Secure your workplace in three easy steps – expert advice from Fujitsu Forum
It was clear from attending the talks and exhibitions at Fujitsu Forum 2017 that people are excited about the future workplace.
But in amongst the talk of innovation, one concern rang loud and clear: the ongoing dilemma of keeping your company secure without harming productivity and the wider employee experience.
As we all know by now, the scale of the security challenge is alarming.
In fact, spending in this area is expected to top $100 billion by 2020 – an understandable figure when you consider the number of high-profile attacks that have occurred in recent years.
So what can we do to face the security challenges that are making us all so worried?
I put this question to two security experts: Microsoft’s Anna Kopp and Citrix’s Christian Reilly.
They joined me on stage at Fujitsu Forum for a session on workplace security, titled: ‘Don’t become a headline – secure your workplace’.
We aimed to provide some insight into the threats to security that your business is currently facing and provide some tips for defending yourself.
In my view there are three particular areas that organisations are struggling with:
Growing surface area for attack
From WannaCry crippling the NHS this year, to DDoS attacks taking down Spotify and Twitter and a whole range of high-profile data breaches, we’ve seen just how many potential avenues cyber-criminals have.
And attacks are becoming increasingly sophisticated. Today we need to monitor threats 24/7, in real time, from both inside and outside our organisation.
Indeed, it may well mean we’ve reached the limit of what humans can achieve in cyber defense on their own.
A recent Citrix survey found that three-quarters of IT leaders are worried about cyber threats and recognise they need a new framework.
I think this figure should be closer to 100%.
The biggest threat of all is contractor or employee negligence, and the surprising cause of this is a failure to consider how your staff work and how their IT may stand in their way.
The move into a digital workplace lets us create richer and more rewarding customer relationships and improve the employee experience. It’s certainly not a negative force – but it is an unstoppable one.
And it’s changing the way people think.
A recent Fujitsu survey found 79% of organisations are now willing to share sensitive business information with collaborators, and 63% are already running co-creation projects.
On top of that, working styles are evolving.
More than half the workforce will be working in a freelance capacity by 2025, and millennials are demanding more flexibility and better connectivity.
And of course even the slowest technology adopters have begun to migrate their services to the cloud.
So how do you deal with the three big challenges that I’ve laid out?
I asked our expert panellists for their advice – and they gave us plenty.
Here are their top three tips:
Implement a three-layer approach to security
Anna is better qualified than most to talk about securing a large organisation – Microsoft has more than 100,000 employees across multiple countries.
She estimates that the average number of passwords for any one person is somewhere between 10 and 200.
Single sign-on seems like the most likely solution to this problem, but Anna said you need to go further than that.
You have to use something completely individual, she said, or you leave yourself open to duplicates.
So Microsoft uses biometric security measures like facial recognition or iris and fingerprint scanning. These tools are increasingly becoming workplace norms, no doubt helped by the fact we’re getting more comfortable with them as consumers.
That’s the first layer.
For the second layer, where sensitive data needs to be accessed, Anna explained how Microsoft is using contextual authentication via an app-provided pin code or QR code to control and log access.
The third layer is particularly interesting, and it’s something Microsoft is beginning to look into now.
With so much sensitive data travelling around the business, it may be necessary to restrict visibility of the structure of data.
Anna called this a culture of protectionism that operates in multiple directions. You may need to restrict visibility of clients, for example, and by creating a master account list you can gain a degree of control.
The list enables you to restrict visibility of certain data to the relevant account managers, i.e. the ones who work on that particular account.
This means nobody outside the account team can access that sensitive information, even right at the top of the hierarchy.
Nobody sees anything they’re not supposed to see, which is important because internal leaks can be just as damaging as external ones.
Follow what your users are doing
Next up was Christian, and he started by reiterating something that all of us in the security space now know:
“There are two types of companies: those who have been hacked and those who don’t know they have.”
This means most organizations are approaching security the wrong way.
Instead of being concerned about securing a perimeter, you should be looking at what your users are doing – to really take the time to understand exactly how they use your system on a day-to-day basis.
Users will circumvent your system if you don’t allow them to easily do what they need to for their roles.
If you don’t provide an easy method of file sharing, for instance, your users may turn to Dropbox or something similar.
These informal additions to your system are effectively an open door to hackers and malicious individuals.
For this reason you need to understand the needs of your users. Only by doing this can you prevent them from seeking their own unauthorised route.
On top of this Christian argued that we need a fundamental shift in understanding what we’re trying to protect.
That shift, he argued, should be towards UEBA: user and entity behavioural analytics.
UEBA essentially helps you gain a comprehensive understanding of ‘normal’ user behaviour, i.e. person X logs in from a certain location, they use a particular application and they generally work between these particular times.
If the system then detects ‘abnormal’ behaviour – person X logs on in a different continent, for example – it will flag the abnormality and you can deal with it accordingly.
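The baseline-and-flag idea described above, sketched as an added example that is not part of the original article or of any vendor's product. The event fields, the user name `person_x`, the application names and the one-hour slack are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): user, ISO timestamp, country, application
HISTORY = [
    ("person_x", "2017-11-06T09:02:00", "DE", "crm"),
    ("person_x", "2017-11-06T13:40:00", "DE", "mail"),
    ("person_x", "2017-11-07T08:55:00", "DE", "crm"),
    ("person_x", "2017-11-07T17:10:00", "DE", "mail"),
    ("person_x", "2017-11-08T10:15:00", "DE", "crm"),
]

def build_baseline(events):
    """Learn each user's usual countries, applications and working-hour window."""
    profile = defaultdict(lambda: {"countries": set(), "apps": set(), "hours": []})
    for user, ts, country, app in events:
        p = profile[user]
        p["countries"].add(country)
        p["apps"].add(app)
        p["hours"].append(datetime.fromisoformat(ts).hour)
    return {u: {"countries": p["countries"], "apps": p["apps"],
                "window": (min(p["hours"]), max(p["hours"]))}
            for u, p in profile.items()}

def score_event(baseline, event, slack_hours=1):
    """Return the list of reasons an event deviates from the user's baseline."""
    user, ts, country, app = event
    p = baseline.get(user)
    if p is None:
        return ["no baseline for user"]  # unknown entity: flag it, never pass silently
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"new location {country}")
    if app not in p["apps"]:
        reasons.append(f"new application {app}")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = p["window"]
    if not (lo - slack_hours <= hour <= hi + slack_hours):
        reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
    return reasons

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in [("person_x", "2017-11-09T09:30:00", "DE", "crm"),
               ("person_x", "2017-11-09T03:12:00", "SG", "hr_payroll")]:
        print(ev, "->", score_event(baseline, ev) or "normal")
```

Returning the reasons rather than a bare true/false gives the analyst who picks up the flag the context needed to triage it.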
The beauty of this approach, Christian said, is that you can use it to boost productivity, too.
By gaining a better understanding of your employees in this way, you can begin to deliver a contextual workplace that offers a much better end-user experience.
Co-creation is coming, so get ready
The theme of this year’s Forum was co-creation.
This was extremely relevant to our session because co-creation will present one of the biggest security challenges of the next few decades.
In future, organizations will need to collaborate effectively and securely.
This is a difficult ask. Sharing data between two separate businesses is complicated – you have to ensure there is no vulnerability and that nothing falls between the cracks.
But the increasing importance of co-creation is inevitable.
So we need to start preparing ourselves now by putting all the right safeguards in place.
One way of doing this may involve co-creation itself, i.e. working with others to develop best security practices.
However we manage it, we need to ensure we get there by the time this approach becomes mainstream.
It’s impossible to guarantee your business security 100%.
Unfortunately, there are malicious actors out there who will always be trying to overcome the defences you put in place.
But, with an intelligent and forward-thinking approach – the kind of approach outlined by our experts above – you can ensure that you avoid making silly mistakes that make life easy for a hacker.
If you can make sure that you don’t trip yourself up, your chances of staying secure increase a hundredfold.
In three easy steps, you can keep yourself from becoming a headline.