ensuring security when they leave, which reduces the burden on IT support and HR.
“Identity management is not one of those things designed to work only in the office,” says Roncato.
Prior to the pandemic, employees joining a company may have been required to go in-person to the office with proof of identity, so they could obtain a physical security device just to enter the building. Instead, with IAM, employees can email a picture of their driving licence, for example, with identity verification completed remotely.
“Onboarding has been democratised. Nobody wants friction – the benefits are that from day one, you are productive. Onboarding happens once, the information is protected and used to establish what the employee experience will be like,” says Roncato.
With a unified view of identity, risk signals are more accurate and security measures can be stepped up based on device, location or network contexts alongside multifactor authentication to provide further levels of security.
ESG research has shown that IAM is increasingly delivered and managed in the cloud, with 49% of organisations surveyed planning to consolidate around a major platform player as their likeliest strategy.
Zero trust
Zero-trust security is defined by the statement “never trust, always verify”. It offers organisations a holistic view of their identity and security strategy, and means employees can work on their device of choice and access systems from wherever they choose.
Identity is the starting point for a zero-trust security modernisation strategy, says Roncato. “From small businesses to global multinational corporations, all have successful outcomes with zero-trust identity programmes. Results matter – everything that you used to do in-person can be accomplished with digital identities,” she says.
She stresses the importance of validation and making sure users are who they say they are, especially in response to the growing threat of identity theft. “Zero- trust security means verify everyone. It is security hygiene. Why wouldn’t you do it?” she adds.
Roncato advises organisations to architect a least-privilege operating model and evaluate leading platforms in categories from privilege access management to cloud infrastructure entitlement management.
“This is the way to reduce the attack surface and impact radius that can occur from too many privileges and permissions,” she says.
Authentication and entitlement should be inseparable, and questions must be asked about what user privileges should be used in any high-risk transaction. This is where automation and the cloud can help through managing data and ensuring that only the right people are permitted access.
Multifactor authentication
In further guidance to organisations on their journey towards a dynamic working environment, Roncato advises deployment of multifactor authentication (MFA).
“Don’t wait any longer to begin the journey of breaking with passwords and knowledge-based security questions. It’s your best defence against people- oriented social engineering techniques such as phishing,” she says.
Passwords on their own are not an indicator of authentication. Knowing a secret is not enough. Authenticating identity in the face of a challenge response should rely on more robust validation, such as biometric credentials.
“Multifactor authentication is important because it verifies that you are who you say you are,” says Roncato. “Compromised emails trick users into giving away their usernames and passwords. Multifactor authentication ensures you can’t be phished as you have to prove something about yourself to get to the next stage of access.”
The pandemic also accelerated the adoption of cloud services and “as a service” applications, which provided the basis for the initial shift to remote working. Going forward, the cloud also enables the security improvements inherent in the combination of IAM, zero trust and MFA.
“We are people who move around. Cloud gives the possibility of portability. Identity is portable and cloud is available and reliable,” says Roncato.
Managers tasked with identifying suppliers that can meet business and security requirements should seek companies with strong partnerships with other technology providers, proven customer case studies, and expertise in the use of identity and access management, zero-trust security and multifactor authentication.
Organisational challenges
Investing in technology and security to support a dynamic working arrangement is essential but insufficient for success. The operational needs of key business functions are equally important challenges.
COOs responsible for determining who should return to the office, and when, must consider employee well-being and making the environment safe. A digital-first strategy can be combined with teams meeting in-person to avoid a sense of isolation and make the connections that translate into the virtual world of collaboration.
CIOs need to identify the right solutions for overburdened IT staff supporting a remote workforce. They need to ensure technology parity and match the expectations of office workers when they are at home, so users can choose their own devices and use them in both environments.
The HR function will be looking at other challenges, including recruitment, the danger of a work-life blur, how to increase productivity through fostering a culture of trust, and ensuring employees have the right skills for their digital environment. Offering flexible working is also likely to attract and help retain top talent.
But across the board, strong leadership is vital to ensure the well-being of staff adjusting to the new ways of working. Business psychologist Julie Brophy, principal consultant at organisational consultancy firm OE Cam, highlights four key considerations for managers to motivate and effectively communicate with hybrid teams:
- Focus and perspective – to give staff an understanding of the organisation’s post-pandemic strategy and the role they need to play.
- Autonomy – so they have sight of the goal and control over how they achieve it.
- Attachment – so they reconnect and feel like part of something again.
- Security – so they know how to get support and feel psychologically safe enough to share their concerns and struggles on the return to work.
Of course, the success of this new situation depends on state-of-the-art security, with modern ways of providing secure remote access.
“The benefits of focusing on these areas is a team able to work together in a new hybrid way and the mitigation of conflicts arising from the return to a shared environment,” says Brophy.
Who does what and how will differ for each organisation, and the balance of home working and office working must match employees’ needs.
“This will be different for each organisation and depend on the organisation’s type of work and their employees’ preferences, and expectations,” says Brophy.
“Four main activities require the immediacy and energy of a shared working environment: collaboration, creativity, complex decision-making and maintaining culture. The required mix will drive the amount of time organisations want people back in the office.”
An ongoing journey
The challenges around shifts in working strategy are dynamic and ongoing. No organisation is going to reach journey’s end. New technology partners must be brought on board that can help the business as its digital transformation evolves.
Consolidation of remote working tools is a priority and must incorporate protecting remote workers from security threats such as phishing and other cyber attacks.
There are responsibilities on both sides, for employers and employees, to ensure the dynamic work environment is secure and successful.
“For both parties, an important responsibility is effective communication to ensure the needs and expectations of both employers and employees are considered in the new ways of working. This will form an essential part of renegotiating the psychological contract – the unwritten and intangible agreement that informs how things are done and how people behave towards each other,” says Brophy.
Evaluating remote working tools with an emphasis on security, working with partners that can deliver support for the growing number of remote employees, and providing continuous access to the right tools while giving employees the support they require, are the key factors in a successful transformation.
“Identities are a critical control point for all organisations due to their ubiquitous use in our digital world,” says Roncato.
The outcome is happier employees, a more secure organisation and one that is ready and responsive to the challenges of a global economy post-pandemic and beyond.