Securing Remote Working In The Digital Age

Thomas Frénéhard

Part 15 in the “Controls and Risk Management” series

With multiple benefits for both employers and employees, remote working was already quickly gaining traction, and the current situation is further accelerating this trend. To be able to continue operating in geographies where confinement is being enforced and enable employees to keep their jobs, many organizations have opted for a remote working approach.

A sustained trend with multiple benefits

This trend started many years ago, though, with the emergence of the technology that allows employees to access organizational IT systems from anywhere in the world – as they would if they were within the four walls of the company.

As a matter of fact, the number of people who work from home has increased by 91% in the last decade, and by 2028, it is expected that 73% of all departments will have remote workers.

It’s also undeniable that this is driven by quantifiable benefits, with estimates that the average business could save $11,000 per remote worker and 65% of respondents claiming that they are more productive in their home office than at a traditional workplace. But it’s not just about productivity or costs, as people who work remotely at least once a month are 24% more likely to be happy.

As a result, I can only concur with Jennifer Christie, head of human resources at Twitter, when she stated, “We’ll never probably be the same. People who were reticent to work remotely will find that they really thrive that way. Managers who didn’t think they could manage teams that were remote will have a different perspective. I do think we won’t go back.”

But there is also another side to the coin. In a previous blog (Internal Control – From Necessary Evil to Operational Excellence), I referred to ISO31000’s definition of risk management, where a risk is the effect of uncertainty on objectives, be it positive or negative. Well, there are unfortunately also threats associated with the positive aspects (benefits) of remote working. These will need to be addressed by the organization.

Going back to statistics, a concerning finding by a study from OpenVPN shows that 90% of IT professionals believe remote workers are not secure. And over 70% think remote staff members pose a greater risk than onsite employees. Note that this is a perception, of course, but it still needs to be addressed – especially when considering the fact that there has been a 10-fold increase in cyberattacks in some regions at the moment.

As a result, organizations need to target the root causes of both kinds of threat, to deter external cyberattacks as well as the insider threat. IT professionals are concerned that internal actors may pose a significant level of risk to the organization’s IT infrastructure.

Effectively addressing these challenges

  1. Managing system accounts and ensuring the correct authorization assignments

By putting in place a sound identity and access management process, companies could more easily manage access to enterprise applications, be they cloud or on premises, via user-role- and attribute-based access. Companies could further implement multi-factor authentication to improve security. And to remove the burden of excessive login procedures, simply putting in place single sign-on would help them achieve this objective without additional workload for the employees. Effortless security, in a way!

  2. Protecting the applications that run your business

A company’s internal systems make an appealing target for hackers, as they run business-critical processes and house sensitive corporate information that can be used for cyber espionage, sabotage, or fraud. To prevent data breaches, organizations could monitor business applications for suspicious activities (i.e., anomalies) and attacks. They could also analyze the business transactions themselves for fraudulent or unusual patterns. By correlating insights, companies could take a proactive approach and identify threats early.

  3. Addressing data protection and privacy concerns

In some cases, users need to access sensitive data in the course of their daily tasks. To protect them from unwelcome suspicion as well as to protect the organization’s crown jewels, companies could implement data-masking tools so that unnecessary information is hidden by default but can be revealed on demand. And of course, data logging will help cyber investigations if a data breach does occur. Data logging not only helps to identify the culprits but also to understand the scope of the breach and to notify impacted parties and regulators in a timely manner.

These three processes create an additional security layer for the organization, but this would nevertheless not be to the detriment of the employee. Indeed, these processes would run in the background and not create additional workload for the employee. It’s a win-win situation, I believe, since all parties would feel better protected.

Finally, I’d like to leave you with a quote from SAP’s chief security officer, which I find extremely relevant as I believe it really represents our mission statement: “SAP is not in the security business, but in the business of securing our customer’s business.”

What about you? Has your company changed its security policies and procedures to adapt to recent events? I look forward to reading your thoughts and comments on Twitter @TFrenehard.

This article originally appeared on SAP Community and is republished by permission.

About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.