When talking about security, you usually think of servers and the network and defending them against attacks. After all, workstations are in a protected intranet. Except this is no longer the case. The COVID-19 pandemic has dramatically increased remote working. Although some people are returning to the office, remote and hybrid working are here to stay.
How is security a part of the digital employee experience?
This is a good question, because often security and its requirements are thought to have been imposed by an external and superior entity:
- it's the law
- customers demand it
- the legal department demands it
Services and servers are being transferred to the cloud, where security is at a higher level. This means that attackers, and consequently the organizations they target, will have to focus on workstations. Workstation security is therefore an important part of the digital employee experience.
However, security and data security are among our basic needs. If employees suspect that their technology or indeed their own operations are not secure, it is obvious that productivity and work satisfaction will suffer.
Digital Employee Experience (DEX) means how well the information technology is serving employees to enable them to perform their work and reach their targets.
Good or evil security?
Yet many employees feel that security is making their work more difficult. Maybe you still change passwords regularly. This practice has actually been found to weaken, not to improve, security. Still, many organizations swear by it.
Often security is implemented without regard for, or understanding of, the employee experience, as requirements imposed externally and from above. It becomes something that makes work and life more difficult.
At its best, however, security is seamless and invisible, which is also called default and built-in security.
Remote work takes defensive methods from the Dark Ages to an open society
A little over a year ago, people worked primarily at the office, operating from within a protected intranet. Remote working was an exception, maybe one day a week. Now the situation is quite different.
Many of the people I know have barely been to their office since March 2020. And as the fourth wave of the pandemic is on us, it’s still not clearly known when you can return to the office as it was before the pandemic. And once more people feel that working at the office is safe, we will still not be returning to life as it was before the pandemic.
The security defense doctrine will change.
In the Middle Ages, cities defended against attackers by building a wall. But within the walls, there was very little protection. If anyone got in with a Trojan horse, you were done for.
Until very recently, organizations were applying the same approach: creating a protected intranet by means of walls, access control and firewalls, and virtually by means of VPNs.
Now security must take a step towards an open society, to protect from within, not by means of walls, as most employees work remotely from just about anywhere, and the performance of VPNs is not enough at all.
Today the reality is that computers are constantly, not occasionally, threatened in the open network. So you cannot be lulled into any sense of security behind a wall, even if you were using services over a VPN connection. If attackers get into your computer, they will also get access to the intranet.
Patches were sent - but were they properly installed?
It's all in the "should". You should, but you cannot be quite sure.
The distribution and configuration management systems and installation packages can be used to distribute patches and settings, but it is not guaranteed that they will be properly installed.
Like snail mail these days. It was sent off, but did it reach its destination?
It’s enough that employees do not switch their computer off and back on regularly when working remotely. This is very common, as you want the computer to be instantly ready when you need it. In terms of security updates, this is a very poor practice.
Therefore it is very important that the installation of updates is monitored separately – and also whether computers are restarted regularly. This can be done with Applixure’s Security Readiness Monitoring feature.
Laptops "out there"
When computers are mostly “out there”, and not within the protected walls of premises, risks for losses are higher.
One of the key things to ensure is that BitLocker or FileVault really has been switched on. Applixure is maybe the best way to stay on top of this, too. All relevant information can be found in one place.
The era of strict standardization is over in many organisations. One size (that is, one type of computer with an identical software set) is usually not suitable for everyone, if indeed for any individual.
The more software you have, and the more different versions of it, the more places there are that can be attacked and that must be updated. It's a matter of actively managing the selection. You bring in new software products and offer alternatives, but you also make sure you get rid of stuff that is not really used.
It is a bit like the local grocery store stocking a product at the neighborhood's request: some other title will probably have to give way.
But it’s not just about software names, it’s also about their versions (and operating system versions) that should be kept up to date and under proper management.
The reality is nevertheless quite different from this. Instead of running three versions, you have ten or more, half of which have holes like Swiss cheese.
Applixure will show what software and versions of it you have and how they are used (if at all). The always up-to-date visibility shows clearly what can be got rid of and which versions should not be used any more. Or whether you have software on your computer that should never have been installed in the first place.
Of course there is more to this, too, such as the right attitude, awareness and practices. But let’s talk about them some other time.
A secure workstation is built on a properly configured and updated computer, containing everything the employee needs but nothing unnecessary (exposure to attack) and no unnecessary (admin) rights. When everything runs smoothly, the employee will be pleased, too.
And this can be achieved when IT has an up-to-date picture of the situation:
- What hardware, operating system, software and versions of them do we have?
- How are they used, and what is useful and what is not?
- Are they working or not?
- Is BitLocker on and have unnecessary admin rights been removed?
- In which respects are we below our target level, and are there any updates that have not been installed?
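The checks in the list above, sketched for a single Windows workstation as an added PowerShell example. It is not Applixure's code, and the thresholds `$MaxUptimeDays` and `$MaxPatchAgeDays` are assumed values; run it from an elevated session.

```powershell
# Added example: posture check for one Windows workstation (run elevated).
# Thresholds are assumptions for illustration, not values from the article.
$MaxUptimeDays   = 7     # assumed restart policy
$MaxPatchAgeDays = 35    # assumed monthly patch cycle plus grace period

# Restart hygiene: days since the last boot.
$os         = Get-CimInstance -ClassName Win32_OperatingSystem
$uptimeDays = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)

# Updates that were delivered but still wait for a restart to finish.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path -Path $_ })

# Newest installed hotfix. Get-HotFix does not list every update type, so a
# missing date is reported as "unknown", never as "compliant".
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object -Property InstalledOn -Descending | Select-Object -First 1
$patchAgeDays = if ($lastFix) {
    [math]::Round(((Get-Date) - $lastFix.InstalledOn).TotalDays)
} else { $null }

# Disk encryption: the system volume must be fully encrypted AND protection on
# (a suspended BitLocker volume is encrypted but not protected).
$vol           = Get-BitLockerVolume -MountPoint $env:SystemDrive
$diskProtected = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')

# Local administrators, looked up by well-known SID so it works on localized Windows.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name)

$findings = @()
if ($uptimeDays -gt $MaxUptimeDays) { $findings += "Not restarted for $uptimeDays days" }
if ($rebootPending)                 { $findings += 'Updates installed but restart pending' }
if ($null -eq $patchAgeDays)        { $findings += 'No dated hotfix found; patch state unknown' }
elseif ($patchAgeDays -gt $MaxPatchAgeDays) { $findings += "Newest hotfix is $patchAgeDays days old" }
if (-not $diskProtected)            { $findings += "BitLocker is not protecting $env:SystemDrive" }

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OS          = "$($os.Caption) $($os.Version)"
    UptimeDays  = $uptimeDays
    LocalAdmins = $admins -join '; '   # review this list against who should have admin rights
    Findings    = $findings -join '; '
}
```

An empty `Findings` field means the machine met the assumed thresholds; the `LocalAdmins` list still needs a human decision about which accounts belong there.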
Applixure is the ideal tool to do all this, performing things beyond other management products. It is the key to data-driven workstation management and a giant step towards a proactive approach.
The Center for Internet Security (CIS) has a list of the TOP 20 security controls & resources, and up-to-date hardware and software inventories are #1 and #2 on it.
We talk about the digital employee experience and its improvement. Data security is one of the key elements.