Following a recent webinar we hosted in partnership with UK Finance, one of the things both the teams at Microsoft and UK Finance have seen in the last six months is the ingenuity and agility of financial institutions to navigate the shift to remote and new ways of working. As we reflect on some of the changes in behaviour and lessons learned, it’s also given us the chance to consider the future of security in the financial sector.
At Microsoft, I’m constantly reminded of how advances in security technology can enable productivity and collaboration. How it can actually create and improve inclusive user experiences. We do this by adapting security policies and processes to reflect how users and consumers are utilising and engaging technology, and new ways of working, on an evolving basis.
What does this way of thinking mean? It means that a people-first approach is essential when considering the best approach to cyber resilience and business continuity, especially as you navigate the next steps and prepare for the unexpected. It will also support your employees to do their best, no matter where they are or what their circumstances.
Here are four shifts that will support your organisation on the journey to resilience and inclusivity.
1. Drive the future of security with digital empathy
The most successful organisations who empower their people to achieve more by being productive from anywhere, are the ones who are empathetic to the end-user experience. Sometimes this can be a friendly voice over a Teams call, or assisting them as they adapt to new ways of working.
Digital empathy also stretches to making digital solutions more inclusive. This means having tools and policies that adapt to people’s ever-changing circumstances.
Bring Your Own Device Policies
With more users becoming remote and working flexibly, it can be inconvenient for users to carry multiple corporate and personal devices. It’s great to see financial institutions rethinking their approach to Bring Your Own Device (BYOD) policies. This offers flexibility and choice for users. It can also speed up the onboarding process and reduce the cost of sourcing and maintaining devices.
Of course, this doesn’t come without risk. To protect users’ privacy and control access to corporate services and data, the devices need to be both ‘trusted and healthy’. By utilising a management tool like Intune to prevent unauthorised access and compromise you can:
- Mobile Device Management (MDM) manages at the device level. You enroll devices for management, which covers all data that lives on the device, and you have full control to ensure the device is compliant and to manage settings, certificates, and profiles.
- Mobile Application Management (MAM) manages at the application level, which works well for BYOD scenarios. With MAM you can publish, push, configure, secure, monitor, and update mobile apps for your remote workers. This provides application-level controls and compliance while maintaining the familiar user experience for end users.
2. A Zero Trust security approach
As employees started working remotely en masse, the traditional type of ring-fenced security showed its disadvantages. It often struggled to meet the needs of a hybrid workforce working from different locations and from multiple devices. Therefore, adopting a Zero Trust approach to business continuity and security became an imperative.
The key principles of Zero Trust are quite straightforward:
- Never trust
- Always verify
- Assume compromise
In a Zero Trust model, access by users and devices – both inside and outside the corporate network – is granted based on an evaluation of the risk associated with each request. The same security checks are applied to all users, devices, applications and data every time.
To start with Zero Trust, it’s important to realign around identity. This can benefit employees, as it makes it easier for them to use single sign-on or access data across multiple devices. For example, multi-factor authentication prevents 99 percent of credential theft and other intelligent authentication methods can make accessing apps easier and more secure than just using traditional passwords. This also helps create robust BYOD strategies that work in unison to enable users to be both secure, and productive.
Of course, it’s important to pair a Zero Trust strategy with advanced threat protection and information protection. This helps to detect and prevent lateral movement, and data loss, no matter where it resides.
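The per-request evaluation described above can be made concrete with a small policy engine. The following is an added example, not Microsoft code and not how any particular product implements conditional access: the request fields, the risk levels and the rules are assumptions chosen to show the three principles. Network location is carried in the request but deliberately never consulted (never trust), MFA and device health are checked on every call (always verify), and a high risk score blocks even a fully authenticated user (assume compromise).

```python
"""Added example: a minimal Zero Trust access decision for one request.

Hypothetical policy engine, not Microsoft code. Every request is evaluated on
identity, device health and risk signals, and the same checks apply whether or
not the request originates inside the corporate network.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"   # re-verify identity before granting access
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_satisfied: bool          # strong auth already completed in this session
    device_managed: bool         # enrolled in MDM or protected by MAM policy
    device_compliant: bool       # passes the device health/compliance check
    on_corporate_network: bool   # present, but intentionally ignored by the rules
    user_risk: str               # "low" | "medium" | "high" (constructed levels)
    resource_sensitivity: str    # "standard" | "sensitive" (constructed levels)


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision for one request plus the reasons that produced it.

    Rule order matters: the strongest negative signal decides first, and a
    passing result only happens once every check has been applied.
    """
    reasons: list[str] = []
    # Assume compromise: a high-risk identity is treated as stolen credentials,
    # regardless of MFA, device state or network location.
    if req.user_risk == "high":
        reasons.append("user risk high: treat credentials as compromised")
        return Decision.BLOCK, reasons
    # Always verify the device: no management means no assurance of health.
    if not req.device_managed:
        reasons.append("unmanaged device: device health cannot be attested")
        return Decision.BLOCK, reasons
    if not req.device_compliant:
        reasons.append("device non-compliant with policy")
        return Decision.BLOCK, reasons
    # Always verify the identity: MFA is required for every session.
    if not req.mfa_satisfied:
        reasons.append("MFA not satisfied in this session")
        return Decision.STEP_UP, reasons
    # Elevated risk on sensitive data is not blocked, but re-verified.
    if req.resource_sensitivity == "sensitive" and req.user_risk == "medium":
        reasons.append("medium risk on sensitive resource: re-verify")
        return Decision.STEP_UP, reasons
    reasons.append("identity, device and risk checks passed")
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    # Constructed requests: same user and device, only the network flag differs.
    remote = AccessRequest("alice", True, True, True, False, "low", "standard")
    on_prem = AccessRequest("alice", True, True, True, True, "low", "standard")
    print(evaluate(remote), evaluate(on_prem))   # identical decisions
    unmanaged_inside = AccessRequest("bob", True, False, True, True, "low", "standard")
    print(evaluate(unmanaged_inside))             # blocked despite being on-network
```

The useful check when building a policy like this is the pair of requests that differ only in network location: if they ever produce different decisions, the perimeter has crept back into the rules.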
3. A people-led focus to a secure control environment
What normally works on-premises does not easily transfer to a cloud or hybrid operating model, particularly when accessing critical services and data from multiple sources.
For example, how is your Virtual Private Network (VPN) set up? It can often force all your network traffic through on-premises data centres, slowing down services and making it hard for employees to work. This may cause frustration. It can cause employees to look for workarounds, potentially bypassing safeguarding controls and policies, and downloading apps from the internet.
This scenario can be fixed by initiating split-tunnelling. This allows trusted cloud services like Microsoft 365 to be accessed straight over the internet. Your VPN can then be used to access critical apps and data that reside in your Data Centre, reducing the load.
In addition, a Cloud Access Security Broker (CASB) gives you rich visibility over your shadow IT. It provides a centralised approach to monitoring and protecting access to data in cloud-based apps. As an example, we implemented Cloud App Security for more than 150,000 employees globally. Apps that don’t meet our stringent security standards are blocked. Popular and trusted apps are onboarded to our Azure Active Directory, making it easier for employees to access what they need securely.
4. Providing resilient education to improve security
As cybersecurity matures, so do adversaries. They are adept at changing techniques and tactics, and at exploiting local or global events to lure victims via phishing campaigns. Using cloud-based security means you can take advantage of intelligent threat protection and analytics. For example, we collect and analyse over 8 trillion telemetry signals daily from a diverse set of products, services, and feeds around the globe. At the same time, you need to ensure your employees have the knowledge to protect themselves to reduce compromise. During times of crisis and change, users need to be warned to expect more phishing and social engineering attempts. It’s also useful to understand the psychology behind what makes people click.
This stretches beyond standard cybersecurity training. It’s about being empathetic, as I mentioned earlier, to what is going on inside and outside of the company. As much as we talk about external threats, we must be mindful of the increase in insider threats as well.
With all the changes that may be happening, we have to be mindful of how users are adapting and coping with the situation. We need to think about the stressors (fear and uncertainty about their jobs, balancing work and home life) and how these could impact a person.
Not all insider risks are malicious in intent. They can often come down to a lack of awareness of policies or knowledge, or frustration at not being able to work productively, which leads to mistakes. Conversely, concerning behaviour, such as downloading or printing sensitive files, renaming files, using unapproved apps, or copying files onto external devices, could be a sign of malicious intent.
While these behaviours don’t automatically arouse suspicion, it’s important to actively look for patterns of anomalous behaviour and mitigate them. With digital empathy, we can pre-empt and reduce some of the stressors or situations with wellbeing programmes and education that are empathetic and supportive to employees, reducing the chance of insider risks.
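The distinction between a single behaviour and a pattern can be expressed directly in detection logic. The following is an added example, not Microsoft code and not the logic of any insider risk product: the audit records, the action names, the weights, the one-hour window and the threshold are all constructed assumptions. Each of the behaviours listed above carries a small weight; no single action reaches the alert threshold, but several of them within a short window do, so a user who downloads, renames and then copies a sensitive file to external media is surfaced for review while an isolated print job is not.

```python
"""Added example: surface patterns of risky user activity from audit events.

Hypothetical detection logic over constructed audit records, not a product's
insider risk engine. One risky action alone never alerts; a cluster of them
inside a sliding time window does.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weights per behaviour; constructed values for illustration only.
RISK_WEIGHTS = {
    "download_sensitive": 2,
    "print_sensitive": 2,
    "rename_sensitive": 1,
    "unapproved_app": 2,
    "copy_to_external_device": 3,
}

# Constructed audit log: (timestamp, user, action, target). Not real data.
AUDIT_LOG = [
    ("2020-11-02T09:02:00", "bob", "download_sensitive", "Q3_forecast.xlsx"),
    ("2020-11-02T09:05:00", "bob", "rename_sensitive", "notes.xlsx"),
    ("2020-11-02T09:09:00", "bob", "copy_to_external_device", "notes.xlsx"),
    ("2020-11-02T09:30:00", "bob", "unapproved_app", "filesharer.example"),
    ("2020-11-02T10:00:00", "carol", "download_sensitive", "policy.docx"),
    ("2020-11-02T16:45:00", "carol", "print_sensitive", "policy.docx"),
    ("2020-11-03T11:00:00", "dave", "login", "vpn"),
]


def parse(record):
    """Turn one audit tuple into (datetime, user, action, target)."""
    ts, user, action, target = record
    return datetime.fromisoformat(ts), user, action, target


def score_users(log, window=timedelta(hours=1), threshold=5):
    """Return {user: (peak_window_score, actions_in_that_window)}.

    Only users whose peak score within any `window`-long span reaches
    `threshold` are returned. Actions with no weight (normal work such as
    a login) are ignored entirely rather than scored as zero.
    """
    per_user = defaultdict(list)
    for rec in log:
        ts, user, action, target = parse(rec)
        if action in RISK_WEIGHTS:
            per_user[user].append((ts, action, target))

    flagged = {}
    for user, events in per_user.items():
        events.sort()  # sliding window requires chronological order
        best_score, best_actions = 0, []
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            score = sum(RISK_WEIGHTS[a] for _, a, _ in window_events)
            if score > best_score:
                best_score = score
                best_actions = [a for _, a, _ in window_events]
        if best_score >= threshold:
            flagged[user] = (best_score, best_actions)
    return flagged


if __name__ == "__main__":
    for user, (score, actions) in score_users(AUDIT_LOG).items():
        print(f"{user}: score {score} from {', '.join(actions)}")
```

Run as-is, only bob is flagged (score 8 from four actions in 28 minutes); carol's two sensitive-document actions are hours apart and never combine. Lowering the threshold or widening the window trades fewer missed patterns for more reviews of ordinary work, which is exactly the balance the wellbeing and education measures above are meant to keep in check.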
An effective security culture allows users to work productively while they help keep the business safe. Our built-in approach to security works across platforms, locations and tools – so it’s easier for your people to comply.
The future of security
One of the things we’ve learnt this year is to expect severe but plausible scenarios. It can seem daunting to prepare for the extreme unknowns, but that’s what we have to do. Organisations are becoming more reliant on cloud and hybrid technologies. Therefore, successful strategies must include a people-based approach to cyber resilience. These four shifts, focusing on digital empathy and Zero Trust, will help you to take advantage of innovative and integrated technologies that enable you to achieve more with less.
Find out more
Join the conversation at Envision
Digital technology is changing not just how organisations operate but how leaders lead. Join us at Envision, where executives across industries come together to discuss the challenges and opportunities in this era of digital disruption. You’ll hear diverse perspectives from a worldwide audience and gain fresh insights you can apply immediately in your organisation.
Connect with leaders across industries to get relevant insights on leadership in the digital era.
About the author
Sarah Armstrong-Smith is a Chief Security Advisor in Microsoft’s Cybersecurity Solutions Group. She principally works with FSI customers in the UK and strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.
Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity landscape, and how this can be proactively enabled to deliver effective operational resilience.
Sarah has been recognised as one of the most influential women in UK Tech and UK cybersecurity and regularly contributes to thought leadership and industry publications.