The digital fortress
Formerly, a company’s IT infrastructure was contained within its own four walls. Employees used hardware such as PCs, printers and phones which remained securely in the office, while software programmes and data were stored in on-premises data centres. IT had full control over the performance, maintenance and security of the organisation’s technology stack. Early remote working initiatives were tightly controlled with users connecting to Virtual Private Networks (VPN), so that the only things that left the data centre were the employee and the limited hardware. Over the VPN, the IT department could maintain visibility of security protocols and retain administrator rights to ensure employees were not installing unapproved, potentially high-risk software.
Along came the cloud, which allowed organisations to scale up their data storage capacity as well as their ability to back up files to remote locations. However, with the cloud came greater agility and choice for employees. Shadow IT, the phenomenon of employees using applications of their own choosing to store and access company data outside the data centre’s four walls – on personal devices and online accounts – became a challenge to IT departments. Fast-forward to 2020, when at some stages nearly half of Europe has been working remotely, and the four walls of the data centre have fallen as far as many businesses are concerned. Some organisations found themselves supporting remote workers for the first time – many with employees who would not be working from company-issued laptops and smartphones. A report from OneLogin, which surveyed 5,000 global workers from the UK, the US, Germany, France and Ireland, found that only 33% of employers in the UK enforce multi-factor authentication for employees who are working remotely.
From a cyber-security perspective, this is a critical risk. Previously, the data centre was analogous to a fortress. Everything that went in or out was strictly monitored and the threat from external sources was low. This is why one of the most well-known forms of cyber-attack is a Trojan virus – one that tricks the victim into thinking they are receiving or opening a legitimate file, document or link – effectively inviting in the attacker. Now, not only have the gates of the digital fortress been flung wide open, the people who used to be inside are now distributed. And every single one represents a possible entry point for a malicious threat. The attack surface hasn’t just increased, it’s exploded.
Increased attack surface
IT departments often have little to no visibility of whether or not employees are connecting to the VPN, particularly when employees are using personal devices. Furthermore, personal devices aren’t just being used outside the data centre’s four walls, but in family home environments and shared households. Not only do IT teams have far less control over the apps, websites and content their employees are engaging with, there is no guarantee that the employee is the only person using that device. While the organisation might not have visibility of data now being stored and used outside the four walls, it is still ultimately responsible for it.
Given this vastly increased attack surface and risk to data systems, organisations must ensure they have a robust Cloud Data Management strategy in place to ensure data is backed up, protected and recoverable across all devices and applications. Employee best practices and training are vital to this – helping IT teams ensure that users are connected via the VPN and are storing company data in secure cloud environments, rather than on personal accounts or their own desktops. If data cannot be backed up it is not protected, and in the event of unplanned downtime or a cyber breach that data will be unrecoverable. Moreover, organisations are adopting Software as a Service (SaaS) solutions in their droves. For example, Microsoft Teams grew from 32 million to 72 million users between March 2019 and April 2020. For businesses using SaaS solutions such as Microsoft Teams and Microsoft Office 365, backups of data need to be conducted on a continuous basis – either on premises or in cloud object storage. This will protect the business against a single point of failure that is outside their control.
As a combination of working from home and from offices becomes increasingly commonplace – even for organisations who previously had little-to-no track record of supporting remote working – the cyber-attack surface will remain large. It is therefore critical that businesses have a clear strategy for managing data across their cloud and data provisioning. This includes ensuring that data is backed up at all times, recoverable in the event of a disaster, outage or cyber-attack, and is as protected from external malicious threats as possible.