The CFO Roadmap to Cyber Resilience

Sponsored by

Providing protection from the ground up

With reactive approaches to cyberthreats proving futile in preventing data breaches, companies are embedding design principles into the core of their systems and processes to give them the protection they require

Digital transformation and connectivity have provided unprecedented opportunities for businesses and revolutionised industries as a result. But this has come at a price as organisations have now been opened up to a growing array of cyberthreats.

Companies are under near-constant attack and a traditionally reactive, sticking-plaster approach to dealing with the online assault has proved ineffective, making cybersecurity by design a growing and crucial feature of any organisational structure.

Introduction of the General Data Protection Regulation in 2018 has forced organisations to take a more proactive approach to cybersecurity. Previously, strict obligations to protect customer data were largely confined to heavily regulated sectors such as insurance and banking. Now, facing hefty fines for non-compliance, companies in all industries are prioritising investment in cybersecurity.

However, there is still a long way to go. Most small companies are unable to hire security specialists because of the added cost and enterprise-level businesses are often hindered by legacy systems. The result is many organisations are unprepared for current cybersecurity threats and unable to take a proactive approach to protecting their business.

Cybersecurity-by-design frameworks advocate embedding a proactive stance against threats into business processes. The security team is involved in all development processes and uses its expertise to review and advise on cybersecurity best practice before anything is rolled out. Building a security-savvy design process into all product development and implementation protects an organisation from the inside out.

“Security teams need to think of the worst possible situation and then work backwards to implement a cybersecurity-by-design process and measures that will either stop threats or reduce the damage,” says Dominik Malowiecki, chief information security officer (CISO) at smart home insurance provider Neos.

“Teams need to approach this from the perspective of an outsider and check all possible entries to customer data. Cybersecurity should always be an ongoing process.”

Introducing a cybersecurity-by-design framework means security becomes a proactive, end-to-end strategy that spans the entire organisation and its supply chain. Solutions are always tailored to the business, rather than a one-size-fits-all model.

Cybersecurity is a fundamental business practice that affects people, processes and technology, and a core principle of implementing design processes is integrating security at the beginning of the product development life cycle rather than just as a feature of a product. This enables organisations to model and fortify the ongoing cybersecurity posture and build resilience against threats and risks that are also continually evolving.

“This is an approach that should be adopted by all,” says Inga Schorno, head of information security at Tandem Bank. “As a bank built on open banking, we are a data-driven business and understand the benefits of efficiency and productivity, but acknowledge this must be balanced by identifying digital risks. It is only through an organisation-wide security culture and early involvement that those risks can be successfully identified and mitigated.

“Incorporating cybersecurity-by-design principles will help to adapt to the changing threat landscape by involving information security and risk teams at early stages of development. Failing to see it that way can leave you vulnerable to unexpected threats with a rigid framework unsuitable for fast response. Organisations must cultivate a wider cyber-resilient culture with ongoing training and adoption of the security framework.”

It is crucial that senior management are involved in the cybersecurity design process. This typically begins with due diligence whereby each company’s CISO or chief information officer is involved in agreeing the protection, access and permitted sharing of data. People are often the weakest link in security so it is important to ensure all employees are well trained on aspects such as cybersecurity best practice. System designers and developers should also be involved at the very least in the planning and implementing stages.

Before adopting any system, design principles require the business to identify what the system is for, what is needed to operate it and what risks are acceptable, while ensuring there is no ambiguity about responsibilities. Organisations must make any compromise difficult by reducing the attack surface, designing for easy maintenance and making it easy for users to do the right thing. They should make disruption difficult by designing for scalability, identifying bottlenecks and testing for high load and denial-of-service conditions.

“Any compromises should be easier to detect through collecting all relevant security events and logs, making it difficult for attackers to detect security rules through external testing,” says Kevin Curran, senior member of the IEEE (Institute of Electrical and Electronics Engineers) and professor of cybersecurity at Ulster University. “Organisations should also remove unnecessary functionality, especially where unauthorised use would be damaging, anonymising data when it’s exported to reporting tools and avoiding unnecessary caches of data.”

As a company that specialises in digital due diligence, security is very important to Neotas and its clients. As such, a decision was made early on to keep everything in-house with a heavy emphasis on data encryption, Microsoft SharePoint and information resources management.

A cybersecurity-by-design framework has been key to achieving this. Neotas shares thousands of links across its SharePoint structures and applies many restrictions to its document libraries, so it needs a security approach that can respond quickly, with the ability to see who has access to what and why.

As part of ISO 27001 accreditation, Neotas needed a robust system to complement its cybersecurity-by-design framework and help mitigate risks. A system from Torsion provides peace of mind by enabling quick changes throughout its architecture and solving the problem of limited control or visibility over data access, which often leads to security and compliance issues. 

“The reaction internally has been very positive,” says Patrick Reynolds, head of operations at Neotas. “Users are confident they are using a simple, secure information security system. We have seen bigger vendors with software that is bamboozling, but not as effective for what we require. It’s about finding a cybersecurity-by-design approach that works for your business.”

Introducing cybersecurity by design into an organisation provides a holistic set of pragmatic guidelines which can enable businesses to consider the full remit of protection. Companies that don’t put design processes in place to cope with the ever-present avalanche of cyberthreats will be more open to damaging vulnerabilities.

How to stop CISO burnout

High levels of stress, an industry skills crisis and heavy workloads are just some of the reasons why some cybersecurity leaders are feeling overwhelmed

An eye-popping 81 per cent of executives in a chief information security officer (CISO) role in the UK feel burnt out, with nearly two thirds thinking of either leaving their job or quitting the industry altogether, according to a report by Goldsmiths, University of London.

The number-one cited source of stress is the need to comply with regulations, such as the European Union’s General Data Protection Regulation, with two out of five respondents worried about being held responsible in the event of a security breach.

But there is also deep concern about everything from skills shortages and the size and complexity of IT environments to the ever-growing volume of threats.

So what is going on here? Are things really as bad as they would appear, with those in the CISO role on the verge of a mass walkout? Or are they simply being melodramatic and overreacting to the everyday pressure that comes with a high-level position?

For Amanda Finch, chief executive of the Chartered Institute of Information Security, neither scenario rings true. While she is sceptical that the levels of stress, burnout and disaffection are quite as bad as the figures suggest, she believes people are undoubtedly feeling stretched and require more support.

“The situation’s definitely not great,” says Finch. “Most CISOs are stressed and are working at very high levels, so if they’re not burnt out, they’re probably working towards it. There’s certainly a big problem there and this report is highlighting that.”

However, she adds that most CISOs are very committed to what they do, which means more than anything she views the findings as a “signal of their frustration and desire to be heard as it’s a very challenging role”.

Anthony Young, director of information security specialist Bridewell Consulting, agrees. While he believes most people in the CISO role are unlikely to switch career paths entirely, the frustration they experience does tend to lead to a “fairly high degree of churn” in the hope that life will be better elsewhere. It’s a scenario that can prove expensive in recruitment terms for their employers.

“The job of the CISO is extremely stressful, especially considering the cyberthreat landscape, the risk of attack and the increasing sophistication of cyberattackers,” he says. “However, the CISO’s job is made even more stressful by a lack of budget and support at board level.”

Both are imperative if security bosses are to be in a position to build the team they need around them and to implement an effective risk-based strategy supported by adequate tools and policies. But the problem is all too often organisations bring CISOs in to “appease regulators, shareholders and customers without granting them the necessary power of mandate and resources” to perform their role adequately, says Young.

This situation is also not helped by the cybersecurity industry’s skills crisis, coupled with a lack of desire, in some instances, to pay the high sums necessary to hire scarce expertise. While such skills gaps are undoubtedly worse in areas where specialist technical know-how is required, such as penetration testing or cloud security, the difficulties involved in finding experienced talent are across the board.

As a result, most CISOs have vacancies in their teams that they struggle to fill, which adds to the pressure of having to be constantly available while being held accountable for situations that are not always under their control.

Therefore, to try to address the issue and help those in a CISO role “get off the merry-go-round”, Finch recommends widening the potential talent pool beyond trained individuals, who can hit the ground running from day one.

Instead she suggests targeting people with transferable skills, who could benefit from cross-training. An example is reskilling individuals with analytical expertise, such as business analysts and project managers, as risk managers.

Another potent means of helping to reduce workloads and take the pressure off is for the board to sponsor, and invest in, security awareness training for the workforce as a whole to make it clear that everyone, not just the CISO, is responsible for organisational safety.

Azeem Aleem, vice president of consulting at NTT Security, explains: “It’s about everyone working with the CISO to protect the organisation. Otherwise, security controls are bypassed as people see them as a hindrance, and so they unwittingly make themselves and the organisation vulnerable.”

But just as vital is that senior executives and those in the CISO role find ways to communicate with each other more effectively. For members of the board, this involves explaining what they need to know and helping their CISOs to express security risks in more of a business and operational risk context, not least to understand the support they require.

For CISOs, on the other hand, it is less about discussing individual security breaches and more about clarifying how such incidents could affect the business, its ability to function and the bottom line. It is also important to explain how cybersecurity can act as a business enabler.

Haroon Malik, cybersecurity consultant and strategist, explains the rationale: “It’s about digital trust. If cybersecurity is intertwined with new product development, customer trust is heightened. Ten years ago, people didn’t care, but some companies won’t do business with you now if you can’t prove you’re taking security seriously.”

Once CISOs can carve out some space and move beyond their usual firefighting mode, it frees up their time to develop a more strategic, risk-based approach to activities, creating a virtuous circle.

As Aleem points out, even though there will never be such a thing as 100 per cent security, CISOs are currently made liable and accountable for securing everything in the organisation, which results in high levels of stress as they attempt to mitigate every risk.

But he concludes: “It’s much more effective to adopt a risk assessment approach. The idea is that if you can identify your crown jewels, you know what to protect and where to focus your budget. If you don’t, you just end up running around like a headless chicken and that's where burnout lies.”

Commercial feature

Culture triumphs in the race to deal with data privacy

As executives learn to distinguish between data security and privacy, they should build a culture that ensures sensitive information is controlled and handled appropriately

Data privacy has climbed the boardroom agenda in recent years as executives are increasingly alarmed by high-profile examples of companies that have suffered breaches, resulting in exposure of their customers’ sensitive, personally identifiable information.

The last ten years have seen enormous data growth. According to analyst firm IDC, the amount of data in the world more than doubled every two years throughout the decade to reach around 40 trillion gigabytes this year, and the rate of growth will continue to accelerate. During that time, the data organisations hold has become something they add to their balance sheets and leverage to support their overall valuation as a business.

The 2010s was also the decade many companies lost the trust of customers because of the way they handled, or mishandled, their sensitive data. Introduction of the General Data Protection Regulation (GDPR) prompted many people to recognise digital versions of themselves are for sale.

Yet while these issues certainly saw data privacy appear on the board’s radar, organisations still fail to distinguish between data privacy and data security. Companies have been discussing and purchasing solutions to deal with data security for many years now, but understanding the difference between security and data privacy could help them see why, despite their large investments, breaches continue to occur.

“When boards start to discuss what their data privacy programme is, the answer often comes back as data security,” says Kevin Coppins, president and chief executive at Spirion, which provides data discovery and classification tools to help companies protect sensitive personal data. “Understanding that you can have data security without data privacy is relatively new. Data privacy has to have a strong cultural element to it.

“If somebody breaks into your organisation and steals last week's lunch menu, nobody cares. If somebody breaks into your organisation and steals all your partners' and employees' data, suddenly it makes a headline. Although people have done a pretty decent job at data security, the pace at which external and internal bad actors can steal data has outpaced what you can do from a security standpoint.

“New regulations are now forcing organisations to recognise that some data is different and breaches occur because of the speed at which sensitive data replicates. It doesn't just live in a particular database; it lives in every nook and cranny of your organisation and is replicated across cloud servers as fast as the eye can blink. The threat surface has grown exponentially and there hasn't been the same focus on sensitive data components as there has been on building security around the perimeter.”

Approaching data privacy in the right way requires a culture shift driven from the very top of the business. Firstly, there must be a recognition that the true victim of a data breach is not the company; it’s the person whose records were stolen. Breaches can be personally devastating, so the anonymising of victims of data breaches is something that needs to end and the personalisation of breaches needs to begin.

Secondly, C-suite leaders need to shoulder not only the financial responsibility of any data breach, but also the resulting reputational damage and loss of customer trust. That trust, once lost, is very difficult to regain and, if customers are no longer granting access to their data, companies will soon lose their competitive edge. Reputational damage has a far longer-lasting effect than the financial cost of a breach.

“Getting an organisation to understand and personalise data privacy is the responsibility of the C-suite because that's who drives culture,” says Coppins. “It needs to be personal. It is the person in the office cube next to you and their kids whose information was stolen, and they will be impacted for the rest of their lives. It isn't just a process or a technology; it’s a culture of respecting this concept of privacy and understanding digital privacy is the same as personal privacy.

“At Spirion, data privacy is part of who we are, and until C-suite execs understand the value of reputation and trust, a culture of data privacy is not going to purvey through the organisation and they'll continue to treat any data as any data. A lot of responsibility lives there and it's much more important than setting out a policy or buying a few different vendor tools to say we care about privacy. A cultural shift must happen.”

Spirion’s technology enables organisations to discover and validate the location of personal information in their information ecosystem, and then classify and control it according to the data protection mandates they’re subject to, such as the CCPA (California Consumer Privacy Act), GDPR or even specific contracts. This enables companies to get the big picture of how data flows through the organisation, and gain real command and control over that data.

The company helps organisations meet the requirements of new data protection laws because creating a data inventory is fundamental to compliance; it is also central to any successful data protection programme. In terms of technical controls, data classification is the foundation on which other controls, such as data loss prevention and next-generation firewalls, enforce an organisation's data protection standards.
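
As an added example (illustrative code, not Spirion's software or anything from this page), the Python block below shows the discover-validate-classify loop described above running over a few constructed sample files: broad patterns find candidate personal data, a Luhn check and UK National Insurance number format rules discard look-alikes, and the most sensitive validated finding sets the document label that a data loss prevention rule or access control would act on. The file paths, sample contents and the three-tier label scheme are assumptions made for the example.

```python
"""Illustrative PII discovery and classification scanner (added example).

Not Spirion's software. Shows the step the text describes: find candidate
personal data with patterns, validate each hit to cut false positives, then
classify the document so downstream controls can act on a label.
"""
import re
from dataclasses import dataclass, field

# Candidate patterns. Each is deliberately broad; validation narrows them.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # 13-19 digits, optionally separated by spaces or hyphens
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D
    "uk_nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Prefixes HMRC never allocates; first/second letter restrictions likewise.
_NINO_BAD_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def nino_ok(value: str) -> bool:
    v = value.replace(" ", "")
    if v[0] in "DFIQUV" or v[1] in "DFIQUVO":
        return False
    return v[:2] not in _NINO_BAD_PREFIXES


def validate(kind: str, value: str) -> bool:
    if kind == "card_number":
        return luhn_ok(re.sub(r"[ -]", "", value))
    if kind == "uk_nino":
        return nino_ok(value)
    return True  # email: a syntactic match is enough for discovery


# Assumed label scheme: the most sensitive validated finding wins.
LABELS = {"card_number": "Restricted", "uk_nino": "Restricted", "email": "Internal"}
LABEL_RANK = {"Public": 0, "Internal": 1, "Restricted": 2}


@dataclass
class Finding:
    kind: str
    value: str
    offset: int


@dataclass
class Inventory:
    path: str
    findings: list = field(default_factory=list)
    label: str = "Public"


def scan_document(path: str, text: str) -> Inventory:
    inv = Inventory(path)
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if validate(kind, m.group(0)):
                inv.findings.append(Finding(kind, m.group(0), m.start()))
                if LABEL_RANK[LABELS[kind]] > LABEL_RANK[inv.label]:
                    inv.label = LABELS[kind]
    return inv


def scan_corpus(docs: dict) -> list:
    return [scan_document(p, t) for p, t in docs.items()]


# Constructed sample "files": the card number passes Luhn, the order ref does not.
SAMPLE_DOCS = {
    "hr/starters.txt": "New starter Jane: NI number AB 12 34 56 C, email jane@example.com",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111, order ref 1234 5678 9012 3456",
    "ops/lunch-menu.txt": "Monday: soup. Tuesday: pasta. Ask catering@example.com",
}

if __name__ == "__main__":
    for inv in scan_corpus(SAMPLE_DOCS):
        print(inv.path, inv.label, [(f.kind, f.value) for f in inv.findings])
```

The validation step is what makes the inventory usable: the 16-digit order reference in the refund file matches the card pattern but fails Luhn and is dropped, while the lunch menu is labelled only Internal because a departmental mailbox is the sole finding. Real deployments would add more validators (IBAN check digits, passport formats) and persist the inventory for the controls that consume it.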

“Despite the view that breaches are always a result of bad actors, much of the danger to personal data is simply from organisational insiders who mishandle data and expose it to the world,” says Scott Giordano, vice president and senior counsel, privacy and compliance, at Spirion.

“Data classification is hugely important, not only to identify sensitive data, but also to help companies build the right culture. Unless personal data protection is engrained in the culture, all the money in the world will not help. The old saying about culture eating strategy for breakfast couldn’t be more pertinent.”

For more information please visit spirion.com

Public privacy and protection

Consumers are increasingly concerned about how their personal information is used by organisations. But when it comes to their own cybersecurity, many still don't know how to protect themselves online

Cashing in on coronavirus in a WFH era

With the whole nation working from home, hackers are looking to exploit vulnerabilities in an attempt to steal valuable information

Think very carefully before clicking on a tempting link purporting to be from the World Health Organization (WHO), or similar, with positive information about the cure for COVID-19. Chances are it’ll be a hacker preying on your understandable anxiety about the coronavirus pandemic.

In haste to uncover the supposed good news you could inadvertently reveal personal and professional secrets. Indeed, in these strange times, when it comes to cybersecurity, it’s worth stopping and asking yourself: “WHO – can you trust?”

As millions of us scramble to make sense of this black swan event, and home-working becomes the new normal, criminals are seeking to capitalise on the widespread panic – and succeeding, alas. New coronavirus-themed phishing scams are leveraging fear, hooking vulnerable people and taking advantage of workplace disruption. 

Data from SentinelOne, an artificial intelligence-driven endpoint security platform, shows an upward trend in attempted attacks from February 23 to March 16, peaking at 145 threats per 1,000 endpoints compared with 30 to 37 at the start of that period.

“The most effective phishing attacks play on emotions and concerns, and that coupled with the thirst for urgent information around coronavirus makes these messages hard to resist,” says Luke Vile, a cybersecurity expert at PA Consulting. “Societally, we’ve never experienced this situation before, so all rules are off in terms of how people behave. While there is an intense urge to react to good news, it is risky.”

In the UK alone, victims lost over £800,000 to coronavirus scams in February, reports the National Fraud Intelligence Bureau. One unlucky person in particular was left £15,000 lighter after buying face masks that never arrived. Who would confidently guess at the March figure?

Banking trojans are masquerading as a WHO-developed mobile application that claims to help individuals recover, or as virtual private network (VPN) installers. And Check Point research shows some 4,000 COVID-19-related domains have been registered this year, many of them likely fronts for cybercrime.

“So-called ‘scareware’ will only ramp up as uncertainty rises and online searches increase as people seek information about the outbreak and solutions,” predicts Terry Greer-King, vice president of Europe, Middle East and Africa at California-headquartered cyber organisation SonicWall. “In 2019, malware and ransomware took a fall, 6 per cent and 9 per cent respectively. Now they are coming back because of the global health crisis.”

Proofpoint senior director Sherrod DeGrippo notes that cybercriminals have “sent waves of emails that have ranged from a dozen to over 200,000 at a time”, and the number of campaigns is “trending upwards”. She says: “The COVID-19 lures we’ve observed are truly social engineering at scale.

“They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments. Approximately 70 per cent of the emails Proofpoint’s threat team has uncovered deliver malware and a further 30 per cent aim to steal the victim’s credentials.”

Dave Waterson, chief executive of SentryBay, a UK-based company specialising in software to protect applications and endpoints, notes that COVID-19-infected bodily fluids are selling for just $1,000 (£850) on the Dark Web. He forecasts that cyberattacks will rise by “up to 40 per cent” during the coronavirus pandemic. 

As working from home becomes more predominant he warns: “It is down to organisations to ensure any endpoint that an employee is using is fully protected. And as the Absolute 2019 Global Endpoint Security Trend Report showed, 42 per cent of endpoints are unprotected at any given time.”

Worryingly, Apricorn research published last year found that one third of IT decision-makers admitted their organisations had suffered a data breach as a result of remote working. Further, 50 per cent were unable to guarantee that their data was adequately secured when being used by remote workers.

The surge in virtual conferencing and other collaboration tools could expose more vulnerabilities for hackers to exploit. “Companies quickly adopting consumer-grade video conferencing can make it easy for an attacker to pretend to be a member of staff,” points out Elliott Thompson, principal cybersecurity consultant at SureCloud. “The industry is going to have to be dynamic and responsive on this front – as we always try to be.”

What, then, can businesses and their workers do to shore up their cybersecurity? The government’s National Cyber Security Centre published a home-working guide earlier this week that offers tips for organisations introducing home-working as well as highlighting the telltale signs of phishing emails.

Robert Krug, the network security architect for antivirus software giant Avast, offers more evocative advice. “Computer viruses can spread just as easily as human viruses,” he says. “Just as you would avoid touching objects and surfaces that are not clean, so should you avoid opening emails from unknown parties or visiting untrusted websites. 

“In short, the same steps that one takes to ensure they don’t get sick should be translated into steps that keep devices and networks secure. You may use hand sanitiser to remove germs from your hands, and you should have an effective antivirus solution to keep germs off your computers and networks.” 

You have been warned. 

Expert cybersecurity tips for home-working

Embrace quick and inexpensive wins

“Enable multi-factor authentication wherever possible, adding another layer of security to any apps you use,” says Jeremy Hendy, head of Skurio. “Additionally, a password manager can help avoid risky behaviour such as saving or sharing credentials. Both types of products offer cost-effective solutions for organisations.”

Go private

Roy Reynolds, technical director at Vodat International, says: “Having a VPN solution, which sits on the PC, laptop, or mobile device and creates an encrypted network connection, should be encouraged. A VPN makes it safe for the worker to access IT resources within the organisation and elsewhere on the internet.”

Update cybersecurity for home-working 

“Does your current cybersecurity policy include remote working?” asks Zeki Turedi, technology strategist at CrowdStrike. “Ensure the policy is adequate as your organisation transitions to having more people outside the office. They need to include remote-working access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information.”

Only use work devices

“Communicate with colleagues using IT equipment provided by employers,” warns Luke Vile of PA Consulting. “There is often a range of software installed in the background of company IT that keeps people secure. If a security incident took place on an employee’s personal device, the organisation – and the employee – may not be fully protected.”

Tighten up network access

Daniel Milnes, an information lawyer at Forbes Solicitors, says: “Without the right security, personal devices used to access work networks can leave businesses vulnerable to hacking. If information is leaked or breached through a personal device, the company will be deemed liable.”

Five cyberthreats on the horizon

Cybersecurity is an ever-changing game requiring information security professionals to keep abreast of the evolving threat landscape. Here are five emerging risks to keep an eye on

Deepfakes

Deepfakes use artificial intelligence to splice existing video of a person with synthesised speech, so the person appears to say whatever the creator wants. These are likely to be used against banks, according to Tim Dunn, commercial director at ValidSoft. "As deepfake technology evolves, it will represent an advanced method of social engineering," he says. “The widespread use of web and app-based video channels will provide the opportunity for advanced deepfakes to fool both agents and AI bots alike." The best bet for future mitigation appears to be biometric detection of synthesised voices that can identify the fakes.

Counter-incident response

Staying inside the target network is key to a successful cyberattack: the longer attackers remain undetected, the more they can take out. Counter-incident response does what it says on the tin: it turns off antivirus, firewalls and anything else that might trigger detection. "The longer they have to achieve their goal, be that lateral movement, island hopping further up the supply chain or data collection, the better chance they have of success,” says Rick McElroy, head of security strategy at Carbon Black. Mitigation will have to include machine-learning-powered technology to filter the noise in incident reporting so security analysts can respond to the real events as quickly as possible.

Automated attack methodology

Just as security operations centres are starting to apply intelligent automated incident response filtering, so criminals are finding that automated attack methodology works well on their side of the security fence. "Automated, active attacks are escalating and causing massive damage to organisations that have been targeted," says Chester Wisniewski, principal research scientist at Sophos. They begin with automated mass reconnaissance scans and basic malware infections, with human involvement coming later to see what's been caught in the net. "These are essentially criminal penetration tests," Wisniewski warns. Mitigation? Keeping your cybersecurity emergency basics in place.

Big game hunting

Rather than adopting a scattergun approach of automated malware infection, big game hunters take their time to target key organisations for the best return. The weapon of choice is ransomware, delivered through well-tested, human-operated reconnaissance, delivery and lateral-movement tactics, techniques and procedures. "The wider e-crime network has been seen to be leveraging this approach more widely," explains Zeki Turedi, technology strategist at CrowdStrike. ”As a highly devastating yet effective tactic, we can only see this continuing." Mitigation requires proactive monitoring for indicators of attack, capturing all raw events so that malicious activity missed by traditional prevention methods can still be detected.
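
As an added example covering both the counter-incident response and big game hunting items above (illustrative code written for this page, not from Carbon Black, CrowdStrike or any other vendor quoted), the Python block below runs a handful of command-line rules over constructed process-creation events and escalates a host only when defence impairment is followed within 30 minutes by shadow-copy deletion or remote execution. That sequencing is what turns a noisy single-rule hit into an indicator of attack worth an analyst's time. The event format, host names, rule names and the 30-minute window are assumptions made for the example.

```python
"""Illustrative sequence-based detection over process-creation events.

Added example. The JSON-lines event format (host, ts, user, image, cmdline)
is constructed for this block and is not any product's telemetry schema.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: name, tactic, regex over the lower-cased command line.
RULES = [
    ("defender_realtime_off", "impair_defenses",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+(?:\$true|1)")),
    ("firewall_off", "impair_defenses",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off")),
    ("av_service_stop", "impair_defenses",
     re.compile(r"(?:sc|net)(?:\.exe)?\s+stop\s+windefend")),
    ("shadow_copies_deleted", "inhibit_recovery",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete")),
    ("recovery_disabled", "inhibit_recovery",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("remote_exec", "lateral_movement",
     re.compile(r"psexec|wmic\s+/node:")),
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_events(lines):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def match_rules(event):
    cmd = event["cmdline"].lower()
    return [(name, tactic) for name, tactic, rx in RULES if rx.search(cmd)]


def detect(lines):
    """Per-host alerts. A lone rule hit is 'low'; defence impairment followed
    inside WINDOW by recovery inhibition or lateral movement is 'high'."""
    hits = defaultdict(list)  # host -> [(ts, rule, tactic)] in time order
    for ev in parse_events(lines):
        for name, tactic in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], name, tactic))
    alerts = {}
    for host, seq in hits.items():
        impair_times = [ts for ts, _, t in seq if t == "impair_defenses"]
        severity = "low"
        for ts, _, tactic in seq:
            if tactic in ("inhibit_recovery", "lateral_movement") and any(
                    timedelta(0) <= ts - t0 <= WINDOW for t0 in impair_times):
                severity = "high"
        alerts[host] = {
            "severity": severity,
            "rules": [n for _, n, _ in seq],
            "tactics": sorted({t for _, _, t in seq}),
        }
    return alerts


# Constructed sample events: ws-17 shows the full chain, ws-42 a lone admin
# change, ws-09 benign activity.
SAMPLE_LOG = r"""
{"host": "ws-17", "ts": "2020-03-20T02:11:05", "user": "CORP\\svc-backup", "image": "powershell.exe", "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"}
{"host": "ws-17", "ts": "2020-03-20T02:11:40", "user": "CORP\\svc-backup", "image": "netsh.exe", "cmdline": "netsh advfirewall set allprofiles state off"}
{"host": "ws-17", "ts": "2020-03-20T02:19:12", "user": "CORP\\svc-backup", "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"host": "ws-17", "ts": "2020-03-20T02:20:01", "user": "CORP\\svc-backup", "image": "cmd.exe", "cmdline": "cmd /c psexec \\\\fs-01 -s cmd.exe"}
{"host": "ws-42", "ts": "2020-03-20T09:30:00", "user": "CORP\\itadmin", "image": "netsh.exe", "cmdline": "netsh advfirewall set domainprofile state off"}
{"host": "ws-09", "ts": "2020-03-20T10:00:00", "user": "CORP\\alice", "image": "excel.exe", "cmdline": "EXCEL.EXE /e budget.xlsx"}
"""

if __name__ == "__main__":
    for host, alert in detect(SAMPLE_LOG.splitlines()).items():
        print(host, alert["severity"], alert["rules"])
```

Requiring the impairment to come first, and within the window, is the design choice that keeps the firewall change on ws-42 at low severity while the same rule on ws-17 contributes to a high-severity indicator. The raw events are still kept for every host, which is the point made above: prevention may miss the individual steps, but the sequence is detectable if the telemetry was captured.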

Disinformation

Disinformation is the deliberate act of providing and spreading inaccurate information with the aim of manipulating perceptions and influencing decisions be they political or business in nature. "Lies are a fact of life," says Rodney Joffe, former cybersecurity adviser to the White House and currently senior vice president and fellow at Neustar. "But the Internet has enabled this to occur at scale with close to 100 per cent reach." Lack of jurisdiction and absence of physical validation makes it almost impossible to tell truth from lies. "The best we can do is continually develop methods of validation and authentication, and ensure this is part of every process, both commercially and personally,” Joffe concludes.

Data privacy in a time of COVID-19

Organisations all over the world have overnight been forced to adopt mass home working. But how can business leaders shore up their defences against cybercriminals?

Zoom has exploded in popularity since the start of the COVID-19 pandemic, skyrocketing from ten million daily meeting participants in December 2019 to more than 200 million in March 2020. Everyone is using the video-conferencing app; Boris Johnson even conducted his cabinet meetings via Zoom while he suffered from the virus.

However, the recent revelation that unidentified individuals are “Zoombombing” – hijacking meetings and spewing hateful language or sharing graphic images – calls into question whether, as organisations pivot to home working, data privacy is being handled with appropriate care.

How, then, do businesses and governments ensure data privacy measures are in place to prevent cyberattacks that will only accelerate given the added vulnerability of remote working?

Need for speed

Vast numbers of organisations around the globe have been forced to embrace mass home working, effectively overnight. Given the need for speed, it’s understandable data privacy policies are playing catch-up, though it is worrying that so many businesses had a standing start. 

“While remote working has become a bit of a cause célèbre for companies and human resources departments trying to win old staff and new, remote access software has been around for some time, and it’s a real old-school threat vector,” warns Duncan Godfrey, senior director of security and compliance at Auth0. “Hackers’ and pen testers’ eyes light up when they find an open remote desktop protocol, or RDP, because they know their job just got easier.

“For security professionals, though, it’s a headache for several reasons. Firstly, the software is typically very prone to vulnerabilities. It’s also straightforward to set up remote access for legitimate reasons or otherwise.

“One thing businesses rarely consider when setting up remote access for employees is the access providers have to their data. Not only with regards to the data they are sending over their networks, but they’ve also opened up a new route into their network: if the provider suffers a breach, they’re now at risk too.”
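The automated mass reconnaissance scans and human-driven lateral movement described in the earlier sections, and the exposed RDP that Godfrey warns about here, all leave traces in raw events if those events are captured. As an added example (not code from the page, nor from Sophos, CrowdStrike or Auth0), the Python below runs three sliding-window detections over a constructed key=value event log: a burst of distinct ports probed from one source, repeated failed logons against RDP, and one account authenticating to many different hosts in a short period. The log format, field names, addresses and thresholds are assumptions chosen for illustration; real telemetry would be mapped into the same shape by a parser for whatever sensor produced it.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed key=value event lines (illustrative data, not telemetry from any product).
    Fields assumed: ts (epoch seconds), event, src, dst, dport, user."""
    lines = []
    # 1) automated reconnaissance: one external source probes 40 ports on one host in 20 s
    for i in range(40):
        lines.append(f"ts={1000 + i // 2} event=conn src=203.0.113.7 dst=10.0.0.5 dport={1000 + i} user=-")
    # 2) password guessing against an exposed RDP service: 15 failures in under four minutes
    for i in range(15):
        lines.append(f"ts={2000 + i * 15} event=logon_fail src=198.51.100.9 dst=10.0.0.5 dport=3389 user=administrator")
    # 3) lateral movement: one account authenticates to eight different internal hosts
    for i in range(8):
        lines.append(f"ts={3000 + i * 60} event=logon_ok src=10.0.0.5 dst=10.0.1.{10 + i} dport=445 user=svc_backup")
    # benign background: a user on their own workstation, one file-server logon, one mistyped password
    lines.append("ts=3100 event=logon_ok src=10.0.2.20 dst=10.0.2.20 dport=445 user=alice")
    lines.append("ts=3200 event=logon_ok src=10.0.2.20 dst=10.0.1.10 dport=445 user=alice")
    lines.append("ts=3300 event=logon_fail src=10.0.2.20 dst=10.0.1.10 dport=3389 user=alice")
    return lines


def parse(lines):
    """Turn key=value lines into dicts, sorted by timestamp so windows can slide forward."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = int(fields["ts"])
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def find_bursts(events, group_by, distinct_by, threshold, window, keep=lambda e: True):
    """Generic detector: for each value of `group_by`, slide a `window`-second window over
    that group's events (after filtering with `keep`) and report the first window holding at
    least `threshold` distinct `distinct_by` values (or `threshold` events if distinct_by is
    None). Returns {group: (window_start_ts, count)}."""
    per_group = defaultdict(list)
    for e in events:
        if keep(e):
            per_group[e[group_by]].append(e)
    hits = {}
    for group, evs in per_group.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = evs[start:end + 1]
            count = len({x[distinct_by] for x in seen}) if distinct_by else len(seen)
            if count >= threshold:
                hits[group] = (evs[start]["ts"], count)
                break
    return hits


def detect_recon_scan(events, min_ports=20, window=60):
    """Automated reconnaissance: one source touching many distinct ports quickly."""
    return find_bursts(events, "src", "dport", min_ports, window,
                       keep=lambda e: e["event"] == "conn")


def detect_rdp_bruteforce(events, min_failures=10, window=300):
    """Password guessing against RDP (tcp/3389): many failed logons from one source."""
    return find_bursts(events, "src", None, min_failures, window,
                       keep=lambda e: e["event"] == "logon_fail" and e["dport"] == 3389)


def detect_lateral_movement(events, min_hosts=5, window=600):
    """Lateral movement: one account succeeding on many different hosts, excluding
    logons to the host the user is already sitting at."""
    return find_bursts(events, "user", "dst", min_hosts, window,
                       keep=lambda e: e["event"] == "logon_ok" and e["src"] != e["dst"])


def run_all(lines):
    events = parse(lines)
    return {
        "recon_scan": detect_recon_scan(events),
        "rdp_bruteforce": detect_rdp_bruteforce(events),
        "lateral_movement": detect_lateral_movement(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(build_sample_log()).items():
        for key, (first_ts, count) in hits.items():
            print(f"{name}: {key} from ts={first_ts} ({count} within window)")
```

The thresholds are deliberately conservative so that a single mistyped password or a normal logon to a file server (the `alice` lines) does not fire; tuning them against a week of real logs is the first job when deploying anything like this.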

Battling a perfect storm

Andrew Jackson, chief executive of Birmingham-based communications and technology company Intercity Technology, says it is a “perfect storm” that businesses face as cybercriminals take advantage of the dramatic switch to home working. “The sudden and unexpected requirement for many employees to work from home creates a huge, vulnerable base of people accessing sensitive business applications and data, often using consumer-grade devices,” he says. 

“This comes at a time when malicious hackers have exponentially increased their activity on the back of COVID-19-driven uncertainty. In the last week alone, we have seen phishing emails go from 25,000 a day to 125,000 – a 500 per cent increase – which means the risk is real. 

“While firewalls included within domestic broadband routers are considered sufficient for personal use and occasional home working, they’re not necessarily capable of withstanding prolonged periods of remote working from a large proportion of the workforce. No wonder we are seeing more businesses and their employees become the targets of malicious hackers.”

How, then, can organisations keep their data secure?

Due diligence is critical

Organisations have scrambled to activate business continuity plans. Yet Luke Vile, cybersecurity expert at PA Consulting, urges leaders and security teams to think again before fully trusting third-party tools. Before grabbing a tech solution, due diligence is critical, and internal data privacy measures can help counter any significant threats.

“Business leaders need to be careful when using any online virtual collaboration tools,” he says. “Many businesses are currently using Zoom or other platforms such as Skype, Microsoft Teams and FaceTime. But there are some serious security considerations to address before jumping on a call. For instance, has the software been approved by internal security teams, as well as securely integrated? 

“People may assume the risk is minimal, given the most visible data is faces and voices, but it’s important to remember that conversations are processed too. Also, these platforms will process any attachments and notes that are uploaded.”

Who do you trust?

Zeki Turedi, technology strategist at CrowdStrike, argues that the home-working trend triggered by COVID-19 should lead to better cybersecurity and data privacy strategies in the long run, but is worried in the short term. He offers this advice: “Strong security policies may already exist, but it is essential to review them and ensure they are adequate as your organisation transitions to having more people working from home than in an office. 

“Security policies need to include remote-working access management, the use of personal devices, and updated data privacy considerations for employee access to documents and other information. It is also essential to factor in an increase in the use of shadow IT and cloud technology.

“With more connectivity happening from remote locations, security teams will also need to put a greater focus on data privacy and hunting for intrusions from a greater number of entry points, which could be an initial burden or bring on added complexities if not planned correctly.”

Richard Meeus, director of security technology and strategy, Europe, Middle East and Africa, at Akamai, agrees that businesses should have prepared for this scenario. Moreover, those that have established a “zero-trust” model will be more confident than most.

As John Kindervag, field chief technology officer at global cybersecurity giant Palo Alto Networks, says: “Trust is always a vulnerability in a digital system.” He would know, having pioneered the concept of zero trust – trust nothing, verify everything and use micro-segmentation – and coined the term in 2009, while serving as a vice president and principal analyst at Forrester Research.

Meeus concludes: “The now established zero-trust approach of only enabling employee access to the applications they need, and protecting the wider network, still applies. This is designed to protect a company, no matter where its employees are accessing the network from or on what device. When it comes to remote working, only the cloud has the scale and security to implement across all employees.

“This new normal means businesses now have their perfect use-case to take the next step and enable their workforce to work whenever, wherever and however they want, without compromising privacy or security."
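To make the contrast between the perimeter model and the zero-trust model that Kindervag and Meeus describe concrete, here is an added example in Python; it is not code from Akamai, Palo Alto Networks or Forrester. The legacy decision treats being on the corporate network as the credential, whereas the zero-trust decision checks identity, device posture and a per-application entitlement map on every request and never looks at the source network at all. The entitlement map, posture fields, address ranges and the eight-hour re-authentication limit are constructed for illustration; a real deployment would draw them from the identity provider and the device-management system.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data for illustration (assumption, not any vendor's configuration).
CORP_NET = ip_network("10.0.0.0/8")
APP_ENTITLEMENTS = {            # micro-segmentation: which groups may reach which application
    "payroll": {"finance"},
    "crm": {"sales", "finance"},
    "wiki": {"sales", "finance", "eng"},
}
MFA_MAX_AGE_S = 8 * 3600        # re-verify the identity at least once per working day


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    app: str
    src_ip: str
    device_managed: bool   # enrolled in device management, i.e. not a consumer-grade device
    disk_encrypted: bool
    os_patched: bool
    mfa_age_s: int         # seconds since the last strong authentication


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything inside the network perimeter reaches every application,
    regardless of who is asking or what device they are on."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: AccessRequest) -> tuple:
    """Trust nothing, verify everything: identity, device posture and per-app entitlement
    are checked on every request. The source network is deliberately not an input.
    Returns (allowed, list_of_denial_reasons)."""
    reasons = []
    allowed_groups = APP_ENTITLEMENTS.get(req.app, set())
    if not (req.groups & allowed_groups):
        reasons.append(f"{req.user} is not entitled to {req.app}")
    if not req.device_managed:
        reasons.append("device is not managed")
    if not req.disk_encrypted:
        reasons.append("disk is not encrypted")
    if not req.os_patched:
        reasons.append("OS is not patched")
    if req.mfa_age_s > MFA_MAX_AGE_S:
        reasons.append("strong authentication is stale")
    return (not reasons, reasons)


def compare(req: AccessRequest) -> tuple:
    """Return (perimeter_allows, zero_trust_allows, zero_trust_reasons) for one request."""
    zt_ok, reasons = zero_trust_decision(req)
    return (perimeter_decision(req), zt_ok, reasons)


# Three constructed scenarios.
# An employee in the office on an unmanaged, unencrypted laptop: the perimeter lets them in.
OFFICE_UNMANAGED = AccessRequest("bob", frozenset({"sales"}), "crm", "10.1.2.3",
                                 device_managed=False, disk_encrypted=False,
                                 os_patched=True, mfa_age_s=60)
# A finance user at home on a compliant, managed device: the perimeter blocks them.
HOME_COMPLIANT = AccessRequest("alice", frozenset({"finance"}), "payroll", "203.0.113.50",
                               device_managed=True, disk_encrypted=True,
                               os_patched=True, mfa_age_s=600)
# A compliant device, but the user is not entitled to the application requested.
HOME_WRONG_APP = AccessRequest("bob", frozenset({"sales"}), "payroll", "203.0.113.51",
                               device_managed=True, disk_encrypted=True,
                               os_patched=True, mfa_age_s=600)


if __name__ == "__main__":
    for label, req in [("office, unmanaged laptop", OFFICE_UNMANAGED),
                       ("home, compliant device", HOME_COMPLIANT),
                       ("home, wrong application", HOME_WRONG_APP)]:
        perim, zt, why = compare(req)
        print(f"{label}: perimeter={'allow' if perim else 'deny'} "
              f"zero-trust={'allow' if zt else 'deny'} {why}")
```

The point of the three scenarios is the inversion: the perimeter model admits the riskiest request (unmanaged device, simply because it is plugged into the office network) and rejects the safest (compliant device at home), while the zero-trust decision does the opposite and also enforces the application-level segmentation that Meeus describes.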