Hybrid work and security: embracing a whole new system

Any company is a complex system, and when you change the operating model of that system, new problems emerge. We’re facing a whole new security risk model.

If you want a great example of a system that benefits from a bit of inherent flexibility, it’s worth thinking about security. Most businesses have assets they want to protect. Sometimes they’re physical — equipment or plants — and sometimes they’re intellectual, which often means digital these days.

In a physical sense, security is (relatively) straightforward. You control entry and exit points with human or electronic security. You make sure only people with a business need to access things can do so. And then, as digital security became more important, we extended that model to digital devices and goods. We put enhanced security on devices, and forced people to access critical systems through encrypted virtual private networks.

The pandemic and the concurrent rise of hybrid working models changed all of that. Knowledge work transformed almost overnight, and we had most workers routinely communicating business confidential information across the public internet. Devices are no longer within the building — they’re in people’s homes. Or in coffee shops. Or in pubs. Remember, hybrid working is not a synonym for home working: it’s working where you want to work.

The security community has been scrambling to catch up. System changes always have unexpected consequences.

Security is both a risk and an opportunity

For example, many of the information regulators have been lenient with companies over data vulnerabilities during the pandemic. But with restrictions largely gone, and hybrid working still very much with us, that will change. As IT Governance reported:

“Now that restrictions are lifting, however, they will be less lenient, so it is essential to put the necessary security measures in place if you are making hybrid working permanent.”

As well as meeting legal requirements on data security, companies need to assess their points of vulnerability. And then they must seek solutions. Plenty of vendors are providing good advice. And, of course, their solutions are part of it. Good for them. We’d all do well to remember that where there’s a systematic change, there’s opportunity for smart companies:

That’s why, according to Gartner, worldwide spending on information security and risk management technology and services was predicted to grow 12.4 per cent in 2021 to $150.4 billion.

There’s gold in them there risks…

The two-speed approach to security

Accenture, NEXT’s parent company, advocates two approaches, depending on your appetite for risk and ability to handle rapid change:

  • A direct approach, where you move to a primary cloud provider and incrementally add security as needed
  • A scenic route, where you adopt a hybrid model of cloud providers and security approaches

The former gives you maximum security NOW. The latter allows you to build a more flexible, sustainable approach to changing digital dynamics. The defining part of the choice is how much of a business risk a leak from your company actually is.

The human is the weak link in the system

Of course, not all risks can be handled, and the human is always the weakest point in the chain. Back in my journalism days, I once got a lead on a major real estate development story by overhearing people discussing their plans for the scheme on a train. They were sat just behind me, and chatting loudly with no thought as to who could be listening, least of all a commercial real estate journalist.

Such risks can be minimised by training, and a good culture of ensuring that sensitive discussions only happen in private. But no system is perfect. And risks will always remain.

You need to make choices about what risks are acceptable — and which measures go too far. Very few businesses could justify searching every employee as they leave the building to ensure they weren’t sneaking out confidential information. It was, quite rightly, seen as too intrusive. It was a disproportionate response. Likewise, it’s likely that “bossware” computer activity monitoring software will be seen by most people as equally intrusive and inappropriate.

The security inherent in flexibility

If all of this is making you sweat, here’s something else to consider: there are good reasons for people to be back in the office now. Europe has just been through one heatwave, and another is threatened at the time of publication. While many homes don’t have air-conditioning, many offices do. And, thanks to energy supply issues, many of us are facing a winter where fuel might not be available — or might be cripplingly expensive. All of a sudden, doesn’t the heated and air-conditioned office sound a much more attractive place to spend a chunk of your time?

After two years of pressure pushing us away from the office, the direction of travel might be reversing.

All systems are not created equal. When you build a work model — or a security model — based around the idea that everyone must always be in the office, there’s an inherent lack of flexibility, which means you can’t easily adapt to changes in the system. But if you adopt hybrid working models, and security to match, you build a system with inherent flexibility, which allows you to adapt as the situation changes.

And, even if you don’t give a hoot about security, that’s a lesson worth taking into any part of your work.