Most businesses that have adopted off-site or hybrid working models over the last two years made the change under immense pressure. The need was incredibly urgent and timing was a major factor. Now that they’ve had a chance to adapt and settle in, leaders are revisiting how their teams work in a more proactive way. They’re updating strategies and policies with a focus on what will be best for both the company and the employees long term.
This is especially true when it comes to data integrity and security. Hybrid/flexible work will be a “standard practice” within three years, say more than 75% of respondents to a survey conducted by Economist Impact and commissioned by Google Workspace. And while the security challenges related to flexible work certainly aren’t new, the last 18 months have highlighted many vulnerabilities at scale.
We’re in a new era of data security where business leaders must abandon traditional ideas of what a workplace looks like. Work is no longer a physical space, but rather a series of interconnected policies on how to get things done. Where the work happens simply isn’t as important as it used to be.
With this thinking, security requires a new approach. It’s no longer just about protecting information or restricting how that information is accessed—it’s about building safe, efficient, and effective ways to facilitate seamless collaboration and information-sharing.
Take employee-owned laptops, for example. If business leaders didn’t provide workers with all of the hardware and devices needed to thrive when work shifted off-site, many would be using their own personal devices to complete job-related tasks. Their personal devices may not be equipped with the same security protections as in-office devices. Sensitive data loss, leakage, and theft are far more likely when using personal devices than they were when everyone was in a controlled office environment.
The same is true for the opposite scenario, in which employees are using company laptops on personal Wi-Fi. Leaking sensitive company data is among the top security challenges, say 20% of business leaders surveyed in 2021 by Entrust. In the same survey, 21% of business leaders say they are worried about security risks from unmanaged home networks. So what’s a security-minded business leader to do?
On-premises business systems have relied on hyper-controlled environments, most often through in-office network security or Virtual Private Networks (VPNs). Cloud-based platforms, on the other hand, promote data sharing and collaboration regardless of physical location. Of the many upsides to moving information to a cloud-based program, anywhere, anytime access is the crucial one.
And these days, almost all business-critical programs and apps can be accessed through browsers such as Chrome, which means employees don’t need additional device drivers in order to access the information they need to be successful.
Zero-trust models shift the focus to the individual user without a need for VPN technology, so access controls are enforced no matter where the user is or what device they’re using. Any user or device attempting to access a network or its resources requires authorization, which creates higher security limits on file-sharing, application downloads, and data usage. It also extends to employees using their personal devices, which can alleviate some of the worry that well-meaning employees could cause an unintentional breach.
Secure by design
The last thing an employer wants to do is create barriers to collaboration, and requiring an excessive number of checks and balances to access sensitive information can do just that. When tools are secure by design, however, employees can work together seamlessly. Rather than avoiding risk completely, businesses can monitor and maintain security risk governance to open up the lines of communication and foster a more collaborative and innovative culture.
When implemented well, this holistic approach prioritizes security while making systems virtually invisible to employees. Aside from the occasional nudge to the end user that their activity may be unsafe, everything happens behind the scenes.
Building a culture of security
Beyond secure infrastructure, creating a company culture that prioritizes security can help minimize risk among a dispersed workforce. But remember, security and privacy policies are only as strong as their latest update. A 2020 report stated that nearly 25% of organizations hadn’t updated their security protocols in over a year.
When updating policies and protocols, business leaders have the opportunity to meet employees where they are. This not only builds a culture of trust, but one of holistic security.
One way leaders can embed security culture into their organization is to collaborate with IT leaders on best practices and share them in actionable bites. Developing security training for employees and holding dedicated “office hours” to answer questions as they arise are two additional approaches to security culture.
Perspective is important and organizations have the opportunity to view employees as both partners and a line of defense, rather than seeing them as potential liabilities. It’s true that the way people work—and the way they access sensitive information—won’t always be perfectly secure, but letting workers know that they’re inherently trusted improves productivity and employee experience.
When organizations block access to things like news, music, and email for employees, it can create tension. The best approach is to create checks and balances that allow for efficient response if and when problems do arise, instead of monitoring every click and download.
The shift to hybrid work compels business leaders to reflect on their practices and adopt new security solutions. And because these work models aren’t going anywhere, it’s important to address potential risks in a holistic manner. With an employee-centered approach, organizations can navigate today’s complex threat landscape with more confidence and better results.
Michael Karner is the Global Head of Google Workspace Evangelism. At Google he focuses on thought leadership for the future of work and on driving awareness of Google Workspace. Before joining Google he held several leadership positions at the research company Gartner as well as at several other companies in the IT & Telco industry. His experience with Google Workspace goes back to the beginning in 2006, when he was one of the first beta testers as a client.
Globalisation has changed the structure and pace of corporate life; the saturation of traditional markets is taking companies to more risky places; the shift towards a knowledge economy is eroding the importance of ‘place’ in the business world; new business practices such as offshoring challenge companies to manage at a distance; and new forms of accountability, such as corporate governance and corporate social responsibility, put added pressure on companies to match their words with deeds, wherever they are operating.
At the same time, security risks have become more complex, too. Many of the threats, such as terrorism, organised crime and information security, are asymmetric and networked, making them more difficult to manage. There is also greater appreciation of the interdependence between a company’s risk portfolio and the way it does business: certain types of behavior can enhance or undermine an organization’s ‘licence to operate’, and in some cases this can generate risks that would not otherwise exist.
As a result, security has a higher profile in the corporate world today than it did five years ago. Companies are looking for new ways to manage these risks and the portfolio of the security department has widened to include shared responsibility for things such as reputation, corporate governance and regulation, corporate social responsibility and information assurance.
There are six characteristics of alignment between security and the business:
- The principal role of the security department is to convince colleagues across the business to deliver security through their everyday actions and decisions – not try to do security to or for the company.
- The security department is in the business of change management rather than enforcement and works through trusted social networks of influence.
- Security is there to help the company to take risks rather than prevent them and should therefore be at the forefront of new business development.
- Security constantly responds to new business concerns and, as such, the portfolio of responsibilities and their relative importance will change over time. Security departments should never stand still or become fixed entities. In many companies today, its role is more concerned with overall corporate resilience than ‘traditional’ security.
- Security is both a strategic and operational activity, and departments must distinguish between these two layers.
- The power and legitimacy of the security department does not come from its expert knowledge, but from its business acumen, people skills, management ability and communication expertise.