If you are looking to build agility into your practice, a move to the cloud is inevitable. However, with greater freedom comes increased individual responsibility from your staff to ensure the security of the network. In 2020, malware increased by 358% overall and ransomware increased by 435% from the year previous, according to New York–based cybersecurity company Deep Sink, as reported by Help Net Security.
If you have only one physical office location, you can build security on a centrally protected model. The server is physically contained, and good IT providers will limit the number of IP addresses. As firms allow their workforce to become more distributed and move data into the cloud, they will need to add virtual barriers for protection.
This article offers lessons learned from the security teams of globally distributed technology companies (including Salesforce and Slack, where I currently work) and from best practices and interviews with IT support firm Agile Networks.
Before we jump into solutions, a quick primer on common cybersecurity terms and their definitions, with help from the SANS Glossary of Security Terms.
Ransomware is malware that holds an individual’s or firm’s data hostage until the victim pays a ransom to regain access. Attackers have become more sophisticated, often targeting an organization’s backup files before hitting the active ones, and then sending out the notice that your entire system is in danger.
Social engineering is the art of manipulating people to give up confidential information, often through an email that appears to come from a friend or a trusted source.
In phishing, attackers try to get individuals to disclose account and financial information through email or to send money to them directly, often in the form of gift cards.
Smishing is phishing via SMS, or text messages to your phone, through which attackers try to encourage people to click on suspicious links or call a number to access additional information.
The following steps will help offices with a hybrid workforce move to the cloud and provide low-hanging strategies to upgrade security.
1. Move Everything to the Cloud
At the start of the pandemic, much of the slowdown was due to the limitations of physical networks in the office that were not appropriately sized for every employee to access them remotely. This was particularly true for small and medium firms. The speed of a physical network is limited by factors such as your network provider’s bandwidth, which is divided over the number of users accessing the network at any given time. Moving your firm’s files and software systems to the cloud (think Autodesk 360, Dropbox, or Amazon Web services) comes with a lot of advantages.
- Reduced Cost. While you will need to make initial investments in hardware, moving your file management system to the cloud can result in long-term cost savings. Maintaining, updating, and creating backups for a physical network is expensive and time consuming, particularly if your firm is running its own physical backups. (One of my past employers did this twice a week). It also means that you or your IT specialists need to understand when to increase the network capacity or update the hardware. Running applications off the cloud also means your investment in computers can go further due to a reduction in the processing and memory capacities that are required to run modeling programs locally on individual computers.
- Scalability. Cloud-based services give your firm the ability to scale up and down based on your needs by simply editing your subscriptions to cloud products.
- Disaster Recovery and Business Continuity. With your firm’s data stored on the cloud, you do not have to worry about the physical location of your data or its backups. Cloud-based recovery solutions are available in many formats that service different organization sizes. As long as your employees have internet access, they can access the data they need.
- Data Security. A security breach to a physical office network can compromise data security, especially if laptops or computers are stolen. When your data is on the cloud, you can delete confidential information remotely or move it to a different account, cutting off access to those who have your hardware. Cloud providers are still subject to cyberattacks. However, few, if any, architecture firms can afford the level of cybersecurity teams that the cloud providers deploy. Service providers have become more sophisticated as well; Dropbox, for example, has the option to store the entire history of any file from a project’s inception to occupancy.
- Increased Collaboration. When everyone is accessing, editing, and sharing documents at any time, from anywhere, they’re able to do more together, better. Operations, policies, and procedures for cloud-based workflows and sharing apps help provide updates in real time and enable each employee to know what everyone in the office is working on.
2. Provide Tech Support for Remote Team Members
All firms, regardless of size, have that go-to person or people for in-house IT support. With a hybrid workforce, reaching these individuals is harder. As you set up your digital headquarters (see my previous article, "7 Tips for Managing Teams and Productivity in a Hybrid Workplace"), you should create pathways to reach these experts when people need support. For example, a firm might have a digital message board, dedicated to technical questions, where anyone can ask a question for experts to quickly answer.
3. Use a VPN
Without a virtual private network, you will have no privacy online. A VPN essentially creates an encrypted tunnel for sending and receiving data over the internet to and from computers. Employees may be reluctant to use VPNs because they can slow connection speeds—which inevitably happens due to a VPN’s encryption process. However, the speed reduction should be negligible for a high-quality VPN, which has become essential for firms since more employees are connecting to wireless networks from anywhere, including public spaces.
4. Understand Common Cybersecurity Terms
Agile Networks report that 43% of cyberattacks target small businesses because their systems are easier to attack. Since attacks are unavoidable, businesses should take a defensive posture and develop a cybersecurity response plan that, at a minimum, outlines whom you should call and simple protocols to take when an attack occurs.
5. Implement Simple Security Measures
Individuals can take personal precautions both as company employees and as private citizens to thwart cyberattacks.
- Two-Factor or Multifactor Authentication (2FA & MFA). More software developers are requiring multifactor authentication before users can access their accounts. For example, your phone might receive a six-digit code after you’ve entered login and password information on a computer. Google and Microsoft have created solutions that send a notification to your phone asking if you just signed in, and you have to enter a number that changes every 30 seconds or so on their authenticators.
- Single Sign-On (SSO). A growing number of cloud-based software applications allow businesses to create SSO protocols that give users access to different programs with one complex password. This helps admins or whoever is in charge of license distribution to give—or revoke—access to any of those applications. SSO can work in tandem with MFA.
- Password Managers. In lieu of or in addition to 2FA and SSO practices, cybersecurity experts also highly recommend the use of password managers. Why? How many passwords or derivations of the same passwords do you use across multiple accounts? Password managers will both generate and keep track of the ridiculously long, crazy, and random passwords across your accounts while making them easy to retrieve when you need them.
- Education. According to Agile Networks, 95% of all cyberthreats are preventable through employee education. Make sure your employees are aware of the threats and follow company protocols you have put in place to protect data. For example, let it be known that partners will never contact anyone digitally to ask for or distribute gift cards.
This is the fifth article in Evelyn Lee, FAIA's series on building and running a successful hybrid practice. The views and conclusions from this author are not necessarily those of ARCHITECT magazine or of The American Institute of Architects.