Cybersecurity tips from Microsoft

Over the last decade, tech giant Microsoft has been celebrating tech experts who rely on, and champion, its tech tools extensively in their field by making them Microsoft Most Valuable Professionals (MVPs).

Security powerhouse Paul Keely has won this accolade a record 12 times, including seven times for Microsoft Azure, a computing cloud platform.

Paul Keely, 12-time Microsoft MVP.

Talking about the MVP award, Keely explains that the program fits with “Microsoft’s tag line [of] independent experts” and listening to their views and opinions. “It is one thing to come up with a product, it’s another to deploy it to 100,000 users – that’s a whole different ball game”.

Keely, who now serves as chief cloud officer of Open Systems, shares some advice with UNLEASH for HR teams grappling with the rise of cyber attacks as millions across the world shift to working remotely.

Cyber risks of working from home

Remote working during the pandemic has been a net positive for many – not least because it means they no longer waste time and money commuting to city centers on a daily basis – but the biggest winners have been cyber attackers and hackers.

Keely explains that one of Open Systems’ clients is an American hospital that pre-pandemic had 20 public-facing IP addresses connected to its internal network.

But when the pandemic hit, the hospital sent 9,000 people home from work – “so instead of 20 connections, we were looking at more like 10,000 connections”.

This meant the “attack surface” grew exponentially. This was also the case as some people allowed their kids to play games or do their homework off work laptops, while other people used their personal home devices for work.

“Once a device becomes shared, it is more difficult to secure”, notes Keely. Therefore, working from home made it so much easier for attackers to get into the laptops people were using for work.

The importance of MFA

Hackers were particularly interested in attacking companies’ employees – and HR departments by proxy – because of the range of “super valuable” personal data that HR holds about workers.

Examples include your date of birth, next of kin, and the bank details they use to pay you.

“If you attack HR, you can find out the town I grew up in, or what school I went to”, which may be a security question answers, because HR has your CV, explains Keely.

Because of the value of this data and the growth in the number of attacks during pandemic remote working, Keely calls on HR departments that are yet to implement multifactor authentication (MFA) to do so now. “HR has an obligation to protect people data” and the best way to do that is “through an additional layer of authentication”.

“If you won the lottery tomorrow, and you opened a bank account and put in $2 million, and the bank had no MFA, and they said ‘just log on with a username and password’, you wouldn’t want to keep your money there”, notes Keely. So why would you treat HR data like that?

“If I am going to access a HR system, there should be an additional layer of security between you and the HR system”, according to Keely.

He notes that this should be accepted and understood by employees since they are used to MFA for their banking and their iPhones with fingerprint or Face ID.

HR and zero trust

Another suggestion Keely has for HR team is to rely on a “concept in IT called zero trust”. This is where systems and teams validate people logging into a company’s network or its applications.

He explains this is similar to what happens at the airport – no matter how many times you have flown out of that airport, you have to authenticate your identity and your flight number with your passport and boarding pass, then they assess you with the metal detector.

“The opposite of zero trust” is just using a username or password to log on and access all resources. But “with zero trust, we would add another layer”, which is the assessment part, notes Keely. This could be around your location or the device itself.

If the system and teams are unable to authenticate and assess your device as safe, then they will not let you have full functionality in the network. For instance, it may let you look at your emails, but you will not be able to download or upload files or print.

This is known as conditional access. “If it is possible to take your HR application [and data], and put it behind a zero trust infrastructure, that is going to be your safest bet”, notes Keely.

Investing in cyber training

While Keely lays out all the things that HR and IT must do to keep employee data as safe as possible, he is very clear cybersecurity is not only the realm of HR and IT.

“If we are depending on IT for security, then we have no chance”, Keely notes. “You have to depend on everyone being secure”, and to achieve that HR needs to do is invest in education and training.

It is clear that companies are already on the case, with the security training awareness market set to reach $10 billion annually by 2027; this ten times its value in 2014.

Examples of tech providers that can help companies with their security training are Barracuda Networks and its simulation training and UK GCHQ accredited The Defence Works.

Of course, the need for training is becoming even more important as remote work looks set to play a role in the future of work. As well as the fact that state-sponsored cybercrime is likely to rise given the US’ relationship with Russia and China is hardly improving despite the change of administration in January.

Despite this, Keely remains optimistic about the future.

The likes of “Microsoft, Google, Amazon and Apple have the firepower (aka the cash) to build data models to protect us”, he explains. So far, the balance of power has been in hands of the attackers, but that could definitely start to change.

In addition, “more and more people are starting to realize that you personally can be victim of cyber crime and you could lose any disposable income you have,” he concludes. This worry will hopefully mean they will take any workplace cyber training more seriously.