As businesses refocus on security (beyond just keeping the lights on) after almost two years of unprecedented and sustained disruption, the question many are asking is: \u201cIs my security fit-for-purpose in the world of hybrid working?\u201d\n\nThat\u2019s one of the questions we put to business leaders in compiling our recently published Global Workplace Report. Their responses yielded some interesting findings:\n\nBut perhaps more interestingly, our findings revealed something of a disconnect between the level of confidence among the C-suite in their ability to modernize, digitally optimize, and secure their future workplaces and employees in more operational roles. This suggests that while a future workplace vision is indeed emerging, some businesses remain light on detail and capability. \n\nHow did we get here?\n\nIn understanding why many organizations\u2019 post-pandemic security strategies aren\u2019t going far enough, it\u2019s helpful to revisit the journey that businesses found themselves having to embark on when the pandemic struck.\n\nGovernment-sanctioned lockdowns across the globe forced organizations to enable and support work-from-home scenarios almost overnight. None had the luxury of time to plan out their remote workplace strategy.\n\nBusiness continuity and employee productivity were the top priorities. Security, while not altogether an afterthought, was not strategic but ad hoc, to plug immediate security gaps and needs.\n\nNow, many organizations find themselves facing a set of security challenges critical to the success of their hybrid workplace strategy.\n\nFirst, an expanded digital footprint and more users connecting to the company\u2019s networks, applications and devices from remote locations means the average business\u2019s attack surface has increased exponentially. Detection of threats and vulnerabilities across the dynamic footprint is not straightforward. In fact, 80.7% of IT leaders say it\u2019s more difficult to spot IT security or business risk when employees are working remotely. The ability to respond quickly and effectively across the distributed IT environment is paramount, since it\u2019s not if but when an attack will occur, and your business is more exposed given that the right security is likely not yet in place.\n\nSecondly, with many people still working remotely today, the productivity, collaboration tools, and applications being used across the business remain heavily cloud-based. Cloud is a great solution for quick deployment and scalability, but a lack of proper security processes, protocols and management introduces a real risk of compromise.\n\nFurthermore, the devices and locations from which people are accessing these tools add further complexity. Users are now accessing company data from a myriad of devices, both managed and unmanaged, and from a variety of locations. This means that simply securing the traditional perimeter \u2013 the corporate network \u2013 isn\u2019t enough.\n\nData protection is also critical. Privacy regulations in every jurisdiction mandate strict control over how personally identifiable information (PII) is being processed. Each organization will also have intellectual property (IP) and sensitive information that must remain protected. And because data is being accessed from outside the corporate walls, there\u2019s a greater risk of data breach.\n\nWhile businesses grapple with these challenges, cybercriminals continue to exploit areas of weakness and gaps introduced by an expanded and disjointed technology ecosystem and networks that many businesses deployed when the pandemic hit.\n\nIn fact, according to our 2021 Global Threat Intelligence Report, cybercriminals have been opportunistic, successfully exploiting vulnerabilities that virtual working has created. In the last year, a large proportion of cyber incidents were directly related to the increase in the virtualization of networks due to an increasingly hybrid workplace. Specifically, remote working ushered in a spike in web and application attacks across all industries, accounting for 67% of all attacks, up from 55% in 2019 and 32% in 2018. \n\n\n\nDust off your security armor\n\nAs businesses consider their post-pandemic hybrid workplace strategies, they need to revisit and re-evaluate security from the ground up and assess where they may have unwittingly created gaps in their security armor.\n\nWe believe that businesses need a multi-pronged approach to rebuilding and, in some cases, fundamentally re-imagining their enterprise security.\n\nHere are some of the key capabilities you should be exploring:\n\nZero-trust\n\nThe zero-trust approach to security was growing in popularity well before the pandemic. But now, given widespread acceptance that hybrid working will become the de facto standard, the relevance and use cases of this model are becoming amplified and better understood.\n\nWith this approach, trust is not automatically granted to anything inside or outside a business\u2019s perimeters, and access is granted on a least-privileged basis. People seeking access to devices, applications and data must verify that they are who they claim to be. Meanwhile, access is continually monitored for any unusual activity.\n\nSASE\n\nSecure Access Service Edge or SASE is an identity-centric service offer that has evolved through the convergence of Network-as-a-service (WAN, SD-WAN etc.) and Security-as-a-Service (firewall, Secure Web Gateway, etc.) offers.\n\nIt brings a cloud-based approach to secure connectivity by brokering secure access between users and devices to the service edge and allows access to approved services and applications only. Being cloud-delivered, it\u2019s just as scalable and flexible as other cloud technologies. It also allows for numerous other security capabilities to be more easily deployed, such as Secure Web Gateway, Data Loss Prevention, Remote Browser Isolation and Cloud Access Security Broker (CASB), amongst others \u2013 improving the agility of your security posture.\n\nSecurity policies\n\nAn organization\u2019s security policies set the tone from the top. Policies that may have worked well in the pre-pandemic workplace will need to be addressed to ensure they\u2019re fit-for-purpose and well suited to remote, virtual working arrangements.\n\nSecurity policies need to be living and breathing documents at the best of times. So, it\u2019s important to periodically revisit, update, and communicate them to people to ensure their continued relevance given the evolution of the threat landscape, new ways of working and regulatory changes.\n\nThere are several compliance frameworks that might apply to you (e.g., NIST, HIPPAA, PCD-DSS, GDPR) depending on your industry, and your security policies should take them into account. The policies you put in place must ensure you meet your regulatory and compliance obligations in a world where sensitive data might be dealt with outside the office walls and address what to do should something go wrong.\n\nSecure by design\n\nFinally, as you\u2019re planning your hybrid workplace of the future, make sure that your organization is \u2018secure by design\u2019 \u2013 which means that security is built-in and not bolted on to your digital programs. In other words, as you\u2019re building out your hybrid workplace of the future, ensure the security team is engaged early and an integral part of your digital transformation to save you cost, time, effort and most importantly, to minimize your risk.\n\nIf you\u2019d like to find out more about how NTT can put you on track to building and operating a secure hybrid workplace, speak to your client manager or get in touch.