Cross-Border
Systems and IT Unplugged: Protecting data from afar
Systems and IT Unplugged: Protecting data from afar
"Ensure staff have all the permission they need to do their work, but nothing more than they need." – Nish Patel, Chief Information Officer, Corpay Cross-Border
In this article, Nish Patel, Chief Information Officer at Corpay Cross-Border, shares his experience and outlines some best practices for preparing your business systems and IT infrastructure, now and for the unpredictable future.
_________________________________________________________________________
Remote work brings more security issues and suggests new best practices.
As remote work has become the norm, it’s important for employers to have policies, procedures, and programs in place to protect systems and data. Corpay has adopted a “zero trust model” as a best practice, treating all endpoints, all aspects of our technologies, as if they are outside the “trust zone.”
We create multiple layers of endpoint protection, especially now that many endpoints are employees’ computing environments, whether they are home offices or public spaces. I said at the beginning of the pandemic that we went from a handful of branch office to hundreds. Every employee’s location has become an endpoint.
We use basic anti-malware and ransomware protection software to ensure people have open and safe workspaces, but the ‘casual observer’ problem is heightened. Some business units, like Human Resources, payroll, or payment processing, deal with highly sensitive information.
Everybody has a different level of “Spidey sense” when it comes to reporting and resolving issues. It’s vital that people take an active role in protecting the environment and protecting their programs and company data.
We have a central place where employees can easily report a suspected attack or phishing email. If reporting is difficult, or takes a long time, people are less inclined to do it. They simply delete the suspicious email, but that doesn’t actually protect the organization. Reporting the issue so that security teams can take action to remove it from everyone else’s inbox automatically – that does the job at Corpay.
We also have policies that force behaviours on the users: for example, shutting off screens and locking computers after a period of inactivity.
Testing security systems and protocols
We use various firewalls, software, and computing protocols. We perform annual failover testing and other testing monthly and quarterly.Our security teams’ practice is to ensure systems are constantly protected, and to report results regularly from that monitoring. If there is anything out of the ordinary, we can take action immediately.
Relying on backup in a time of catastrophe or threat
Suppose you lost power, or you needed to evacuate a building: A failsafe is another variable to add, to help ensure you have backups throughout your infrastructure architecture.
We have adopted a way of working that is quite agile, so we don't need to have traditional types of backup infrastructure the way we once did. We don't even issue desktop computers anymore: It doesn’t make sense to have a box sitting on a desk somewhere.
Learning how to work in this new way has helped elevate our level of protection against future events.
Granting employees permissions and access at arm’s length
When it comes to protecting against hackers and ransomware breaches, another consideration in remote workforce protection is permissions. We make sure staff have permission to access all the systems, applications, and data they need to do their jobs effectively, but no more than necessary. This keeps the threat surface area a lot smaller. It’s a balancing act: granting just enough permissions to staff, but not leaving systems open to outside threats.
Accounting for the human element
It's become more important to ensure that endpoint protection is in place. The most vulnerable computing equipment is people's laptops being left out in the open.
People have physically left the safe confines of an office, with security at the front desk, secure access to the office computing environments. Devices have been stolen, or people have accidentally left their laptops at airport security. It happens!
Having the tools available to be able to locate lost devices, to wipe them remotely or just to ring fence them from the network: all of this has become more important with a remote workforce.
Shifts in business continuity planning
Now that we have remote work, business continuity planning has changed.
Employers need a way to communicate with people about important emergency issues, effectively and efficiently through various modes, like text messaging, phone calls, or email etc. But, at any given time, one of these services can go down and interrupt the flow of communication.
In 2021 and 2022, the largest mobile phone carrier and internet service provider in Canada1, where we’re headquartered, experienced outages that affected millions of customers and lasted for many hours in each case. Our corporate cell phones and many people’s home internet were on that network. Our ability to reach out to all staff became a lot harder. Now that we are remote, it’s more important and more challenging.
We usually rely on tools like Microsoft Teams or any other kind of messaging tools where we can address the entire team at once. Without that, the alternative is text, which isn’t ideal when you have to text hundreds of people.
Navigating corporate environments with residential level internet services
With a remote workforce, we are more reliant on residential-level services. Home internet is undeniably different from business-level services, usually with a lower service-level agreement. When people are in an office, connectivity and up-time typically at a higher level. If a provider had to choose, they would typically shut off residential internet before disrupting their business customers.
In normal circumstances, residential-level services function well enough for people to get their work done and to be productive. And our ability to isolate business activities from catastrophic situations is enhanced because we are no longer tied to an actual workplace.
Business continuity and cloud services – Time to move?
The other aspect of change in terms of business continuity is cloud-computing services.
By moving to the cloud, we no longer rely on monolithic data centers. That has made it a bit easier and more efficient to do tasks like load balancing, keeping systems geographically separated, and providing redundancies, for example.
With the acceleration of moves to the cloud, there are also challenges. Securing data is different. New skill sets are needed, and new ways of thinking as well.
At the same time, we have a lot more flexibility. We can do things in the cloud that we couldn't do before. We can set up servers and services that span the globe without having to open up data centers and ship equipment all across the world.
That’s another emerging trend –a change – in business continuity and systems security.
What comes next?
In the last few years, as the world shifted to remote work, it posed new challenges for global IT departments. Extra pressure is on IT professionals to protect intellectual property and data within their organizations. In some ways it’s easier and in others, it’s harder.
Often the task begins with enhancements to security systems and granting extra permissions to remote staff. However, a fine line exists between ensuring all employees can continue their jobs successfully remotely and protecting sensitive information and avoiding security breaches.
We’ve learned a lot in the past few years and despite new challenges and new threats, there are also new opportunities: new tools, new protocols, and new innovations.
1 To read more: https://www.nytimes.com/2022/07/08/world/americas/rogers-internet-outage.html1https://www.canada.ca/en/innovation-science-economic-development/news/2022/09/statement-from-minister-champagne-on-canadas-telecommunications-reliability-agenda-following-rogers-outage-on-july-8-2022.html