Panel - Secure Work Anywhere: The New Normal from Corporate Policies to Security Practices

So let's make a quick introduction. So to the audience, most of you probably already have trust, listen to the mink who is head of it, security at the European investment bank. And with step we have also Scott, who is GRC consulting director at one trust and the topic of our panel secure work anywhere, the new normal corporate policies to security practices, I think fits well in, in both a lot of the other talks we already had today and into what we, what most of us are confronted with. So the way we, we work the way we do security need do security has fundamentally changed some eight months or so ago already. So nothing is as it has been, maybe for, for many of you, for me, it's a little easier. I've been working most of the time for my home office anyway. So, so I'm a little bit probably on the better side of things, but so I think let's get started. And what I'd like to do is maybe that that's cut you and Dan Haven give a very quick introduction on, on your person. And then we, we directly move into discussion. So Scott, do you wanna start?
Yeah, absolutely. So Scott bridge, I actually head up our GRC function. They always changed my job title for these different webinars. So spent most of my career in vendor land. Prior to that, I worked for the UK ministry, defense, NATO, and us department of defense in risk management.
Okay. Stephan.
Yeah, Stephan miners, the name and I'm heading the it security unit here at the European investment bank. Before that I I've explored a bit the, the word of my development bank. So I was with the word bank in DC, Asian development bank in the Philippines before that distinct in Hong Kong. And I started off my career in Frankfurt, Germany with Pricewater housekeepers.
Okay. So a very international person here let's get started. So what, what are some best practices organizations could put in place right now to protect the data when everyone is working from also not sure whether we have chance to listen to my keynote, but I brought up this topics of data governance at the end. We want to protect data. And I think this is clearly one of the big challenges. So what, what are best practices you see to protecting the data in a changing environment? Or is it just the same? We did every time. Chef, do you wanna start? And then
Yeah, perhaps let me, let me, let me respond. Going back in time to March, 2020, when all of a sudden everybody was, was asked to, to work from home and the lockdown lockdown kicked pretty, pretty much in you see the, the, the thing is that a lot of organizations that I know they, they were struggling because they didn't really have this work from home attitude. They, they didn't really have this as, as a, as, as a real need, identify people come to the office and they worked from there. We were a little bit different because we already had this tele working arrangement in place. And we have a lot of people on the road that basically need to have access to company resources. What we had put in place as, as, as, as what I believe a good practice is to have a solid, you know, VPN solution and then no other way to connect into, into our internal network. I know from other C places and companies that, that they basically were surprised by, by the certain change. And they didn't have thought about such solution. They had to open up the, you know, the, the ports so that people from their own computers at home could connect into the company network. And that of course opened, you know, the gate for, for data leakage left right. And center. And you can only imagine this is probably the worst case you could possibly think of as a cyber security professional.
Okay. Scott, what is your perspective on that?
Yeah, so looking at it from a slightly different angle, it's really focusing around the people part. So the unaware employee traditionally pre COVID was difficult enough. They were distracted with their day job and even just trying to get basic cybersecurity and general security information out was always been tricky. But during COVID and with everyone thrown into sort of the new normal, it's really about making sure that we as security professionals measure how they're doing. There's a pastoral aspect that I believe is often missing and sometimes an academic or a sort of traditional sort of training type of thing that's often focused around. And really it's making sure that we give people clear, actionable guidelines, advice, make sure policy is clear if we are taking risks and adapting and evolving with shadow it, then we need to make sure that we've clearly delineated what we allow, what we don't allow. And we probably changed policy and appetite around that as part of our digital transformation journey. So I think it's the people process technology piece and starting at the bottom with the people, because they're the ones that quite often will make the mistakes.
Yeah. And one point I have around your answers is so, so work from home is, is a lot of these big trends. But another trend we, we, we are facing is many organizations have a cloud first strategy. And so it also means that the data is shifting away. Data is sometimes sprawling across the cloud, which on the other hand means that may maybe just using the VPN to go inside might not be sufficient than modern resources are outside. So how do you, how do you see that? And, and in general, from your perspective, how prepared were companies transitioning to work from home and in which tendencies have you observed this regard to issues since pandemic started?
Well, perhaps let me answer. First cloud strategy is indeed something that a lot of companies are dealing with. I can tell you, there are still a few out there that, that take a little conservative approach to cloud computing. Even though this, this is, this is changing right now. Yes, indeed. I mean, the moment you, you entertain cloud computing and you put confidential data into the cloud. I think what, what a lot of companies that I have seen doing is, is to have significant control over the way who has access to the keys with the, with which the, the data is being encrypted. I think a good strategy is also to have information classification control that's in place, because I mean, one thing is to put things in the cloud, but what can possibly leave an organizations network through the network? It's, it's equally important and you need to have a good eye and a good view on what's going through basically your emails and leaving the organization as well.
So, so, so what you're saying is you need data governance, you need data security in place, which means you need to understand where, which data resides. You need to classify data, classify data, you need to apply policies and you need to encrypt data to, to ensure that that the data doesn't leave in an uncontrolled manner, which spite be interesting also to observe that data leakage prevention, which has been a little bit of, let's say traditional more traditional technology for, for a while, from the perception really seems to make a comeback these days, which would fit quite well into that really putting more efforts on, on protecting the data and Scott, maybe what is your perspective here?
Yeah, so actually something that a customer was telling us on another webinar we were doing recently was, again, it kind of goes a little bit back to the people aspect was when they moved and evolved their cloud program, they looked at the people that are involved now, they had to get additional third party assistance from external. So they brought contractors in and they had to ensure that they were keeping track of those during the initial part of the COVID piece, because some were doing or performing specific actions. And going back to what Stefan said about who has the keys effectively to your kingdom was they found that people weren't being offboarded correctly and securely and keeping track of that. So that's probably the only snippet that I've got to add from that perspective.
Okay. So, so when, when you look at your practices, then what would you rate overall as the biggest risks that come specifically with, from home and maybe Scott, you like to start this time?
Yeah. So there's a couple of things. I mean, the biggest risks are really common number of, well, it's gonna be employees using their own devices for work intentions. So if we hadn't made that clear in the first place, then one of the biggest issues we're gonna have is potentially sensitive, confidential, secret financial information, making its way onto devices that don't meet or match out additional secure policies. There's another aspect that we're beginning to see. And I did an interview recently with an anonymous member of a hacking group where their dumpster diving's coming back into fashion. Now this is something that was big pre COVID anyway, and certainly around journalism and, and news and stuff like that. But it's come back into fashion, certainly in France, Spain, Portugal, we've seen outbreaks of it where people are being, given the capability to print from home. They print stuff, they don't dispose of it securely. They just throw it in their bin, creating new pockets of data security. I mean, all kinds of issues that come up at the back of that. It seems something quite small, but I suspect's a bit of a time bomb that will eventually catch a lot of organizations up at some point. That was a key one that really stood out to me from that perspective, though.
Yeah. So bring your own device. On the other hand, we need to be fair for, for many employees and at the end organizations, it was the only way to continue working because when you looked at the, the time it took to sometimes to procure new notebooks for organizations in a larger amount, larger quantity, then sometimes it was, was challenging. So that's the other side of the story. Stephanie, what do you wanna add to this?
The physical security aspect that, that Scott was alluding to indeed. I mean, when, when, when you, we look into data security, we're looking into indoor securing the access into the network, but okay. I mean, who protects the people that work from home and like if they were in the office and could basically do from the safety of their home, whatever they could do in the office, and if they were being in a situation where they are forced to execute certain transactions, cause somebody is just threatening to do so is something which I personally find always as an aspect to be overlooked.
Yeah. Which is that, that thing was security. You know, and I, I had a presentation done quite a while ago and I repeated a couple of times around there's no 100% security. And the point I always bring up is that, you know, if someone really wants to bypass security security, then there always thinks such as blackmail cetera. So we, we need to be very well aware. That's what we can do as security guys. It security with cybersecurity has its limits and there will be always a ways to, to bypass that. And yes, there might be a bigger risk. I also like the point with printouts that are not handled appropriately. And I think this is also really also, which can't go fundamentally wrong. And then you're in the news with oh 80 pages with confidential data being found somewhere on the street or the, that must not happen for sure.
Another aspect, which I believe is, is a very important one. At least it's a very intensively discussed one that is, so we have a lot of technologies which help us monitoring security. And on the other hand, we have these employee privacy rights and we also have that thing. When you take, bring your own device devices, you're not allowed to do certain things on that. These devices, you're not allowed to, to put some controls in the home office you, you might have in your office. So, so what is your experience from, from your daily work and from your, from your business experience on, on how to balance that and maybe also where, where you don't need to balance that. Because sometimes I also think it is that a lot of things which are security, they are, they have a rightful purpose. So certain things are largely doing, it's not really the privacy it's probably, but it's us of doing so other things we need to be very careful. So back to you, what is your practice? Stephan?
We, we are a little bit on the cautious side of bringing own devices. In other words, we don't do that. So for us, it's all company issue devices, which is cutting down on this particular risk, quite significantly. Having said that, of course people have, have their iPhone, they have their iPad and we cover the, the business part. We are not, you know, we're not encrypting or not managing the entire device. There's a part that we leave for private purposes. So with which we don't touch and which we don't monitor. And we, we just rely on the underlying, you know, all by device management solution to make the cut between the business side and the private side, having say that, of course there's monitoring that needs to be monitoring whenever it impacts company data, you need to have something in place. Otherwise I would act in a way, when you look into the guidance that's given by the European data protection supervisory authority, they make a clear cut. Yes, data privacy is very, very important, but you also have to make sure that data company data is protected. So it's, it's a fine line. And, and it's clear that you should, and you shall not infringe and then impact privacy rights of an individual. But every time people work on behalf of the company, they just need to accept the fact that there are certain rules put in
Place. It's not really new, to be honest, it's not
It's
From, I think it's, since we have the first data protection laws in Germany, which is some model 40 years ago, we had these things. Okay. Let's cut your points.
Yeah. So that's an interesting one. It's a fine balance of, of Orwellian versus trust. This is the thing, right? Because there's both of, you have rightly said this isn't you. This has been around a long time, certainly in the, the years that I've been working from home on and off. So I feel like organizations, what certainly what we've experienced. And again, with Stephan, a lot of we aren't allowed to use personal devices. I think one of the issues that we are beginning to see a lot of organizations as times evolved, is very typically employees can be exceptionally creative in their ways of bypassing internal control, not a malicious act by any means. Yeah.
That's the fun part for my job.
Absolutely. Yeah. It's the hunting part of, of finding those gaps. But I, I, I think when things like that happen, it's down to then going almost back to that appetite piece and going back to the business and saying, look, we have to do a certain level. That has to be a tone from the top. It's getting that support from the top to ensure that we have the right level of monitoring against the right level of trust and employees know. And again, it comes back to clear communication cause you can put all these mechanisms in pace and it's like a house of college. People can be that again, piece that just comes along and knocks it down.
Okay. So I think we are very close to the end of the time, maybe one, one closing sentence, one single concise number one recommendation. You'd like to give to our, our audience for securing work from home and balancing sort of security and enabling people. Scott, you start and Stephen,
Okay. Everyone is fatigued, tired, overworking, trying to display presentee cause they don't want to lose their jobs. They are your number one focused outside of the traditional technology aspect. Don't forget them and utilize other resources that are experts are communicated with them already.
Okay, great. Thank you, Stephen.
Well, what I would like to chip into the discussion here is, I mean, usually the, it security guys are the guys that put controls in place and that inhibit proper working. That's what I usually being accused of. But you know, it was us in March this year that enabled remote access and that allow people to work from home. And that also means it. Security can actually, if you wisely add significantly to the success of an organization, just trust them sometimes.
Perfect. Thank you very much. Thank you for the, to the audience for listening to us. Thank you. Thank you, Scott. For all the information you brought in the back to battle.