This has proved popular with employees, particularly in South Africa. A recent Boston Consulting Group study of 190 countries found that South Africa led the charge in terms of embracing fully remote work, with 44 percent of South Africans surveyed saying they want to work fully remotely compared to a global average of 24 percent.
But, while it may be popular with employees themselves, it has opened up a whole new world of considerations and risks for businesses: firstly, the very definition of an employee has shifted – they are not the only users who generate or need access to data, documents, databases and networks anymore. Now, this definition covers employees, partners, customers and even bots.
These users also no longer access the resources they need through corporate managed devices or on-premise apps and networks – instead, they often use their own devices and external connections to access what they need, which is increasingly stored in the cloud.
This explosion of users, Internet of Things (IoT) devices, apps and connections has, in turn, led to the proliferation of more sophisticated attack vectors from a greater number of bad actors. More and more, cybercriminals are able to access advanced tools to penetrate networks and systems in financially motivated attacks.
The sheer scale and volume are unparalleled: Microsoft alone analyses eight trillion threat signals daily, manages 630 billion monthly authentications, and scrutinises 470 billion emails. Overall, five billion threats are detected on devices every month.
Investing in a non-negotiable: security and skills
It is clear, then, that security is a non-negotiable for businesses today. Organisations need to invest in the most up-to-date tools and solutions to build layers of security that will protect the organisation’s data, apps, databases, networks and systems. More than that though, business leaders need to prioritise investing in skilling and training their people to keep pace with new types of attacks from multiple vectors.
In fact, skilling lies at the heart of security transformation. It emerged as one of the top priorities for South African business leaders in the recent IDC Cybersecurity survey commissioned by Microsoft, with 53 percent saying skilling to increase technical knowledge of cybersecurity is a critical need. There was also widespread recognition of the need to build a security culture in order to increase the understanding of security’s value to the business, as well as drive security awareness.
Essentially, the technical and cultural sides of security need to be evaluated equally, because businesses can have the most sophisticated technology and comprehensive processes in place to monitor, detect and respond to breaches – but if a person gives their password away or clicks on a phishing email, it becomes more difficult to protect the organisation.
Ultimately, it boils down to the fact that at the individual user level there is a person – and unless they have been trained to be security aware, they are capable of human error and are likely to remain the weakest link in the security chain. People, process and technology need to be in harmony.
Many organisations are investing in strengthening their employees’ cybersecurity knowledge, and offer theoretical and practical training by carrying out spoof attacks, such as sending out phishing emails, evaluating who clicks on the links and then providing more in-depth training to plug identified gaps.
Making the weakest link an organisation’s strongest protection
Depth of skilling is key – security is only as good as its weakest link, so it is vital to start at the micro-level. And that foundation is identity, because it remains the number one place where people are vulnerable.
The IDC Cybersecurity survey confirmed the importance of prioritising identity, showing that the ability to confirm users’ identities together with an additional layer of security emerged as the most important priority for 49 percent of South African business leaders in the next 6 to 18 months.
This means going back to the basics, which primarily requires securing and protecting a user’s identity through identity and access management to ensure that identity exploits are minimised. It also requires skilling and training to drive positive behaviour change – largely by adopting the principles of a Zero Trust model.
Zero Trust means trusting no individual or system, and needing to verify their identity – both in and outside the organisation – before enabling access to specific systems or networks. It is characterised by verifying identities explicitly, using least privilege to give people access only to what they need, for as long as they need it, and always assuming breach.
Businesses in South Africa and around the world that have invested in Zero Trust, and in training their people in its principles, have said it is critical to their business success. It will also remain the most important security priority for at least the next two years – and is an important tool in the shift to a hybrid workplace post-pandemic, with 54 percent recognising the importance of increased training and skilling of employees.
By skilling their employees in these principles, and other critical security training, businesses have the potential to turn security into an enabler of continued transformation so that they can keep up with the rapid pace of change and remain competitive. DM/BM
About Colin Erasmus, Modern Workplace and Security Business Group Lead at Microsoft South Africa
Colin Erasmus started his professional career as an entrepreneur in a start-up technology consultancy, and developed niche technologies that are still being used today in the electronic events registration industry.
He is one of a select few privacy-certified individuals in South Africa and assisted in drafting South Africa’s privacy legislation (POPI Bill). Colin has over 20 years of experience with Microsoft that has equipped him with strong business acumen and people management experience. He is an expert in Microsoft Modern Workplace solutions, which help customers improve employee productivity and satisfaction, and create seamless communication and collaboration across locations and platforms while maintaining the security and integrity of systems and data.