Major disruption to the way employees work across the region adds to cybersecurity concerns
The cybersecurity landscape is constantly evolving, with threats coming from all directions. However, the global COVID-19 pandemic has thrown “yet another spanner” into the works, bringing with it new cyber risks and expanding organisations’ attack surfaces.
As the pandemic’s impact was felt across the region, many organisations were caught out because their systems, applications and ways of working were centred around the physical office.
Few organisations were prepared for most of their employees having to access systems and applications from home. This has been more apparent in many of the Asian markets, which culturally are configured around the physical office, said Terry Burgess, vice president, Asia Pacific and Japan.
“Understandably, many organisations’ immediate priority was keeping the lights on and activating business continuity plans,” he said. “Once these were activated, they quickly became acutely aware of the security, and particularly identity and access, challenges associated with a remote workforce.”
Burgess told CIO Tech Asia that CIOs should be asking:
- Do employees have the hardware and the access to systems and applications they need to do their job?
- Do people have the right level of access?
- How are they using that access?
- How can they automate provisioning with a governance-based approach?
- What about data storage, with an uptick in bring your own devices?
- Where is data being stored?
- How is sensitive data being stored?
- What about IP data?
“The first challenge for CIOs and CISOs was ensuring employees had access to what they needed to do their job,” he said. “To this end, I’ve heard of organisations holding tech drive-thrus for their employees!”
However, from conversations with SailPoint customers throughout Asia Pacific, it’s clear the bigger concern—with the potential to have a more detrimental impact—is maintaining visibility of who has access to what and what they’re doing with that access.
“This is not just for employees, but also the business partners and contractors working in key lines of business—all have ‘identities’ and unique remote access requirements,” said Burgess.
Beyond access, CIOs and CISOs need to ensure their organisations abide by all privacy and data protection legislation and that critical business data is secure.
“This has become more difficult with remote workforces,” he said. “Employees are more likely to bring their own devices, which may or may not have firewalls and antivirus, and turn to shadow IT to do their jobs.”
“Additionally, cybercriminals haven’t eased up as a result of COVID-19. If anything, there’s more of an opportunity for crooks right now, with many leveraging the pandemic to find victims,” said Burgess.
“We mainly work with mid-market and enterprise organisations, which, for the most part, are cybersecurity aware and place a huge focus on their organisations’ cybersecurity postures,” he said. “As an example, we have operations in markets like Taiwan, Hong Kong, Philippines and Japan, which are large manufacturing hubs. Like the rest of the community, most of our manufacturing customers had to transition to an at-home workforce.”
According to Burgess, areas like file governance for unstructured data and identity governance have been particularly front of mind for this sector due to the intellectual property these organisations hold.
Remote working has introduced more risk for teams governing and managing identity. Do they have complete visibility and management of who is accessing what application? Is that application access appropriate for that person? Is there governance around sensitive data?
Just because users are accessing applications remotely doesn’t mean the business can ease up on its privacy and compliance obligations. In fact, compliance and governance should be a higher priority as risk increases.
“The obvious one is adapting to a mostly remote workforce, which is not something most CIOs and CISOs have had to contend with before, especially in such a tight time frame,” Burgess said. “Beyond that, business is continuing and it’s not so much what they’re doing differently, but what they’re reprioritising.”
According to Burgess, a good example is the acceleration of cloud adoption, where many CIOs and CISOs were building blueprints for workloads and applications, including identity management and governance, in the cloud.
“We’re now seeing much faster adoption. The cloud is a fantastic and natural platform for remote users to be connecting to in a secure way,” he said. “Many of our customers are looking for true multi-tenancy and an open API platform approach to seamlessly access all applications inside the business.”
Additionally, because of economic challenges spurred by COVID, he is seeing more customers seek OPEX pricing models.
“I envisage the cloud and SaaS will remain a priority for many businesses post-COVID,” he said. “I’ve had many conversations with customers and the SailPoint team about what the ‘new normal’ will be.”
No doubt there’ll be a phased approach to the workforce returning to the physical office, for example, with organisations looking to shifts and staggered starts.
Ultimately, COVID-19 has shown that working from home works and has several benefits, and I think many organisations will take a hybrid approach moving forward.