Connect with us


Security culture and resilience – not technology – will make ‘hybrid working’ a success

Security culture and resilience – not technology – will make ‘hybrid working’ a success

By Jon Fielding, managing director EMEA, Apricorn

As people start migrating back to the office, organisations must facilitate yet another major shift in working practices, sustaining productivity and business continuity while keeping critical data and systems protected. Many employees are likely to combine remote and site-based working for some time, even adopting this ‘hybrid’ approach as a permanent model.

Remote workers continue to pose a major threat to data security, according to Apricorn’s latest survey of UK IT leaders, with more than half predicting they will expose their organisation to the risk of a data breach. Over a third admit their remote workers have already knowingly put corporate data at risk in the last year. As the line between home and office becomes blurred, and employees access networks and systems from a mix of devices and locations, organisations will be exposed to more risk.

Putting the right technology solutions in place to enable new efficient and flexible working models, while ensuring the business remains compliant with regulations, is of course essential. However, those that become too fixated on the tools will leave themselves vulnerable to data breaches unless they also pay attention to two key principles: building a culture of individual responsibility, and strengthening their cyber resilience.

Building engagement and accountability

For hybrid working to be successful, all employees must follow information security best practice, and comply with regulations such as GDPR. It will be up to each and every employee to safeguard the company’s security posture by protecting data and being vigilant about threats.

There’s currently a question mark over whether they’re ready to take on this responsibility. More than a quarter of the organisations surveyed by Apricorn believe their remote workers simply “don’t care” about security, which indicates an alarming lack of engagement.

Companies in the finance sector must urgently improve awareness of the specific security risks the business faces, and build knowledge of how to control them. This should involve delivering cybersecurity awareness education, alongside ongoing training – and programmes should include freelancers and other third-party contractors. The approach will need to be rethought, perhaps combining interactive video sessions with short and frequent on-demand ‘bursts’ that keep knowledge fresh.

It’s important that education programmes cover basic security hygiene; many security breaches are down to something as simple as choosing a weak password or clicking on a link from an untrusted source. Employees should be clearly and directly briefed on the company’s security policies, as well as the regulations the organisation is required to adhere to. They also need to be trained in which tools, devices and technologies they’re permitted to use to do their work, and how to implement them safely.

This practical stuff is vital – but to build a culture of cybersecurity best practice deeper employee engagement is required. Education programmes must therefore explain the ‘why’, as well as the ‘what’ and ‘how’: the reasons data protection is important, and the specific risks and consequences to the business of a breach. This context will help to increase accountability and ownership.

Strengthening cyber resilience

We’re all now acutely aware that no organisation is immune to effects of a crisis – whether it’s a pandemic or a data breach. Strengthening cyber resilience is all about being better positioned to prepare for, respond to and recover quickly following an incident. It’s important that organisations shift their focus away from trying to achieve ‘complete security’ to ensuring they have all their ducks in the row if something should occur.

Hybrid working will expand the threat surface, as staff access networks, systems and databases from multiple locations, using a mix of business and personal devices. Organisations are increasingly turning towards the company-wide encryption of data as a straightforward way of managing risk in this complex new working environment.

Encryption is specifically recommended by Article 32 of GDPR as a method to protect personal data, while Article 34 removes the obligation for companies that experience a data breach to inform each individual affected if encryption has been applied. Article 83 suggests that fines will be moderated if a company can show it has been responsible and mitigated damage suffered by data subjects. In short, encryption will give organisations the ability to demonstrate transparency and due diligence.

By providing employees with removable USBs and hard drives that automatically encrypt all data written to them, companies can give everyone the capability to securely store data offline, and move it between office and home safely. The data will be intelligible to anyone not authorised to access it, so whatever happens around the device the information on it will be secure. These devices can also be used to back up data locally, mitigating the risk of targeting in the cloud, and helping the business to get up and running again fast following a breach or other disruptive event.

We expect cyber-attacks will continue to rise through 2021, as hackers take advantage of people once again getting to grips with a new way of working – in particular ransomware, malware and phishing. Building a culture of security awareness and individual accountability, and combining this with improved resilience, will put organisations in the banking and finance sector in the strongest position to weather whatever storms are coming their way.

Editorial & Advertiser disclosure
Our website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.
Global Banking and Finance Review Awards Nominations 2021
2021 Awards now open. Click Here to Nominate


Newsletters with Secrets & Analysis. Subscribe Now