During the first wave of the COVID-19 pandemic, many organizations were confronted with the challenge of securing remote and hybrid environments via integrated security solutions that were deployed in a pre-COVID-19 environment.
What seemed like a momentary disruption to business as usual has now become the new normal in the corporate world. All signs point to remote and hybrid work looking set to stay, with Gartner predicting that 51 percent of all knowledge workers and 32 percent of all employees worldwide would be working remotely by the end of 2021. In the United States specifically, Gartner predicted remote workers will account for 53 percent of the workforce in 2022. This dynamic shift has led to an increase of more than 23 percent in public cloud spending just to support these numbers.
One thing is clear, corporations are deftly and swiftly embracing this new virtual frontier. In the push to do so, however, some companies may rush forward without fully understanding how too many discrepancies or inconsistencies could impede their progression to deliver an effective security platform in today’s remote environment.
When there are unmitigated inconsistencies within an organization’s security management system, it could effectively appear that the right-hand doesn’t know what the left is doing. When planning for a return-to-work environment, these discrepancies can present significant risk as well as economic impact and need to be overcome before the remote work evolution ends in a corporate dissolution.
In strengthening one’s organization to withstand the challenges of tomorrow, it is critical to focus on the three most common disconnects taking place today, primarily around standardization, personnel, and system maintenance.
Nonexistent or inconsistent systems standardization
Whether it is related to supporting two different access control platforms simultaneously or trying to oversee a video solutions system that has numerous site/location naming configurations as every vendor has their own preferred format, a lack of standardization generates a disparate environment, thus preventing true platform oversight, administration, and visualization. This is a real challenge for anything beyond a single building approach, commonly resulting in unnecessary spending to replace non-compliant equipment and an unclear usage footprint with multiple forms of credentials being issued thus allowing ghost credentials—credentials left active from employees who leave the company—to litter the systems.
Often falling low on the task list, ghost credentials are one of the most overlooked items providing undue risks and popping up out of the shadows during the most unfortunate of times. Nevertheless—and despite significant security investments by organizations—they continue to float around haunting even the largest of multinationals.
But how could a single item like a credential impact an entire company? It’s simple. Without standardization across disparate systems and setting expiry dates, former employees or contractors may continue to access corporate spaces after their departure with no oversight of what they may be doing or what confidential information they may be seeing or accessing, because they may still be listed as employees or contractors in other systems.
In some cases, there could be up to five or six times more employees in organizational databases than are actually on the staff, a QCIC case study found it is not unusual for major organizations to discover that former employees have simply continued going into their buildings and branches to use their facilities, access data, and potentially expose personnel to undue harm. As organizations begin to shake off the aftereffects of seeing millions of Americans quit their jobs as part of the Great Resignation, what may seem like a perfect time for companies to reassess and realign their priorities has instead been pushed aside to rapidly fill vacancies and redirect resources.
Moreover, across vast geographies in disparate environments, many organizations overspend on office space because they have no clear oversight on actual use. We commonly see large organizations around the world investing in office space designed to accommodate the total number of employees they have without realizing that only a fraction of their current staff is truly using that space. When organizations lack true oversight and standardization this ultimately leads to uninformed decision-making in terms of managing their portfolios from both an operational and a security perspective.
When organizations utilize a secured-by-design approach, this initiative improves the security of buildings and their immediate surrounding areas to create a safer environment to live, work, or visit—inclusive of system standardization and security harmonization—they can overcome disconnects between disparate environments and locations. Thus, delivering real-time oversight of all buildings, areas, people, property, and assets. By cleansing and merging multiple databases into a single source, companies remove duplicate, invalid, or expired records, and they can gain a better understanding of who is using what and how.
Too few qualified personnel
Globally, organizations that are being tasked with doing more with less are also being challenged by a reduction in the number of qualified personnel they have available to implement and manage security cohesively. Regional and fiscal constraints, as well as long upskilling times, can leave organizations overwhelmed and vulnerable.
Because of this, leaders tend to depend heavily on a handful of competent, skilled, senior-level staff who unfortunately take their knowledge with them when they leave, thereby creating an internal knowledge divide.
This default gap in skill sets forces smaller teams to take on multiple roles often leading junior staff to operate with little oversight or be thrust into critical scenarios where experience and specialized training are crucial. This could result in a lack of sufficient certified personnel with enough real-life experience and a dependency on one instead of a pool of many.
In addition, corporations heavily rely on third-party vendors that are contracted through longstanding relationships, rather than being selected for their technical specialities. This can often result in decision-making that lacks vital strategic direction from industry experts.
Virtual system administration and application support enable continuity and resource optimization. In a holistic security environment, hosted either on the premises or in the cloud, organizations can reinforce their security teams with external experts to enable continuity in procedure and policy management, system administration, and software maintenance.
As employees struggle to find the elusive work-life balance, many are choosing to step away from their current roles to pursue a career in alternate industries or leave the workforce in general. With this mass exodus, organizations are rushing to fill the void however the time, as well as budget, needed to upskill existing staff shrinks day by day.
”As employees struggle to find the elusive work–life balance, many are choosing to step away from their current roles.”
Therefore, companies are looking for some T.R.U.S.T (technological resources utilizing system transparency), yet they are unsure where to turn.
Systems support & maintenance disconnects
When system support and maintenance parameters are not established or followed correctly, they create vulnerabilities that open organizations to potential data leaks, repetitive undocumented issues as well as multiple system points of failure.
The assumption that things are being done right, often, and as scheduled, has found many an organization on the wrong side of a basic software upgrade with maintenance remaining far down on the priority list in established environments.
Platforms not operating on the minimum supported version and a lack of cross-system awareness creates vulnerabilities—yet in many organizations, all those boxes have been checked and the assumption is that everything is in order. But checking boxes doesn’t mean the task is being accomplished correctly, with assumptions signalling a break in communications leading to an overall lack of consistent security management. Therefore, when a manufacturer announces a vulnerability, teams frequently must scramble to assess their environment to learn if they have been exposed and what potential impact that brings to their security program at large.
Organizations need verification, qualification, and the surety that their security requirements and systems are updated and standardized. Developing a plan that backs a 24/7 “always on” model ensures organizations that any support and maintenance disconnects are overcome quickly and any vulnerabilities are mitigated swiftly.
Overcome disconnects by future-forward planning & standardization
As organizations move into a new workplace model, the risk of disconnects has become greater than ever. People and systems will be more widely dispersed across more locations, increasing the odds of the left hand not knowing what the right is doing.
To curb the growing risks this change brings, organizations must move now to address the most basic disconnects and build on that foundation for a more integrated, holistic approach to security.
This article was previously published in Security Management, a publication of Asis International.
Vanessa Dobrick is a director at QCIC and has a further 20 years of experience within the security industry. Her portfolio focuses on developing tailored and innovative solutions for clients ranging from start-ups to Fortune 100 companies. Dobrick’s role as a global strategist ensures the alignment of three key areas in the industry—vendor, integrator, and end-user — while providing vital oversight and support to aid all parties in achieving their respective business initiative through a global, collaborative manner.