Part 15 in the “Controls and Risk Management” series
With multiple benefits for both employers and employees, remote working was already quickly gaining traction, and the current situation is further accelerating this trend. To be able to continue operating in geographies where confinement is being enforced and enable employees to keep their jobs, many organizations have opted for a remote working approach.
A sustained trend with multiple benefits
This trend started many years ago, though, with the emergence of the technology that allows employees to access organizational IT systems from anywhere in the world – as they would if they were within the four walls of the company.
It’s also undeniable that this is driven by quantifiable benefits, with estimates that the average business could save $11,000 per remote worker and 65% of respondents claiming that they are more productive in their home office than at a traditional workplace. But it’s not just about productivity or costs, as people who work remotely at least once a month are 24% more likely to be happy.
As a result, I can only concur with Jennifer Christie, head of human resources at Twitter, when she stated, “We’ll never probably be the same. People who were reticent to work remotely will find that they really thrive that way. Managers who didn’t think they could manage teams that were remote will have a different perspective. I do think we won’t go back.”
But there is also another side to the coin. In a previous blog (Internal Control – From Necessary Evil to Operational Excellence), I referred to ISO31000’s definition of risk management, where a risk is the effect of uncertainty on objectives, be it positive or negative. Well, there are unfortunately also threats associated with the positive aspects (benefits) of remote working. These will need to be addressed by the organization.
Going back to statistics, a concerning finding by a study from OpenVPN shows that 90% of IT professionals believe remote workers are not secure. And over 70% think remote staff members pose a greater risk than onsite employees. Note that this is a perception, of course, but it still needs to be addressed – especially when considering the fact that there has been a 10-fold increase in cyberattacks in some regions at the moment.
As a result, organizations need to target the root causes of both external and internal threats, to deter both cyberattacks and the insider threat. IT professionals are concerned that internal actors may pose a significant level of risk to the organization’s IT infrastructure.
Effectively addressing these challenges
- Managing system accounts and ensuring the correct authorization assignments
By putting in place a sound identity and access management process, companies could more easily manage access to enterprise applications, be they cloud or on premises, via user-role- and attribute-based access. Companies could further implement multi-factor authentication to improve security. And to remove the burden of excessive login procedures, simply putting in place single sign-on would help them achieve this objective without additional workload for the employees. Effortless security, in a way!
- Protecting the applications that run your business
A company’s internal systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information that can be used for cyber espionage, sabotage, or fraud. To prevent data breaches, organizations could monitor business applications for suspicious activities (i.e., anomalies) and attacks. They could also analyze the business transactions themselves for fraudulent or unusual patterns. By correlating insights, companies could take a proactive approach and identify threats early.
- Addressing data protection and privacy concerns
In some cases, users need to access sensitive data in the course of their daily tasks. To protect them from unwelcome suspicion as well as to protect the organization’s crown jewels, companies could implement data-masking tools so that unnecessary information is hidden by default but can be revealed on demand. And of course, data logging will help cyber investigations if a data breach does occur. Data logging not only helps to identify the culprits but also to understand the scope of the breach and to notify impacted parties and regulators in a timely manner.
These three processes create an additional security layer for the organization, but not to the detriment of the employee. Indeed, these processes would run in the background and not create additional workload for the employee. It’s a win-win situation, I believe, since all parties would feel better protected.
Finally, I’d like to leave you with a quote from SAP’s chief security officer, which I find extremely relevant as I believe it really represents our mission statement: “SAP is not in the security business, but in the business of securing our customer’s business.”
What about you? Has your company changed its security policies and procedures to adapt to recent events? I look forward to reading your thoughts and comments on Twitter @TFrenehard
This article originally appeared on SAP Community and is republished by permission.