Sponsored
Businesses who have invested in Zero Trust, and in training their people in its principles, have said it is critical to their success. Picture: SUPPLIED/MICROSOFT

The modern workplace looks nothing like it used to. The traditional office environment with defined working hours has been replaced with remote or hybrid workplaces with greater flexibility. In this new reality, people can connect from anywhere, at any time, and on any device. 

This has proved popular with employees, particularly in SA. A recent Boston Consulting Group study of 190 countries found SA led the charge of embracing fully remote work, with 44% surveyed saying they want to work fully remotely compared with a global average of 24%.

But while it may be popular with employees, it has opened up a whole new world of considerations and risks for businesses. The definition of a user has shifted: employees are no longer the only users who generate or need access to data, documents, databases and networks. Now, this definition covers employees, partners, customers and even bots.

These users also no longer access the resources they need through corporate-managed devices or on-premise apps and networks — instead, they often use their own devices and external connections to access what they need, which is stored in the cloud.

This explosion of users, internet of things devices, apps and connections has led to the proliferation of more sophisticated attack vectors from a greater number of bad actors. More cybercriminals can access advanced tools to infiltrate networks and systems in financially motivated attacks. 

The sheer scale and volume is unparalleled: Microsoft alone analyses 8-trillion threat signals daily, manages 630-billion monthly authentications and scrutinises 470-billion emails. Overall, 5-billion threats are detected on devices every month.    

Investing in a non-negotiable: security and skills

It’s clear security is a non-negotiable for businesses. Organisations need to invest in the most up-to-date tools and solutions to build layers of security that will protect the organisation’s data, apps, databases, networks and systems. Business leaders also need to prioritise investing in skilling and training their people to keep pace with new types of attacks from multiple vectors.

Skilling lies at the heart of security transformation. It emerged as one of the top priorities for SA business leaders in the recent IDC Cybersecurity survey commissioned by Microsoft, with 53% saying skilling to increase technical knowledge of cybersecurity is a critical need. There was also widespread recognition of the need to build a security culture to increase the understanding of security’s value to the business, as well as drive security awareness.

The technical and cultural side of security needs to be evaluated equally because businesses can have the most sophisticated technology and comprehensive processes in place to monitor, detect and respond to breaches — but if a person gives their password away or clicks on a phishing email, it becomes more difficult to protect the organisation.  

Ultimately, at the individual user level there is a person, and unless they have been trained to be security conscious, they are capable of human error and are likely to remain the weakest link in the security chain. People, process and technology need to be in harmony.

Many organisations are investing in strengthening their employees’ cybersecurity knowledge, and offer theoretical and practical training by carrying out spoof attacks, such as sending out phishing emails, evaluating who clicks on the links, and then providing more in-depth training to plug identified gaps.   

Making the weakest link an organisation’s strongest protection

Depth of skilling is vital — security is only as good as its weakest link, so it’s vital to start at the micro level. And that foundation is identity, because it remains the number one place where people are vulnerable. 

The IDC Cybersecurity survey confirmed the importance of prioritising identity, showing that the ability to confirm users’ identities, together with an additional layer of security, emerged as the most important priority for 49% of SA business leaders in the next six to 18 months. 

This means going back to the basics, which primarily requires securing and protecting a user’s identity through identity and access management to ensure identity exploits are minimised. It also requires skilling and training to drive positive behaviour change — largely by adopting the principles of a Zero Trust model.

Zero Trust means trusting no person or system, and verifying their identity, whether they are inside or outside the organisation, before enabling access to specific systems or networks. It’s characterised by verifying identities explicitly, using least privilege to give people access only to what they need, for as long as they need it, and always assuming breach.

Businesses who have invested in Zero Trust, and in training their people in its principles, have said it’s critical to their success. It will also remain the most important security priority for at least the next two years in the shift to a hybrid workplace post-pandemic, with 54% recognising the importance of increased training and skilling of employees.

By skilling their employees in these principles, and other critical security training, businesses can turn security into an enabler of continued transformation to keep up with the rapid pace of change and remain competitive. 

This article was paid for by Microsoft.
