The forgotten security measures in Australia’s rush to the cloud
Flexible work arrangements are set to become one of the pandemic's standout legacies.
With the ability to complete their jobs in a variety of locations and across devices, Australia's employees have unlocked a raft of previously unconsidered conveniences.
This is particularly true for working parents, people with restricted mobility and those living outside traditional business districts.
But it's also created a new set of problems when it comes to keeping organisations secure.
When remote work was first mandated across Australia, enterprises responded by rushing to the cloud. The benefits afforded by cloud-enabled tools – namely scalable operations and the ability for staff to work and collaborate productively outside the office – have seen this acceleration continue.
Cloud spending by Australian enterprises is on track to exceed $3 billion by 2025.
But security measures have lagged behind this digital transformation and largely remain tethered to on-premises hardware. Gone are the days when apps, data and users were confined within fortified corporate perimeters. Unfortunately, the notion that an organisation's network can only be accessed by managed devices remains all too common.
This is not in keeping with the current work-from-anywhere reality. The hybrid work set-up means shadow IT is now the norm, with employees connecting to the workplace network with a range of 'unapproved' applications and devices.
For example, workers often switch between their mobile and laptop, use WhatsApp or Signal to connect informally with colleagues, and then revert back to Teams or Zoom for meetings – all while freely exchanging personal identifiable information (PII).
To say this has complicated security is an understatement. IT teams – who are already under-resourced due to an ongoing skills shortage – are increasingly struggling to maintain visibility over ever-growing perimeters.
Threats are not just theoretical
Since mobile devices are widely used for both work and personal reasons, a scammer could successfully target an employee through a personal application and end up gaining access to the entire corporate network.
It also can't be assumed that the bolted-on security tools in the virtual private networks (VPNs) many enterprises rolled out during the pandemic offer airtight security because they only run security checks at the time of access. This means any compromises that occur when users' risk levels and endpoints change – which is frequent – pass by unchecked.
This is not just theoretical. Over the past year, there's been a 51% increase in scams reported by Australian mobile users and a 67% increase in losses resulting from these scams.
Further proof these attacks are succeeding appears in the latest Annual Cyber Threat Report from the Australian Cyber Security Centre (ACSC), which found business email compromise (BEC) is now one of the top cybercrime categories, with the average loss per successful event totalling AUD $50,600.
Streamlined security in the cloud
As the public internet replaces the corporate network, security needs to follow other organisational processes and move towards a granular, cloud-delivered approach. This should be streamlined, requiring minimal grunt work from under-resourced IT teams, and multifunctional, with tools working together to combat the growing range of threats across an expanding surface area.
The first step is to understand all the apps staff use while connected to the network to better assess risk levels. As well as the apps themselves, organisations need to continually monitor the fluctuating risk levels of endpoint users and the sensitivity of the data they're accessing and modify permissions accordingly.
When data is classified as important (for instance, sensitive payroll information), proactive encryption technologies require keys from trusted parties to unlock the data before it can be accessed or sent. This prevents unintentional data leaks and requires minimal intervention.
Historically, organisations had siloed teams for information security, network security and endpoint security, making it difficult to produce a combined security vision. This is not to mention other organisational departments, such as sales, marketing, and finance, that play a significant part in an organisation's security posture but often have their own priorities.
With these departments no longer needing to go through IT to subscribe to cloud services, it's possible an employee could inadvertently upload the organisation's customer database to a malicious app without the traditional checks and balances.
It's crucial every employee within an organisation is aligned on a consistent security roadmap and that the right tools are in place as a safety net for human error.
Work-from-anywhere is here to stay, and as scams against organisations and individuals continue to rise, business leaders must adapt to the cloud-enabled environment to protect their staff, customers, and assets against potential threats.
The apps and devices employees use for work and leisure will continue to cross, complicating the risk environment and increasing the attack surface for organisations. With a streamlined, cloud-based approach to security, leaders will not only widen their net of protection but account for any threats that may emerge in the future.