Michael Cade, Senior Global Technologist, Veeam, explains in detail about why organizations should have a clear strategy for managing data across their cloud and data provisioning at a time when the phenomenon of Shadow IT is gaining ground.
Almost three-quarters of professionals across the Middle East and North Africa (MENA) region prefer jobs that allow them to work remotely, according to a new survey by job site Bayt.com. The impact of the pandemic is likely to see this trend continue as 90% of respondents said they expect that remote work will increase over the next decade. Now that organizations and employees have seen some of the benefits of remote working, many companies are likely to build more flexible and agile working arrangements into their long-term strategies. For IT departments, the impact of this is huge.
The digital fortress
Formerly, a company’s IT infrastructure was contained within its own four walls. Employees used hardware such as PCs, printers, and phones which remained securely in the office, while software programs and data were stored in on-premises data centres. IT had full control over the performance, maintenance and security of the organisation’s technology stack. Early remote working initiatives were tightly controlled with users connecting to Virtual Private Networks (VPN) so that the only thing that left the data centre was the employee and the limited hardware. Over the VPN, the IT department could maintain visibility of security protocols and maintain administrators’ rights to ensure employees were not installing unapproved, potentially high-risk software.
Along came the cloud, which allowed organisations to scale-up their data storage capacity as well as their ability to back up files to remote locations. However, with the cloud came greater agility and choice for employees. Shadow IT, the phenomenon of employees using applications of their own choosing to store and access company data outside the data centre’s four walls – on personal devices and online accounts – became a challenge to IT departments. Fast-forward to 2020, when at some stages a large number of enterprises in the Middle East have been working remotely, and the four walls of the data centre have fallen as far as many businesses are concerned. Some organisations found themselves supporting remote workers for the first time – many with employees who would not be working from company-issued laptops and smartphones. While figures vary across EMEA, an IBM survey of 2,000 new remote workers in the US found that over half (53%) of were using personal laptops.
From a cybersecurity perspective, this is a critical risk. Previously, the data centre was analogous to a fortress. Everything that went in or out was strictly monitored and the threat from external sources was low. This is why one of the most well-known forms of cyber-attack is a Trojan virus – one that tricks the victim into thinking they are receiving or opening a legitimate file, document, link, effectively inviting in the attacker. Now, not only have the gates of the digital fortress been flung wide open, the people who used to be inside are now distributed. And, every single one represents a possible entry point for a malicious threat. The attack vector hasn’t just increased, it’s exploded.
Increased threat vector
More than half of newly-remote employees were not given new security policies and 45% said they have not received training of how to work from home in a secure manner, according to the study mentioned previously, IT departments often have little to zero visibility of whether or not employees are connecting to the VPN, particularly when employees are using personal devices. Furthermore, personal devices aren’t just being used outside the data centre’s four walls, but in family home environments and shared households. Not only do IT teams have far less control over the apps, websites, content they’re employees are engaging with, there is no guarantee they are the only person using that device. While the organisation might not have visibility of data now being stored and used outside the four walls, it is still ultimately responsible for it.
According to the Veeam 2020 Data Protection Trends Report, the No. 1 challenge that will impact Middle East and African organizations within the next 12 months is cyber threats (31%). Over half (51%) have a “protection gap” between how frequently data is backed-up versus how much data they can afford to lose after an outage. Given the vastly increased threat vector and risk to data systems in light of the remote working trend, organisations must ensure they have a robust Cloud Data Management strategy in place to ensure data is backed up, protected and recoverable across all devices and applications. Employee best practices and training are vital to this – helping IT teams ensure that users are connected via the VPN and storing company data in secure cloud environments rather than personal accounts or their own desktops. The Veeam report goes on to show that on average, 19% of Middle East and African organizations’ data is not backed up. If data cannot be backed up, it is not protected, and in the event of unplanned downtime or a cyber breach that data will be unrecoverable. Moreover, organisations are adopting Software as a Service (SaaS) solutions in their droves. For example, Microsoft Teams grew from 32 million users to 72 million between March 2019 and April 2020. For businesses using SaaS solutions such as Microsoft Teams and Microsoft Office 365, backups of data need to be conducted on a continuous basis – either on-premises or in cloud object storage. This will protect the business against a single point of failure that is outside their control.
As a combination of working from home and from offices becomes increasingly commonplace – even for organisations who previously had little to no track record of supporting remote working – the cyber-attack vector will remain high. It is therefore critical that businesses have a clear strategy for managing data across their cloud and data provisioning. This includes ensuring data is backed up at all times, recoverable in the event of a disaster, outage or cyber-attack, and as protected from external malicious threats as possible.