Conversations about the future of work have to include security. I’ll take that one step further: the future of work very much revolves around the future of security. New ways of working offer exciting opportunities to boost employee productivity, creativity, and engagement, but they can’t come at the expense of security. On the contrary, many of the same practices already shaping the future of work—BYOD, unprecedented mobility, any-network access, employee-centric experiences—can increase risk for data, applications and networks. The attack surface has never been so broad or so inviting—and threats have never been more sophisticated.
At a time when data is both more valuable and more vulnerable than ever, how will we secure the future of work? As a guiding principle, we can’t rely on add-on security technologies and siloed teams. Security must be woven throughout both the IT architecture and the organization to ensure that no matter how or where people work, the organization is protected. At the same time, the measures we rely on can’t be allowed to impair the user’s experience or productivity. Today’s workforce won’t accept arbitrary restrictions or barriers; the same creative spirit that fuels innovation will also lead them to seek consumer-market workarounds.
The key is to make cybersecurity everyone’s business. When employees are fully bought in to security—when they understand its importance and relevance, and they’re empowered to support it without sacrificing their own work, your security team becomes truly organization-wide.
To that end, here are five security best practices for the future of work.
This isn’t exactly new—fair enough. User education has been a tenet of cybersecurity since the early days. But that makes it all the more important to reinforce its importance, so that we never overlook it or take it for granted. As people gain the freedom to work anywhere, on any device, knowing how to do so safely must be a top priority.
In the employee-centric modern workplace, it’s also important to consider how this education takes place. It’s not enough simply to recite lists of rules and protocols. Instead, engage in a true dialogue—take the time to understand users’ needs and practices, and then explain your security policies in ways that are accessible and relevant to their daily experience.
Extend the discussion beyond the office environment to encompass every other setting where work takes place. How can you recognize whether a public wifi connection is safe to use? What are the risks around USB sticks? How can employees secure the consumer technologies in their homes, so their kids don’t introduce vulnerabilities into the family WiFi network with a jailbroken phone?
Engage with lines of business
Security doesn’t happen in a vacuum. The most effective policies are grounded in a firm knowledge of operational processes. Meet regularly with business decision-makers to understand the implications of new initiatives. By building rapport and trust, you can gain a seat at the table to make sure that appropriate safeguards are built into each project right from the beginning. You’ll also get crucial perspective into the tools, workflows and practices that enable the group to drive value, helping you design measures that maintain protection and control without getting in the way of business.
Modernize and mobilize your security policies
Mobility increasingly defines IT—in terms of both the mobile devices people use, and the constant movement of people, devices and data from one place to another. As employees use non-corporate devices, networks and storage systems to meet their needs—whether personally owned, third-party or public—your risk profile rises dramatically. At the same time, they usually have valid reasons for doing so. You can’t just say no; you’ve got to find secure ways to accommodate it.
Make sure your security policies reflect the real world—not some antiseptic, locked-down cybersecurity dream (and employee nightmare). Create clear rules and guidelines to help employees stay safe without losing the freedom and flexibility they’ve come to rely on. Specify convenient yet secure alternatives to consumer-grade technologies. Differentiate between scenarios—what’s safe at Starbucks vs. headquarters, what types of work should be saved for a more secure location—and set up your granular access control policies accordingly.
Enforce policies fairly and consistently
Inconsistent enforcement can doom even the best security policy—and can undermine the credibility of any subsequent policy. You put a lot of thought into creating the right rules and procedures for your business; now make sure they’re enforced the same way every time, for every user, with no exceptions. A sense of fairness will promote employee buy-in. After all, it’s not just a matter of meaning what you say—users have to take it to heart and mean it, too. When security becomes part of your culture, the whole organization becomes safer for the long term no matter what the future brings.
Make it seamless—and automatic
The less you have to rely on human intervention, the more reliable security becomes. This can include everything from conditional access controls that show employees only the apps they’re authorized to use in a given scenario, to business data encryption by default on mobile devices. Open-in controls can prevent email attachments from opening in non-corporate apps. Micro-VPN can ensure security over public wifi. Automated logging and reporting can facilitate compliance and audit readiness. There are many opportunities to make security more seamless and transparent for users, and simpler and more efficient for IT to maintain. As the scale and complexity of the enterprise environment continues to grow, steps like these will be critical to stay one step ahead.
The future of work gets a lot of buzz these days, and rightly so—it gets more exciting by the day. With these best practices, you can make sure it’s also growing more secure by the day.