How IT balances Cyber-Threats, Regulation, and Business as Usual
How hybrid working raised the stakes for data protection – and what IT can do about it
Spare a thought for your IT department
Data protection has always been a balancing act between maintaining security and letting people get on with their jobs. But the rapid transition to hybrid work took this challenge to a whole new level – compounded by stagnant security budgets, more frequent and elaborate cyber-attacks, and stringent new regulations.
So it’s not hard to see why 54% of cybersecurity professionals surveyed in 2020 said they had left a job because of burnout, or knew someone who had. The pandemic may have pushed IT departments to breaking point, but the pressure was already building before it.
Bigger risks. Bigger penalties.
As the threat of cyber-attacks has intensified, so have the laws governing organizations, requiring them to follow strict protocols for protecting users’ data. Following the EU’s landmark General Data Protection Regulation (GDPR), governments and regulatory bodies introduced privacy laws worldwide, backed by significant penalties. South Africa’s Protection of Personal Information (POPI) Act is one example: offenders face a maximum fine of R10 million (around $652,609 at the time of writing) or a ten-year jail sentence.
Cyber-criminals constantly change their tactics, so cyber-threats have grown in both frequency and variety. Search results have been hijacked to deliver malicious sites to even cautious users. Ransomware has evolved from indiscriminate mass campaigns to targeted attacks on victims that are more vulnerable and more lucrative. Newsworthy events hand attackers fresh lures, designed to exploit people who want to believe in their stroke of luck, even when it looks too good to be true.
And as workers vacated offices, phishers leaned harder on business email compromise (BEC): posing as the CEO, CFO, or another influential figure in the organization to extract sensitive or financial information.
It’s a tactic tailor-made for a workforce suddenly outside the purview of the IT department, working on unmanaged personal devices or through hastily assembled home-working setups. Law firm Baker McKenzie found that over a third of businesses had deployed new technology without considering regulatory risk, in a rush to maintain continuity in the face of stay-at-home orders.
The result? A shocking 73% of Chief Information Security Officers (CISOs) had encountered leaks of sensitive data over the previous 12 months.
Remote security control
Preventing data breaches often comes down to simple good data hygiene. The trouble is that enforcing best practices is harder when staff are away from the office.
That’s where remotely enforced security controls come into play. Using tools built into common software such as Microsoft 365 and Windows, IT departments can implement and monitor tiered, need-to-know access requirements without touching each device.
For example, data can be classified by sensitivity using Microsoft Information Protection sensitivity labels. A label can carry encryption and usage rights that restrict who may view, edit, or share a document, so that only the named individuals or departments can open it; Conditional Access then decides, per sign-in, whether a given user on a given device and network is allowed to reach the apps and sites that hold that data at all.
Controls such as Multi-Factor Authentication (MFA), which Microsoft reports blocks over 99.9% of account-compromise attacks, can be required even for authorized users whenever they sign in from an unknown network or an unmanaged device, rather than for every sign-in.
With that framework in place, Microsoft Endpoint Data Loss Prevention (DLP) lets IT see remotely which devices are handling sensitive information and what users do with it (copying, printing, uploading), so that suspicious activity can be audited, warned about, or blocked.
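As an added example (not code from the article or from Microsoft), the following Microsoft Graph PowerShell script creates the two Conditional Access policies implied above: require MFA when a sign-in does not come from a trusted named location, and require MFA when the device is not marked compliant by Intune. The group IDs are placeholders, the policies are created in report-only mode, and it assumes the Microsoft.Graph.Identity.SignIns module is installed and the caller holds the Conditional Access Administrator role.

```powershell
# Added example: two Conditional Access policies encoding "MFA from unknown
# networks or unmanaged devices", created in report-only mode.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed
# (Install-Module Microsoft.Graph.Identity.SignIns), the caller can manage
# Conditional Access, and the two group IDs below are placeholders to replace.

$PilotGroupId      = '00000000-0000-0000-0000-000000000001'  # users in scope (placeholder)
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'  # emergency-access accounts, always excluded (placeholder)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Policy 1: any sign-in that does not originate from a trusted named location must pass MFA.
$untrustedNetworkPolicy = @{
    displayName = 'CA-Pilot-01: Require MFA from untrusted networks'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; enforce only after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeGroups = @($BreakGlassGroupId)        # never lock out break-glass accounts
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')            # "Named locations" marked as trusted in Entra ID
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Policy 2: sign-ins from devices that Intune has not marked compliant must pass MFA,
# regardless of network. A compliant device on a trusted network matches neither policy.
$unmanagedDevicePolicy = @{
    displayName = 'CA-Pilot-02: Require MFA from non-compliant devices'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeGroups = @($BreakGlassGroupId)
        }
        applications = @{ includeApplications = @('All') }
        devices = @{
            deviceFilter = @{
                mode = 'include'
                rule = 'device.isCompliant -ne True'       # also matches devices with no Intune record at all
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

foreach ($policy in @($untrustedNetworkPolicy, $unmanagedDevicePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

Two policies are used rather than one because a single policy with both a location and a device condition would only fire when both hold; separate policies give the intended "either" semantics. Leave them in report-only mode until the sign-in log’s report-only results show no unexpected interruptions, then switch the state to 'enabled' with Update-MgIdentityConditionalAccessPolicy.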
Constructing a new perimeter
Protecting sensitive data used to be a case of keeping it inside the physical perimeter of the office network: the trusted, on-premises, firewalled network of managed devices.
As hybrid working has become the norm, that perimeter has dissolved, amplifying what was already a substantial data protection challenge. But it isn’t insurmountable.
Using the security tools built into standard business software like Microsoft 365 and Windows 10, IT departments can construct a ‘zero trust’ data perimeter in which access is granted only on the basis of verified identity and device state, not network location.
With these tools likely already installed on work devices, perhaps the heightened stakes of data compliance needn’t be a cause for burnout after all.
Find out more about how to create a new culture of work in your organization with Microsoft.