Organizations have come to accept that hybrid and remote work teams are here to stay. However, as connectivity and network infrastructure continue to grow, so does the threat landscape. Work location flexibility offers many solutions for global enterprises, but it also creates more security risks.
In this archived keynote session, Cassandra Mack, head of security and GRC at Spekit, and Dharmendra Mohan, co-founder and CEO of Sonet.io, explain how evolving security threats affect ever-expanding remote environments. The keynote opened the “10 Security Threats to Your Remote Workforce” live webinar, presented by ITPro Today and sponsored by Sonet.io, on Sept. 13, 2023.
The transcript of the video follows below. Minor edits have been made for clarity.
Cassandra Mack: I think it's safe to say that remote work is not going anywhere. We hear a lot about return-to-work mandates, but the proof is out there that companies are moving even more daily operations out of their buildings, reducing costs, and realizing the value of at least having a hybrid workforce.
If you look back to COVID, IT and security teams were forced to quickly shift and figure out how to go remote. We propelled ourselves forward faster than ever, but we took a lot of shortcuts to get there. Remember Googling, ‘How do we get 650,000 users remote in a short period of time with devices’? We couldn't even order devices then, so it was a huge task we completed. Now we need to take a step back and figure out how we make sure it's right.
How do we get the right size for where we're going? How do we make sure that we have the right tools – not just what we could get cobbled together – to make a solution? Go ahead.
Dharmendra Mohan: Absolutely. With this return-to-work mandate, I don't think that there is one size that fits all. I think different companies and different verticals will behave differently. Some companies are going fully remote, some are fully in-office, while the rest of them are somewhere in between. Ultimately, we need to hire folks with the right skills at the right time. So, we need to cater to everybody, whether they are remote, completely in the office, or hybrid. We need to build the sorts of tools that can cater to all kinds of employees or contractors out there.
CM: That's a good point because the drag on our IT helpdesk and IT teams is felt more than ever. In fact, turnover rates are trending up towards 47% in IT teams because of that excessive workload and the extra strain. So, we need to talk about how we do that. We have quite a few changes coming down through the government that will impact big companies. The SEC is now requiring boards to be more responsible for cybersecurity as well as public companies. That will trickle down to the rest of us, who are not required at that level but are also part of the food chain for those bigger companies.
DM: Right. With the generational and technological shift, all remote workers or users are essentially used to having newer tools in their personal lives. And I think they expect that sort of experience, even with the enterprise tools. Many companies are banning ChatGPT, but there are many use case advantages. We need to build tools that can be used seamlessly from any browser and any device but also be able to protect data.
So, if people are putting company secrets into ChatGPT or sourcing fake data from it and putting it into the applications, we must provide checks and balances. We need to provide these tools that make users productive, but at the same time, have the checks and balances for them to be able to take advantage of all the modern tools.
CM: Yes, that's a key callout, because right now, as a security person, I have almost zero visibility unless I buy an expensive tool for data loss. Even observability, I don't have that. There are big companies that don't want to prioritize that. In their spending, they're considering the other important security tools that need to be put in place. Being able to get that without spending a ton of money is important, so I always tell this story.
Every IT and security person I've met in the last 25 years has a great story about some user. We used to advise checking to see if your computer is plugged in before you call the helpdesk, but it gets even crazier, right? The more you get into IT, the more you realize that users have a lot of access, and they touch many things. And we have tons of users, right? It could be executives, employees, contractors, or your customer base. They tend to do a lot of stupid things that cause us extra work. It's becoming a lot more unpredictable and complicated to manage that while being accountable for the actions that protect our networks.
DM: User error is the biggest cause of security breaches. There is no malintent, but they are just busy and end up committing an error. Our tools need to have built-in guardrails, both for users as well as for IT. If users are downloading sensitive content, it may not be their intention, but if a tool blocks it automatically, then they are good to go. ‘Okay, fine, I don't need to download.’ So, it becomes training for them, as well. Also, from an IT perspective, they need to know how a new user that they've onboarded is behaving.