How can businesses redefine their BYOD IT strategy in 2022?


 

Pandemic “quick fix” BYOD strategies are simply not enough in 2022.

BYOD policies have been a hot topic for a while now, even before the pandemic. But now that hybrid and out-of-office working has become the norm and is here to stay, BYOD strategies need to be reconsidered.

 

Specific examples of BYOD/IT strategies and how these have worked practically, including benefits and drawbacks:

BYOD (Bring Your Own Device) strategies usually work best for organisations when they are limited to mobile phones. After all, the days when employees had a company mobile phone are coming to a close, and for good reason. Most people have their own personal mobile device that can be used for work tasks, so why have two phones?

Indeed, the rise of ‘soft phones’ means that giving out a personal mobile number instead of a business number is no longer necessary when dealing with corporate calls or texts. This allows businesses to keep better control of their telephone numbers, which are, in effect, company assets.

Also, some employees might feel reluctant to use their own phone data for business activities. This issue has progressively faded, however, as most phone contracts now include unlimited calls and data bundles. Whilst businesses don’t need to cover the whole cost of data and calls, providing a nominal allowance can be a good way to deal with any reluctance.

 

Is there a flexibility versus security consideration to be had, or is this a false dichotomy?

For a large percentage of workloads, the security that can be implemented on a company device is often significantly greater than on a personal device. However, if businesses want to find a balance between flexibility and security, one option is to choose a CYOD (Choose Your Own Device) strategy, which gives employees a feeling of choice, but one that is balanced by the security controls required by an employer.

That said, we would expect BYOD strategies to be more widespread across businesses in the coming years. This is because more and more applications and systems are becoming either web or cloud-only solutions, particularly as interoperability and usability improves to support a hybrid workforce. Until then, the application stack in organisations isn’t quite where it needs to be.

 

Why are pandemic “quick fix” BYOD strategies not fit for purpose in 2022?

When the pandemic first hit, many organisations rushed into a quick fix by making BYOD arrangements in a bid to keep their staff and their business operating. However, a substantial number of companies simply haven’t re-evaluated their risk profiles since implementing these systems, nor have they evaluated the technical and policy-based controls that are required.

This is a significant concern that organisations should look to address urgently, alongside other measures they should consider taking, such as a review of methodology and ideally bringing in a formal IT security governance framework, such as ISO 27001 or IASME.

 

How can attackers take advantage of vulnerabilities and misconfiguration in devices and networks?

Any significant holes in an organisation’s security will be found and exploited by attackers in the current cyber threat landscape. These vulnerabilities may be as small as a simple missing security patch, an insecure home or public WiFi network, a misconfigured local firewall, or even an employee who is unaware of current threats. Whichever gap in security it is, an attacker, or one of their automated systems, will find it, especially as they are incentivised by financial gain. Indeed, the global cybercrime industry is now worth over £6 trillion – three times the size of the crypto market – so companies have everything to gain from investing in their IT security to protect them from cyber threats.

 

If you’d like to talk IT Security or Consultancy with us, get in touch here.

Endpoint security in an agile world


Endpoint security has evolved significantly over the last 2 years.

The old signature-based antivirus and basic firewalls are simply not enough to protect businesses from an endpoint breach, be it a laptop, desktop or a mobile device. The threat landscape has grown massively through COVID, and endpoints now sit outside the protection of the corporate network en masse. How the endpoint is protected is going to vary by the workload and application sets used within an organisation.

 

Endpoint Security for SaaS platforms and legacy applications

There are two main camps. Those who are predominantly web based, say using Office 365 and a couple of line-of-business applications that run on a SaaS (Software as a Service) platform. And those who run a mix of legacy applications, probably with Office 365 and perhaps Citrix or Windows Remote Desktop. There are of course those who use technologies such as AVD (Azure Virtual Desktop), but for simplicity we’ll bundle them into the latter camp. In reality, the risks to both are similar and need to be assessed.

 

Layering is key

The key to protecting all endpoints and ultimately all organisations is to have numerous layers of defence. You can’t simply rely on a single control – because if that fails, or has a security vulnerability, then it’s probably going to be breached. The cybercrime industry is simply enormous, global, relentless and moves at lightning speed.

The more controls and the more checks and balances you have, the more chance you have of another control picking up and stopping exploits. This isn’t about doubling up, it’s about using a number of controls that protect against primary risks but may have some overlap. It’s not just about technology, so organisations really need to work on their risk registers to understand how they are controlling against certain risks and where they are thin.

 

Information Security Management System

Ideally, organisations should be looking at implementing some form of ISMS (Information Security Management System), such as ISO 27001 or IASME, to continually evaluate, test and improve their IT security.

It’s now critical to have a framework to manage endpoint security, as things are moving so fast. A business can’t simply rely on IT support and security teams to be responsible for data security. It’s the board’s responsibility to make the decisions on how they are going to protect against particular risks, divert budgets, etc. It’s not the IT team that regulatory bodies such as the ICO, FCA or SRA will punish if there is a breach. Neither will clients or the media be fobbed off that it’s an IT issue, especially if there is no ISMS in place.

 

Simplify IT environments

As a general rule, all organisations need to be focused on simplifying their IT environments. Over the years there has been too much bloat, in terms of too many applications, servers and data. This bloat has led to complexities.

The more complex an IT environment, the more difficult it is to secure. Simplifying the environment has to be a primary focus in this new world. Depending on needs, you can generally simplify, and ultimately secure, the endpoint by not having any data or applications running on it beyond the bare minimum. The larger the attack surface, the bigger the danger of an exploit.

This isn’t always going to be possible of course, but where it is, technologies such as Azure Virtual Desktop, Remote Desktop Services and the like do have their place.

 

Endpoint Security of BYOD (Bring Your Own Device)

More and more organisations are again talking about BYOD (Bring Your Own Device) coming out of the pandemic. In certain circumstances BYOD can be extremely beneficial for a business, for example when giving a third-party contractor access to a web-based portal, obviously with some security measures such as multi-factor authentication. However, as a general business practice for all staff, BYOD is not a good idea, because in the main it’s difficult for an IT team to really lock down someone’s own device properly.

There are various container type solutions that isolate data and applications from the underlying operating system that can be used, but depending on what information that employee is dealing with you might want greater control and monitoring of the device. You can’t really do that on an employee’s personal device without impinging on their privacy.

 

Can CYOD help solve Endpoint Security issues?

One good solution can be a CYOD (Choose Your Own Device) initiative as a sensible middle ground. That way people get the tech they prefer, but the business can overlay whatever security solutions it likes. In particular, SIEM solutions and advanced endpoint protection solutions are becoming more and more critical.

 

What risks does an endpoint face?

The bulk of the risks that face the endpoint come over the network: a direct attack against an interface, eavesdropping and man-in-the-middle attacks, or threats delivered through an application such as a web browser or email client. Once the endpoint is breached, any follow-on breach of the main corporate network is also going to come from this device.

This is why it’s essential to get some control of the connections to and from the endpoint with technologies, such as SASE, CASB and VPNs. It should be noted that generally traditional VPNs are cumbersome and still problematic, and not ideal in a hybrid world.

 

Next Steps

If you’d like a free initial review of your security controls, without any obligation, please fill in your details here and one of our team will get back to you.


Being a CISO in 2021 – our Head of Security David Clarke

Our Head of Security, and CISO Service lead, David is recognised as one of the Top 10 influencers by Thomson Reuters, and a Top 50 global expert by Kingston Technology. He is also one of the Top 30 most influential thought leaders and thinkers on social media in risk management, compliance, and regtech in the UK.

 

In his role as Head of Security at QuoStar, David leads the CISO Service. The CISO Service provides businesses with the cyber-security skills and experience necessary to manage the multitude of threats and the rapidly changing risk landscape of today, on a flexible and cost-efficient basis. David takes a moment to share his views on it all.

 

1. How did you get started in the security field and ultimately become a CISO?

David: I was around when some of the first viruses went mainstream. Back then I worked for one of the only companies that made Multi Factor Authentication systems in the ’90s. It was “leading edge” at the time.

I built and ran one of the largest commercial remote access platforms using Multi Factor Authentication. Then I ran Infosec for some FTSE 100 companies, one of which was the largest private trading network in the world – trading 3.5 trillion dollars a day. Another was managing Global Security Services Operations Centres (24/7) across 4 continents, where most of the customers were FTSE 250.

 

2. What do you enjoy most about working as a CISO Service resource/consultant?

David: Meeting challenges of audit, due diligence, and breach management.

Audit is getting more involved and complex and due diligence is often 300-400 questions and an “interview” with the compliance department of potential customers.

Breach management is about managing with around 10% knowledge of the situation and making decisions in a very short time for the best outcomes – while ensuring buy-in from the board. They always seem to happen on Friday evening!

 

3. As Head of Security, what challenges or issues do you regularly see in small and mid-market businesses? Why do you think the same issues keep occurring?

David: 1. Robust management of access and privilege. 2. Managing risk consistently. 3. Not aligning cyber security with data protection requirements – as they overlap at a core level.

If you have control of the information assets, servers and cloud, information security is much easier to manage. It enables savings in resource and effort if this happens, and can demonstrate control and improvement to the business.

 

4. How do you think the security landscape has changed in the last five to ten years?

David: As a CISO Service lead, I believe it is managing the hybrid of internal servers and cloud – and managing the challenge of access control. The company boundary is very fluid, especially where ‘what’s company and what’s personal’ is concerned.

One of the best frameworks is ISO27001. It is good for demonstrating accountability and decision making. It also aligns with SOC2 and parts of HIPAA quite well.

 

5. What do you think will be the emerging risks businesses need to consider in the next 1-2 years?

David: It used to be technology first, then followed by making technology safe and compliant. Now technology needs to be safe and compliant first, and performance orientated second – along the lines of what has happened in the automotive, aerospace, building and food industries.

The risks potentially surround the technology itself not having enough security management capability, or that if it does, it can be resource intensive. There’s also the globalisation of threat actors and the capability of managing multiple global data protection regulations.

More recently, the US Biden government issued a memo to US businesses on June 2 which, in summary, stated the 5 best practices – one being Multi Factor Authentication. Other important aspects are multi-pronged backup, updates, incident response, external testing and network segmentation.

 

6. Has the Covid pandemic exacerbated security concerns or introduced new ones for businesses to deal with?

David: Probably, due to homeworking and fast transformations of moving office servers to the cloud, as well as an increase in ransomware attacks, an increase in data protection legislation globally and the increase in corporate security due diligence concerns.

It has been an increasing challenge for a Head of Security. We have seen an increase in demand from due diligence enquiries, especially for more detailed homeworking policies and guidelines. So, the lines have blurred as to what is home device or a work device. The “physical office” is now the home office, and mandating rules now have to be guidelines that are appropriate – as well as using more layers of defence to protect staff and corporate assets.

 

7. Do you think businesses focus too much on the technical/technology element of security (e.g. AI solutions)? What other areas do they need to consider?

David: Potentially yes. Without an end-to-end strategy, security technology “tactics” are unlikely to see an ROI (Return on Investment).

As Head of Security, I see the human element of security is also overlooked quite often. Especially when you consider that almost half of all security breaches are caused by human error. This is even more disconcerting when you consider that only 60% of employees will report a security breach too.

We are actually hosting a free webinar on that subject on 29th July 2021 at 1pm, so if you’d like to know more register for free.

 

8. How important is cyber-security education? What are the challenges for a Head of Security conveying the risk/educating business? Who in the business needs to receive education/training and how often?

Education is very important, as is having the appropriate training for each role, ideally aligned to the company’s risks – so that maximum benefits can be realised; e.g. developers would require different training from HR staff, as the risks they are managing are different.

Of course, there will always be a need for baseline cyber and data protection training. You can find out more about what Security Awareness Training there is available for employers and employees in our article here.

 

9. Do you feel there is a security skills/talent shortage? What advice would you give to businesses to combat this?

David: I’m not entirely sure. If there is a shortage, there is definitely a misunderstanding of what skills are required.

Personally, I would align the risks and the strategy, then decide what skills are required to make it happen. It may be that companies would benefit from outside help – to formulate the strategy, and always have access to a range of skill levels onboard to achieve skills resilience.

The other issues that many companies seem to come up against are 24/7 and global, so having just one capable Security resource will not be enough to cover these time periods.

 

10. As Head of Security, what advice would you give to businesses who want to reduce risk and increase their security posture?

David: Manage Risk regularly with key stakeholders.

Ideally, do not remove a risk or lower a risk without evidence from at least one of the following: a policy, procedure, penetration test, internal audit, external audit or risk committee approval. This will demonstrate accountability and assist in managing data protection, to enable a defensible position in the security posture.

Ensure a multi-layer approach to security. Utilise things like Access control, least privilege, Approved applications, strong email defences, layered endpoint security, centralised control of endpoints and access, plus multiple point backups.

 

11. If there was one security investment you could recommend to businesses what would it be and why?

David:

One piece of tech most companies aren’t using

To keep companies ahead, Secure Access Service Edge will help with Cyber security and Data Protection. The ROI is great! It releases staff time, and the payback can be in months.

One framework

You can manage risk and accountability using the ISO27001 framework. If you are not going to be certified, ISO27001 also helps align with NIST and SOC-2, and can help align some components of data protection. It can clearly demonstrate accountability.

Training that is focused on the role in the business is most appropriate, using the “incident” metrics to tailor training and technology requirements.

One practice

Have a data/cyber champion in every business function so you’re able to manage threats and risk and increase incident reporting capability, to enable “real-time” issue management.

 

We hope you found David’s current take on cyber-security insightful. During his career David has worked across multiple sectors, including financial services, government, utilities and FinTech, working with a variety of clients – from start-up level and SME up to FTSE 100. He previously held the role of Global Head of IT Security at BT and Radianz (formerly Reuters). He’s also been responsible for managing the security infrastructure and delivery of ISO 27001 for multi-billion/trillion-dollar environments. He is also an active CISO consultant on our CISO service offering.

Find out more about how to improve security within your business by signing up for David’s free webinar, The Important Role Your People Play in Cyber-Security, on Thursday 29th July at 1pm.

 

Book an online review with QuoStar’s consultancy team today.

 


Security Awareness Training FAQ: Why it’s absolutely vital for every employee

FAQ: Security Awareness Training - Benefits and Best Practice Tips

In 2021, experts estimate there will be a cyber-attack incident every 11 seconds.  

That’s twice what it was in 2019. 

And four times the rate five years ago. 

These shocking statistics probably aren’t even that shocking. Every Director knows that security is a pressing issue. It’s a topic of conversation in every board room and a significant budget has been allocated to invest in various security measures and solutions.  

However, there’s a weak link in the business which is often overlooked: your employees. While they might not mean to put the business at risk, their actions can do just that.

From clicking on links in phishing emails and actioning fraudulent bank transfer requests, through to connecting to insecure Wi-Fi networks and sharing personal data incorrectly, all these actions can result in a breach or successful attack, causing financial and reputational damage.

Most employees are not malicious, they simply are not aware of the risks. They don’t understand that they are a target, and they don’t know how to spot the danger signs.  Many don’t understand that security is their personal responsibility and even fewer understand sensitive data privacy best practices. Thankfully, this can be easily addressed with effective security awareness training. In this article, we will cover the benefits and types of security awareness training, as well as best practice tips to follow for an effective program.  

What is security awareness training?

Security awareness training is designed to educate employees about the important role they play in helping prevent information breaches. It provides formal education about the types of risk facing the business, how employees might interact with them or be targeted by them, and how their actions can have a positive or negative effect.

‘Real-life’ scenarios – for example, demonstrating how their response to a phishing email could cost the business thousands of pounds – are often included to drive the message home and show the employee what a breach would feel like.

Quizzes, questionnaires, and games can also be used to test employees’ knowledge post-training and identify any weak spots. There are also various online systems that train and test employees in an automated manner, flagging those users who need additional focus and training. 


Turn your employees from a SERIOUS RISK into A STRONG LINE OF DEFENCE.

Sign up for our free webinar: Going Beyond Technology – the critical role of your people in cyber-security.

 

Why is security awareness training important?

Security awareness training ensures everyone in the business is aware of the threats and how they might present themselves. It helps build a security-aware culture and encourages everyone to follow best practice. For example, instead of the accounts department immediately actioning a bank transfer due to an email from the Financial Director, they know to double-check the request with another method (e.g., a call, a Teams message).  

A more security-aware culture will significantly reduce the chance of a successful attack against your business. Research found that security awareness training could reduce the threat of socially engineered cyber attacks by up to 70%.

Training is also a requirement for compliance purposes in certain industries. The Financial Conduct Authority (FCA) states: 

“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software, and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”

Types of security awareness training

  • Phishing – Trains employees to recognise potential phishing messages by demonstrating what could happen if they respond to one.
  • Passwords – Promotes password best practice, ensuring strong passwords are created and are not reused across multiple accounts or shared with others.
  • Privacy / PII – Shows employees how to protect personal information in the business, including that of clients, prospects, colleagues, and partners.
  • PCI Compliance – This training is required to comply with the PCI DSS (Requirement 12.6). It educates staff on the requirements, roles and processes and demonstrates the severe financial and reputational damage of a payment card data breach. It reinforces best practice to help staff actively keep card data safe and reduce the likelihood of a breach.
  • Ransomware – Demonstrates to employees just how easy it is to be attacked and the destructive consequences.
  • CEO/Wire Fraud – Fraudulent emails designed to trick the employee into thinking they are responding to the CEO (or another senior executive) show them how easy it is to be conned. Helps employees recognise the first signs of risk and encourages the practice of double-checking when unsure how genuine a request is.
  • Data in Motion – Teaches employees data security best practices to ensure vulnerable data is not put at risk. Highlights the dangers of behaviours such as sending company attachments to home email accounts, copying company data to personal cloud storage, and plugging ‘found’ USB drives into company devices.
  • Office Hygiene – Educates employees on the importance of physical security, demonstrating the risk of unsecured paper, unlocked screens, open buildings and more.
  • GDPR – Ensures all employees are aware of and understand data privacy rights – and the severe penalties for breach or non-compliance.
  • Social Engineering – Trains employees on the various methods and guises attackers may use to gain illegal access to their computer, including phone, email, mail or direct contact.

How often should you train employees?

Ideally, every four to six months. There are various software solutions that test and train users more frequently than this, perhaps weekly, however they do not cover all areas of cyber-security. 

Research found that after four months, employees were easily able to spot phishing emails but after six, they began to forget the learning. Although this research was specifically about identifying phishing emails, it can be applied to all types of security awareness training.  

However, it is up to you to determine the right cadence. Use this timeframe as a starting point. In the beginning, you may need to test employees more frequently.

The key is to strike the right balance. Employees need to be informed and educated, but you want them to be proactively engaged. Training that occurs too frequently risks becoming a chore and treated as a tick box exercise. Employees rush to get it done, rather than engage with the learning, as they know they will have to do it again in a few weeks.  

How expensive is security awareness training?

The cost of security awareness training will largely depend on the provider, the type of training and the number of employees. Some providers offer tiered pricing with different training methods at each tier. As an example, some of the automated training and testing systems, particularly around phishing and ransomware, can be in the region of £12 a year per user.

However, with the average cost of a data breach at $3.86 million, the cost of your training program is unlikely ever to come close to the cost of a successful data breach. In fact, research shows that companies with fewer than 1,000 employees will see an ROI of 69% from a security training program.

Best practice tips for an effective training program

Effective training needs to deliver the right information, at the right level, at the right time.  

1. Repeat, repeat, repeat

Staff will only recall approximately 90% of training after a month. So, a programme of sustained and repeated training is the best way to ensure knowledge retention. 

Plus, the cyber-security landscape is rapidly and constantly developing. New threats occur all the time and you need to equip your staff to deal with them.  

2. Gamify your training

Mandatory training can seem dull, leading employees to switch off and become disengaged. You need to ensure these important messages are hitting home. Experiential learning through game-like approaches can help some staff members remember things more effectively.

Studies show that using humour and entertainment in the training process boosts engagement. Nearly 60% of employees prefer training which mixes serious and entertaining content.

3. Break training down into manageable chunks

Hours of back-to-back training is unlikely to engage anyone. In fact, your employees will probably just see it as another ‘tick box’ chore – not ideal for building a security-aware culture. Instead, break your training into bite-size chunks, spread out across the year.  

4. Try different methods

Employees all have different methods of learning. What suits one may not suit another, so it’s important to switch up training delivery. Posters, books, quizzes, games, interactive demos and small group training are just some of the ways to educate employees. Unfortunately, you can’t just buy an online training and testing package and believe that’s your training box ticked. 

5. Cover a range of topics

While phishing is a top attack vector, it’s important that your training does not focus solely on one area. You need to educate your employees on a wide variety of topics, including those which they might not connect directly with the workplace. For example: 

  • Not to overshare information on social media 
  • Dangers of public Wi-Fi and how to use it safely 
  • Not to plug unknown USB devices into corporate devices 
  • How to manage passwords 

Are you ready to build a security aware culture?


IT Risk Management: The board of directors’ strategic role in managing IT risk

IT Strategy: The strategic role of the board in IT risk management

We all know that IT brings a wealth of benefits to any business, from allowing employees to work more effectively and supporting better collaboration and communication, through to enhancing service delivery and increasing customer satisfaction. Technology is now involved, in some part, in almost every area of operations and every critical process – regardless of the sector or size.

However, the more entwined IT is with the business, the greater the potential exposure to IT risk. These types of risk can have a catastrophic impact, so it is vital that businesses identify IT risks, take steps to control them, and develop a robust response plan in the event of an IT-related crisis.

What is IT risk management?

IT risk management is the set of policies, procedures, and technologies a company uses to protect its business from threats and mitigate their impact. It is essentially focused on reducing technology vulnerabilities which can affect the availability, confidentiality, and integrity of systems and data.

By identifying and evaluating potential IT risks, businesses can be better prepared for potential threats, minimise the impact of an incident and recover faster should something happen. Managing IT risk also helps guide further strategic planning by ensuring risks which may impact the business achieving its goals and objectives are identified and controlled effectively.  

What are some examples of IT risk?

Threats to your IT environment can occur internally or externally, and they can be unintentional or deliberate. The potential risks are numerous, but can typically be broken down into the following categories:

  • Physical Threats: As a result of physical access or damage to IT resources. This could include theft, fire or flood damage, natural disasters, extreme weather, or unauthorised access to confidential data – either internally or externally.  
  • Security Threats: Where cyber-criminals or other malicious actors attempt to compromise your business. This could include computer viruses, malware, ransomware, phishing/vishing, business email compromise (BEC), and other targeted attacks. Or it could involve the business, or an employee, falling victim to a fraudulent website or email.
  • Technical Failures: Such as software bugs, unpatched software, system weaknesses, computer crashes or complete failure of a core piece of infrastructure. Technical failures can be catastrophic, for example, if a hard drive was corrupted and there was no way to retrieve the data. This could also include legacy technology which is difficult and expensive to maintain. 
  • IT Management Failures: Where a company fails to embrace new technologies or methods of working, which result in lost opportunities and reduced productivity and efficiencies. It could also include failing to deploy new software releases or updates, leaving the company open to bugs or security flaws which could be exploited by cyber-criminals. 
  • Infrastructure Failures: This could include things like the loss of your internet or telephone connection. 
  • Human Error: Such as an employee accidentally deleting important data, failing to follow security procedures properly, or losing a corporate device.  
  • Supply Chain Error: The disruption of critical IT processes outsourced to IT service providers and vendors. 
  • Operational Risk: The risk of technological failures disrupting core business processes. 
  • Compliance Failure: The failure to comply with industry or geographical regulations (e.g. GDPR) or regulatory bodies (e.g. the FCA, ICO). 

Board accountability for IT risk management

Why does the board of directors need to be involved with IT risk management?

It’s understandable why businesses may think that IT risk management is the sole responsibility of the IT department. After all, it concerns risks related to the use of technology, and technology typically falls under the IT department, so that is where IT risk management also lies.  

Yet, technology isn’t the whole story.  

A simple technical failure, such as the email system going down, can affect multiple teams across the business as well as clients and prospective clients. Depending on the length of downtime, this can result in lost productivity, lost revenue, and reputational damage. All of which will be reflected in the bottom line.   

IT risk affects the whole business. Not just BAU operations, but the long-term goals and objectives. This risk must be considered and evaluated when determining the strategic direction of the business, which is why it is essential that the board of directors take ultimate accountability for it. 

The IT department should certainly be involved in the process, as they will have a wealth of knowledge and understanding of the technical risks and the changing landscape, but it’s essential that the board understand the commercial impact as well. They need to know what the IT risks are, what the potential impact is, and the likelihood of that risk occurring, in the context of the business environment. 

Only with this information can effective planning and resource allocation take place. Personnel may need to be allocated to undertake projects to address certain risks. The budget may need to be redistributed, allocated, or increased to take mitigating actions. It all depends on the board’s appetite for risk, but again, this tolerance level can only be determined with a complete and clear understanding of all the risks.  

Of course, this is not to say that board members need to involve themselves in the minutiae of day-to-day monitoring. Everyone within a business has a role to play when it comes to successful IT risk management. Once the risks have been identified, categorised, and catalogued, responsibility can then be cascaded to senior personnel. They would then hold responsibility for identifying plans to mitigate that risk, and regular monitoring.  

However, IT risk management should be a standing item on the board agenda. This is not an item which can be ticked off the to-do list. It is an item which needs to be reviewed and re-evaluated periodically. The rapid pace of change in the technology and business landscape means not only do the identified risks change, but there are new ones to review. There will be new technology to consider, which comes with its own complex risks. The context in which you evaluate these risks will also change as your business develops. What was once a high risk may become lower, or vice versa. As businesses are required to be more agile in practice and operation, so must they be too when it comes to IT risk management.  

Taking accountability for risk

IT risk management is a business investment. One which will help companies safeguard their ability to achieve their long-term goals. It requires commitment at board level and continual review. The pace of change in the IT landscape is so rapid that not only are there new risks developing all the time, but there is the risk that the business will be disrupted if it does not take advantage of opportunities. 

The process requires a blend of strong IT and commercial expertise, as the board will need to strike a delicate balance when it comes to risk appetite. An extremely high tolerance could put the business in harm’s way with unnecessary risk from being on the ‘bleeding edge’. On the other hand, extreme risk aversion can stifle innovation and development, leaving the business lagging in the market and missing out on opportunities.  

Boards should not be afraid to seek external counsel from a CIO-level Consultant to manage this process. Even where a business has an internal IT resource, a CIO can provide additional expertise. For example, translating the technical risk identified by IT into commercial terms for the board and assessing the impact on business strategy.  

Get more from your IT with a strategic, on-demand CIO-level Consultant: We help businesses to use IT to gain security, stability and a competitive advantage in a rapidly developing marketplace. Click here to find out more.

9 essential cyber-security measures every business needs


What are the essential cyber-security measures every business needs?

In today’s digital era, advancements in technology are happening very rapidly. Therefore our defence systems against very real cyber-security threats must keep pace. If the correct measures aren’t taken, your business might be more at risk than you think. Here are 9 essential cyber-security measures your business can take.

Are you relying on the same security basics you were a few years ago?

It’s easy for time to pass unnoticed while all these advancements happen around us. Before you know it, you’re relying on the same old security basics to protect your business as you were a few years ago – firewalls, antivirus and intrusion detection software. Most people update their mobile phone software more frequently than that. So here are our 9 recommendations on how to keep your company more secure.

Why is it so important?

The truth is, we all feel impervious to cyber-crime and security breaches. It’s just something that happens to other people – until one day it’s not. Even if a direct financial attack is not a concern for a business because that’s locked down, many people are unaware of the intrinsic value of the data their business holds in today’s world.

Hackers aren’t just after your bank accounts.

Cyber-crime is now an industry that produces over £1 trillion in revenue for cyber-criminals. Ransomware can be used to encrypt a company’s files and hold them for ransom. Network penetration can enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power. Money can even be gained by using social engineering to persuade employees to transfer cash to a fake bank account.

9 steps to combatting cyber-threats

1. A Unified Threat Management (UTM) system

A UTM system is a combination of security appliances and acts as your gateway to the internet.

2. A SPAM filter

A Spam Filter stops potentially malicious files from entering your network via email.

3. Antivirus/anti-malware software

Antivirus and Anti-malware are applications that protect your servers, laptops and other devices from malware.

4. A patch management system

A Patch Management System manages the installation of software updates to close security holes.

5. 2-Factor authentication

2-Factor Authentication gives you a second level of security, preventing unauthorised sign-ins.

6. Device encryption

Device Encryption makes any data stored on the machine useless to criminals and keeps your data secret.

7. A regular data backup

Regular data backups mean keeping a copy of your business data at a secure off-site location in case the original is lost.

8. Content filtering

Content filtering prevents access to dangerous or illegal websites which reduces the risk of infection.

9. A disaster recovery plan

A Disaster Recovery Plan sets out how you will recover from an unplanned event such as a fire or cyber-attack.

 

Regulatory fines and costly lawsuits sting victims of cyber-crime too.

Keeping businesses cyber-secure is even more important since the implementation of the General Data Protection Regulation (GDPR – tailored by the Data Protection Act 2018). Businesses are responsible for their data leaks or breaches if the correct security protections/protocols have not been put in place. Hefty regulatory fines can be levied, and costly lawsuits can follow for the victims of a cyber-attack or security breach.

All businesses should ideally be looking into taking more than just the bare minimum steps to keeping the company cyber-secure, but it’s at least these 9 steps that start the journey in the right direction. The next step beyond the basics is to become Cyber Essentials certified.

Cyber Essentials is a Government-backed Accreditation

Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.

Cyber Essentials still covers fairly basic security concepts, such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already – it can improve your company’s image as well as open you up to working with more cyber-conscious clients.

If you want some help implementing the basics, or would just like some friendly advice, contact our team today.


How to make remote working secure: 13 best practice tips to increase security


As businesses scrambled to suddenly support much larger, permanently remote teams, certain cyber-security policies and procedures fell by the wayside. Simultaneously, cyber-criminals capitalised on the uncertainty, confusion and panic caused by the pandemic and found new opportunities to attack, via remote workers and unsecured technologies. 

Remote Desktop Protocol (RDP) attacks were up by 400% in March and April alone, while COVID-19 related email scams skyrocketed by more than 650%. A survey by Verizon found users were 3 times more likely to click on pandemic-related scams, putting businesses at greater risk of credential theft, data breaches, malware and more.  

Remote working is not going away. In the UK, businesses will be subject to at least several months of restrictions. Yet, even when things do return to ‘normal’, it’s unlikely that operations will be the same as they once were. It is imperative that businesses prioritise making remote working secure to prevent themselves from falling victim to a breach or serious attack.  

13 ways to make remote working secure

1. Educate your employees

New scams, particularly revolving around business email compromise, arrive daily in relation to events, such as the pandemic or a legislation change. It’s important that your staff can identify a one-off or unique phishing scam or at least raise it with IT if unsure. Software can help keep staff sharp with phishing, but ongoing training is critical to protect the business from other methods of social engineering, such as via the phone.

2. Establish 24x7x365 security monitoring

The threat landscape has changed forever and so have the risks as the workforce works remote as standard. It’s essential to continually monitor the security of all infrastructure, cloud environments, cloud applications and end-user devices. The more devices outside the perimeter the greater the potential holes and entry points to an attacker. 

3. Establish advanced threat detection and response

It’s vital that you are aware as soon as possible when major threats appear. Security systems also need to be aware and rapidly notify you of any breach or attempted breach of your security. The system action and human response must be rapid to isolate and contain the threat, even if it’s not on your local network. It’s important to note here that the human element is critical; too many organisations are simply relying on slick-looking AI solutions, which on their own just don’t cut it. 

4. Deploy aggressive vulnerability management

Keeping systems up to date with the right security patches is more important than ever with a disparate workforce. Unpatched systems and system misconfigurations are a key focus for attackers. It’s important to scan networks, but also to use host-based scanning that allows remote workstations to scan themselves outside of the corporate perimeter. 

5. Monitor cloud infrastructure and applications

You must monitor systems that hold your data, even if you don’t actively manage them. Most cloud infrastructure and cloud applications, especially the likes of Microsoft, AWS and Google, provide large volumes of data that can be monitored for suspicious events and activity. 

6. Monitor the dark web for breaches

Corporate data, particularly passwords, appear on the dark web daily. This may come from large breaches, such as with LinkedIn or Adobe, but also from smaller malware attacks that have skimmed off information during an infection. More than half a million Zoom accounts are currently for sale on the dark web and, at only 1p per login, are extremely cheap to buy. It’s important to know when passwords and sensitive information are leaked, so that action can be taken to mitigate the associated risks. 

 


 

7. Ensure multi-factor authentication (MFA) is in place

Multi-factor authentication is a basic and essential security control, but too many organisations are still not deploying it to improve the security of their remote access. 

8. Don’t forget backups

Most of the attacks focused on the remote workers aim to deploy ransomware on a corporate network. To take that further, they are also looking to encrypt backups to ensure that a company can’t recover their data. Therefore, businesses should be looking at creating an air gap backup to protect against this threat.  

9. Run attack simulation training

Spear phishing is still one of the most common attack vectors. By running this type of training, you can see how employees would respond to real-life attacks and socially engineered campaigns. Results can be used to identify weaknesses and deliver personalised training to those more likely to fall victim to a breach attempt. 

10. Implement device risk and compliance checking

You need to ensure devices are secure before allowing them to connect to the corporate network and access resources. Personal devices often do not have the same security protocols and can open several weak points. Businesses need to have clear oversight of all devices connected to the network, be able to distinguish between personal and corporate devices, and be aware whenever a new device joins or tries to join. As it may not be possible to install additional security software on the device, businesses should flag it for unusual activity and put it on to a separate network.  
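The check described in step 10 can be expressed as a small posture-evaluation routine: each connecting device is compared with a baseline and either allowed onto the corporate network or placed on a restricted segment, with an alert raised for any device not already in the inventory. This is an added example, not QuoStar's code or any product's API; the device fields, the minimum OS version and the inventory entries are all constructed for illustration.

```python
"""Device posture check at connection time (added example).

Decides whether a device may join the corporate network or must go to a
restricted segment, and flags devices not previously seen in inventory.
All fields and sample devices are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    managed: bool          # corporate-owned / enrolled in MDM
    os_version: tuple      # e.g. (10, 0, 19045); compared lexicographically
    disk_encrypted: bool
    av_running: bool       # endpoint protection agent reporting healthy
    known: bool = True     # already present in the asset inventory


# Constructed baseline: the lowest build that is considered fully patched.
MIN_OS_VERSION = (10, 0, 19044)


def assess(device):
    """Return {'decision': 'corporate'|'restricted', 'alert': bool, 'reasons': [...]}.

    Only a managed device that passes every posture check reaches the
    corporate network; anything else is placed on a separate, restricted
    network. A device that is not in inventory always raises an alert so
    that IT is aware a new device has tried to join.
    """
    reasons = []
    if not device.known:
        reasons.append("new device: not in inventory")
    if not device.managed:
        reasons.append("personal/unmanaged device")
    if device.os_version < MIN_OS_VERSION:
        reasons.append("os below minimum patch level")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.av_running:
        reasons.append("endpoint protection not running")

    decision = "corporate" if not reasons else "restricted"
    return {"decision": decision, "alert": not device.known, "reasons": reasons}


def evaluate_inventory(devices):
    """Assess every device and return results keyed by device id."""
    return {d.device_id: assess(d) for d in devices}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("LT-001", "alice", managed=True, os_version=(10, 0, 19045),
           disk_encrypted=True, av_running=True),
    Device("LT-002", "bob", managed=True, os_version=(10, 0, 19041),
           disk_encrypted=True, av_running=True),            # behind on patches
    Device("PH-010", "carol", managed=False, os_version=(10, 0, 19045),
           disk_encrypted=True, av_running=True),            # personal phone
    Device("NEW-1", "unknown", managed=False, os_version=(10, 0, 19045),
           disk_encrypted=False, av_running=False, known=False),
]

if __name__ == "__main__":
    for device_id, result in evaluate_inventory(INVENTORY).items():
        print(device_id, result["decision"], "ALERT" if result["alert"] else "", result["reasons"])
```

In practice the posture fields would come from the MDM or endpoint agent and the decision would feed a network access control or conditional access policy; the point of the example is that the decision is made per connection, with the reasons recorded for review.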

11. Implement access governance policies

The rising threat of a breach, internally and externally, means it’s important for businesses to monitor and control who has access to key resources. Policies should assume the principle of least privilege (POLP) – giving users the bare minimum permissions they need to perform their role – and clearly define who has access to which resources and under what conditions they have access. With the right policies in place, it becomes easier to identify areas of ‘privilege creep’ and prevent stale accounts (e.g., ex-employee accounts which are still active).  

12. Manage privileged access

Employees are often given full admin rights as standard. However, increased access means an increased risk level. Instead, you should ensure employees are only able to access what they need to fulfil their job role and responsibilities effectively. There should be systems in place allowing administrators to respond to access requests and be notified of any unauthorised access attempts.  
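Steps 11 and 12 both come down to comparing what an account can actually do with what its role needs, and to noticing accounts nobody uses any more. The following added example (not QuoStar's code or a particular IAM product's API) runs that review over a constructed account export: a per-role entitlement baseline stands in for the access governance policy, anything beyond the baseline is reported as privilege creep, admin-level excess is rated higher, and accounts with no recent login are reported as stale. The role names, entitlement strings and account data are all assumptions made for the example.

```python
"""Access governance review: least privilege, privilege creep and stale
accounts (added example; all roles, entitlements and accounts are constructed)."""
from datetime import date, timedelta

# Constructed policy baseline: the minimum entitlements each role needs (POLP).
ROLE_BASELINE = {
    "finance-analyst": {"erp:read", "erp:report"},
    "helpdesk": {"ad:reset-password", "ticketing:write"},
    "sysadmin": {"ad:admin", "vpn:admin", "erp:read", "ticketing:write"},
}

# Constructed account export, as a directory or IAM system might provide it.
ACCOUNTS = [
    {"user": "alice", "role": "finance-analyst", "enabled": True,
     "last_login": date(2024, 3, 1),
     "entitlements": {"erp:read", "erp:report"}},
    {"user": "bob", "role": "helpdesk", "enabled": True,
     "last_login": date(2024, 2, 28),
     "entitlements": {"ad:reset-password", "ticketing:write", "ad:admin"}},  # creep
    {"user": "carol", "role": "sysadmin", "enabled": True,
     "last_login": date(2023, 10, 5),
     "entitlements": set(ROLE_BASELINE["sysadmin"])},                         # stale
    {"user": "dave", "role": "finance-analyst", "enabled": True,
     "last_login": None,
     "entitlements": {"erp:read"}},                                           # never used
    {"user": "erin", "role": "helpdesk", "enabled": False,
     "last_login": date(2023, 1, 1),
     "entitlements": {"ad:reset-password"}},                                  # already disabled
]


def review_access(accounts, baseline, today, stale_after=timedelta(days=90)):
    """Return a list of findings for enabled accounts.

    privilege-creep: entitlements outside the role baseline (high severity if
                     any of them is an admin entitlement)
    stale-account:   no login within `stale_after`, or never logged in
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts carry no live risk for this review
        allowed = baseline.get(acct["role"], set())
        excess = sorted(set(acct["entitlements"]) - allowed)
        if excess:
            severity = "high" if any(e.endswith(":admin") for e in excess) else "medium"
            findings.append({"user": acct["user"], "issue": "privilege-creep",
                             "severity": severity, "detail": excess})
        last = acct["last_login"]
        if last is None or today - last > stale_after:
            detail = "never logged in" if last is None else f"last login {last.isoformat()}"
            findings.append({"user": acct["user"], "issue": "stale-account",
                             "severity": "medium", "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ROLE_BASELINE, date(2024, 3, 4)):
        print(finding)
```

The review is deliberately a comparison against a written baseline rather than a judgement about individual permissions: once the policy states what each role needs, creep and stale accounts fall out mechanically, which is what makes it practical to run on a schedule.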

13. Adopt a zero-trust principle

The increase in cyber-attack frequency and sophistication, coupled with the hybrid nature of today’s IT environment, means traditional security frameworks are no longer enough. While businesses typically focus on defending their perimeters, assuming everything ‘inside’ is already cleared and safe, this is too open of an approach. Zero-trust is essentially about removing all automatic trust. Anything and everything which tries to connect to the system must be verified before access is granted – ensuring it is the right user, from the right secure endpoint, with the right access permissions, who is making the request.  

Remote working security is a critical issue

More than ever, businesses cannot afford anything which would harm their productivity, their reputation, or their bottom line. It’s understandable why measures may have not been fully in place at the beginning, but it’s imperative that businesses now make security a priority. 

To make remote working secure, businesses must take stock of their current security landscape, assess the risks, and take steps to improve and protect themselves. If you would like advice or assistance in doing this, to ensure all the bases are covered, please contact the QuoStar team for a no-obligation chat or initial risk review.  


Are you using WhatsApp for business communications? 2021 is the year to stop

Should you be using WhatsApp for business communication?

While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and it’s easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now many employees are working remotely. 

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, both apps announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.  

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share their personal information, such as names, profile pictures, status updates, phone numbers, contact lists, and IP addresses, as well as data about their mobile device, with Facebook and its wider companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside of Facebook’s European Region (including the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.  

Since the privacy policy changes were announced, WhatsApp has now said that it will not be sharing personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward next month, even if you agree to the new policy. For all other users though, there is no opt-out.  

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, they opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform. But nonetheless, WhatsApp stated that the change would not impact “how people communicate with friends or family” on the platform. The company also specified in a blog post that it would continue to provide end-to-end encryption for private messages, and it didn’t keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for your permission for the app to access your contacts. It requests that you ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience’. Agreeing to this means that all your phone contacts are accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to access their personal data, which could be a potential breach of GDPR.  

WhatsApp has been clear that it is for personal use. Users must agree to these terms and conditions before they can access the service and WhatsApp can access the users’ contacts. Therefore, the responsibility for GDPR lies with the user, not the app. 

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp’s liability for GDPR because they have given the user all the responsibility for seeking the permission of their contacts.  

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security due to its end-to-end encryption, there have been plenty of reported hacks and flaws.  

Just last October, security researchers revealed that links to thousands of WhatsApp chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. The group’s title, image, description and owner’s phone number were all readily accessible; you didn’t even need to actively join the group.   

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then, there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself, there would need to be an IT policy that states WhatsApp as an acceptable communication channel for business purposes. Although, this policy would be in breach of WhatsApp’s acceptable usage policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so the employee has no expectation of privacy.  

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container installed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given the device is owned by the employee and used predominantly for personal use, it is doubtful whether a forced surrender and access could be seen as legally proportionate.  

If there’s no BYOD policy in place? Access is near impossible. As a personal device, the employee would have much higher expectations of privacy and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try and obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to the app’s business usage. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake or accidentally share their live location, or information could get lost between multiple group chats. 

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  




SIEM Solutions Guide: What is SIEM and why is it an essential investment for all businesses?

An introduction to SIEM solutions

That’s no simple task with the increasingly complex IT environments and constantly evolving cyber-security landscape. With new threats appearing every day, IT Managers need to build an effective stack of cyber-security tools to help them keep their infrastructure as secure as possible. In this article, we will explore the role of SIEM solutions within that toolset.

What is SIEM?

A Security Information and Event Management (SIEM) solution aggregates and analyses activity from existing resources across your IT infrastructure. It collects security data from devices on your network and applies analytics to discover trends, detect threats, and enable your organisation to investigate any alerts.

A SIEM solution is put in place to protect your IT estate from external attacks. It can be configured to automatically isolate and deal with many detected threats, but it also needs to be closely monitored by skilled engineers to handle more sophisticated attacks and ensure nothing is missed.

 


 

Why SIEM solutions are essential for professional service businesses

Gartner first coined the term SIEM in 2005 when Mark Nicolett and Amrit Williams proposed combining Security Information Management (SIM) and Security Event Management (SEM) to create a new, all-encompassing, security information system.

Since then, the technology has been steadily evolving and improving and has become ever more important as cyber-attacks have increased across the world. A UK government report from earlier this year found that 46% of all businesses suffered cyber-security breaches or attacks in the previous 12 months. And this figure rose to 68% for medium-sized businesses.

A 2020 global IBM security report found that the average cost of a data breach, including lost business due to increased customer turnover, lost revenue due to system downtime, increased cost of acquiring new business due to diminished reputation, and remedial work to resolve the data breach was £2.87 million. This is in no small part down to an average time of 280 days to identify and contain a breach. The report also found that businesses with fully deployed security automation in the form of a SIEM solution saved an average of £2.6 million when dealing with a data breach compared to those with no security automation.

Prevention is always better than cure for any part of your IT infrastructure, and when there is such potential to incur significant costs, it makes sense to invest upfront in protecting your business.

What are the main benefits of a SIEM solution?

1. Data aggregation and normalisation

The larger and more complex your IT infrastructure becomes, the more difficult it is to keep track of every single link between devices and applications across your network. This can lead to opportunities for hackers to exploit and access your systems unbeknownst to you until they choose to launch their attack. SIEM solutions gather security event information from the entire network at a central point, uncovering any potential vulnerabilities or malicious activities. This data is then normalised or reformatted as required by your organisation so that it can be easily understood by your staff and dealt with swiftly and efficiently.

2. Threat detection and security alerting

SIEM solutions can connect your security team to multiple threat intelligence feeds so that they are always up to date on the latest threats to businesses like yours. Coupled with the aggregation and normalisation of the data across your network, SIEM solutions perform real-time analysis of potential threats then log alerts for your incident management team to investigate and resolve as quickly as possible.
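Benefits 1 and 2 describe one pipeline: collect events from sources that log in different formats, normalise them into a common schema, then run detection logic over the combined stream and raise alerts for analysts. The following added example (not QuoStar's code and not any SIEM vendor's API) shows that pipeline in miniature. It takes two constructed log sources, Linux sshd syslog lines and a Windows security event export (event 4625 is a failed logon and 4624 a successful one), maps both onto the same fields, and applies a single rule across them: repeated logon failures from one source for one user within a short window, rated higher if a success follows. The log lines, hosts, user names and addresses are all constructed sample data.

```python
"""Toy SIEM pipeline: aggregate, normalise, detect, alert (added example).

Two constructed log sources in different formats are normalised into one
schema so that a single detection rule can run across both of them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Source 1: Linux sshd via syslog.
SYSLOG_LINES = [
    "2024-03-01T09:00:01Z srv1 sshd[101]: Failed password for alice from 203.0.113.5 port 5001 ssh2",
    "2024-03-01T09:00:05Z srv1 sshd[102]: Failed password for alice from 203.0.113.5 port 5002 ssh2",
    "2024-03-01T09:00:09Z srv1 sshd[103]: Failed password for alice from 203.0.113.5 port 5003 ssh2",
    "2024-03-01T09:00:20Z srv1 sshd[104]: Accepted password for alice from 203.0.113.5 port 5004 ssh2",
    "2024-03-01T09:30:00Z srv1 sshd[105]: Accepted publickey for bob from 198.51.100.9 port 6000 ssh2",
]
# Source 2: Windows security log export as CSV (timestamp,host,event_id,user,source_ip).
WINDOWS_ROWS = [
    "2024-03-01 10:15:00,DC01,4625,carol,203.0.113.77",
    "2024-03-01 10:15:02,DC01,4625,carol,203.0.113.77",
    "2024-03-01 10:15:04,DC01,4625,carol,203.0.113.77",
    "2024-03-01 10:15:06,DC01,4625,carol,203.0.113.77",
    "2024-03-01 11:00:00,DC01,4624,dave,10.0.0.8",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)"
)


def normalise_syslog(line):
    """Map one sshd syslog line onto the common event schema (None if unparsable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"],
            "user": m["user"], "src_ip": m["src"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": "sshd"}


def normalise_windows(row):
    """Map one Windows logon event row onto the same schema (4624 success, 4625 failure)."""
    ts, host, event_id, user, src = row.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "user": user, "src_ip": src,
            "outcome": "success" if event_id == "4624" else "failure",
            "source": "windows-security"}


def aggregate(syslog_lines, windows_rows):
    """Collect both sources into one time-ordered list of normalised events."""
    events = [e for e in map(normalise_syslog, syslog_lines) if e]
    events += [normalise_windows(r) for r in windows_rows]
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per (user, source ip) with >= threshold failures inside `window`.

    Severity is 'high' when a successful logon follows the burst within the
    window, since that pattern suggests the guessing may have worked.
    """
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src_ip"])].append(e)
    for (user, src), evs in by_key.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                followed = any(e["outcome"] == "success" and last_fail < e["ts"] <= last_fail + window
                               for e in evs)
                alerts.append({"user": user, "src_ip": src, "host": burst[0]["host"],
                               "failures": len(burst), "source": burst[0]["source"],
                               "severity": "high" if followed else "medium"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(aggregate(SYSLOG_LINES, WINDOWS_ROWS)):
        print(alert)
```

The rule itself is ordinary; the useful part is that it runs unchanged over both sources because normalisation happened first, which is what lets a SIEM correlate activity across a mixed estate and hand analysts one alert rather than two raw log searches.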

3. Regulation compliance

Virtually every business in every industry requires the fulfilment of at least some regulatory mandates such as GDPR and ISO 27001. This is even more true for professional services businesses and failing to meet these can result in loss of sales or expensive lawsuits.

Many SIEM solutions provide out-of-the-box report templates for most compliance mandates and often much of this information can be collated automatically to save your security team time and resources.

4. Increased efficiency

Incident handling is streamlined by the data across your network being collated in one place, allowing security threats to be dealt with as quickly as possible. As well as having a direct impact on your security team, this can lead to a wider reduction in incidents across your IT department as potential attacks are identified and dealt with before they can create incidents for other teams to deal with.

5. Customer attraction and retention

By showing customers and prospects that you have a fully functioning SIEM solution, you can give them confidence that their data will be safe with your organisation, and the service you provide them will not be threatened by a cyber-attack. Conversely, if your business is the victim of a cyber-attack and is unable to deal with it efficiently and effectively, it may take years for your reputation to recover to previous levels. In the short term, this can result in the loss of existing customers and, in the long term, a significant increase in the cost of acquiring new business.

How to choose the right SIEM solution for your business

Defining your requirements

As with any IT project, you can’t do anything until you are 100% clear on your requirements. For SIEM solutions, these fall into two distinct categories:

1. Collection, storage and compliance:

  • What data sources do you need to log, and do you need to collect all data or a subset?
  • How long do you need to store the data for?
  • What compliance regulations do you need to meet?

2. Analysis, reporting and personnel:

  • How will you use your data once collected?
  • What sort of reports do you need, and do you need the ability to customise them?
  • Do you have existing expert staff in-house who can manage the solution, or will you need external assistance?

Assessing available solutions

SIEM solutions can be purchased as an appliance or an application. And they can be implemented and managed entirely by your own team or purchased as a service from an outsourcing provider who can do the implementation for you and provide ongoing management if required. Once you have defined your requirements, you can identify the products which best match and request demonstrations. At QuoStar we have a team of security experts who can assist you in identifying the most suitable SIEM features for your organisation and arrange a live demonstration to help you make the best choice.

Deployment

You need to understand how the solution will be deployed within your organisation before you make your final decision. It’s critical that you are confident in the provider as, even if you are doing the implementation yourself, you will require their expertise for the more technical aspects. If you decide to engage a partner to deploy the solution for you, you need to be comfortable that they have a full understanding of your network and requirements, as well as the SIEM product itself.

Ongoing SIEM management

Any SIEM solution is only as good as its administrators. You need a plan in place from the start for who will manage it day to day, both in terms of administering the solution itself (tuning rules, onboarding new log sources, maintaining storage) and in terms of triaging and handling the incidents the SIEM tools raise.

What else do you need to know about SIEM solutions?

The most important thing to understand is that the successful implementation of a suitable SIEM solution is not the end of the journey. It is only the beginning. The landscape is constantly evolving, both within your network and externally in terms of the cyber-threats you face. If you are not regularly reviewing your SIEM tools, rules and data sources, you run the risk of a new form of attack going undetected.

At QuoStar, our security experts are constantly reviewing the latest trends and assessing these against our clients’ existing setups to ensure everyone is fully protected.

We can provide a fully outsourced Security Operations Centre (SOC) incorporating SIEM and any other tools which are critical to the security of your IT network, allowing you to focus on other key projects, confident that threats to your infrastructure will be detected and dealt with.


How can VDI solutions help IT Managers manage a widespread remote workforce and transform the workplace


The COVID-19 pandemic has had a huge impact on the way businesses deliver IT services to end-users. The lockdown and subsequent restrictions left businesses scrambling to deal with an unprecedented situation in which their entire workforce needed to work from home. Most simply weren't set up for permanent, wide-scale remote working but had no option but to embrace it to remain operational.

Technology like online meeting and collaboration tools, hosted telephony, VPNs and virtual desktop infrastructure (VDI) saw a surge in adoption as businesses looked for ways to keep their employees connected, productive and secure. Of course, VDI solutions are nothing new. Businesses have been using them for over a decade to deliver desktops and applications to end-users. However, VDI is seeing a resurgence, both because of the challenges arising from COVID-19 and because of the maturation of Windows Virtual Desktop. This was highlighted in the Spiceworks Ziff Davis 2021 State of IT Report, which found that 46% of businesses were using or planning to use VDI by mid-2022. Furthermore, 26% of businesses planned to increase VDI deployment specifically because of the new challenges that have surfaced due to the pandemic.

How can VDI solutions help internal IT Teams?

1. Reduced Costs

Delivering desktops through VDI helps reduce the time it takes to provision new desktops. Easy and quick to set up, VDI not only reduces the time required by the IT team and the support costs, but it also provides more immediate value to the business. 

VDI can also help IT Managers optimise and reduce their IT spend. Purchasing and upgrading hardware for remote employees is a significant cost, but as a virtual desktop can be accessed from almost any device it can really help slash spend in this area.  

2. Simplified Licencing

Software licensing is one of the most common issues for IT managers with remote employees. If an end-user uses a personal device for remote working and needs a particular app to do their job, it's IT's responsibility to license it. Not only do multiple licences increase IT costs, they also complicate licence tracking and compliance. The IT team needs to be able to prove that apps on personal devices are properly licensed and to differentiate between corporate-owned software and personally owned software. VDI solutions largely remove this challenge by keeping the licensed software within the business's own data centre, so there is no need to track remotely installed apps.

3. Improved Security

Security is a constant concern, even more so with the new threats emerging as a result of the pandemic. It's a particular issue for IT teams where end-users are using personal devices to access company data or systems. There is no guarantee that the device adheres to the company security policy; it may be infected, compromised or running an outdated operating system. With VDI, device-level security becomes less important because the user connects remotely to a corporate desktop which IT configures to exact security requirements. The personal PC essentially becomes a thin client, as all activity takes place in the data centre with the corporate security systems and controls in place. It does not become irrelevant, though: a compromised endpoint can still capture keystrokes, screen contents and session credentials, so VDI should be paired with multi-factor authentication on the connection broker and with policies that restrict clipboard, drive and printer redirection from unmanaged devices.


4. Reduced Technical Support Time

IT managers' workloads are higher than ever now that they need to manage a fully remote workforce on top of their existing responsibilities. VDI solutions make it easier for IT teams to support remote end-users because they put everyone in a standardised environment, with the device itself less significant. They also reduce major technical issues and speed up resolution time because IT teams already have all the information about the user's virtual desktop to hand. Of course, technical issues can still occur for virtual desktop users, but these are usually related to connectivity and performance and are simpler to identify and resolve.

5. Centralised Management

With everything centrally stored, managed and secured, desktop virtualisation streamlines the management of software assets. This makes it easier for the IT team to set up and provide end-users with desktops and applications, no matter where they are located. Administrators can also deploy, patch, upgrade and troubleshoot from a central, singular location, rather than updating end-users’ environments individually.  

Are VDI solutions the right choice for every business?

Desktop virtualisation has continually developed over the last decade, but today the main two categories are VDI and DaaS (Desktop as a Service). VDI is suited to businesses who want to host and manage the virtual desktops themselves, on their own servers. DaaS is very similar but removes the need for infrastructure management by delivering it as a cloud service.  

Both VDI and DaaS are well placed to deal with the most common challenges of traditional desktop and laptop systems, such as software licencing inventory, ensuring compliance and expensive procurement. Outside of these legacy challenges, both solutions also help businesses deal with IT process concerns, such as keeping up with the rapid pace of change and the time IT staff have to dedicate to routine tasks (e.g. troubleshooting, helpdesk requests).  

DaaS has a slight potential edge on VDI due to the shared responsibility of a cloud model. It largely removes the need to manage the physical infrastructure, enabling IT teams to focus on the entire digital workspace and user experience.  

The prominent solution that overlaps both categories is Windows Virtual Desktop (WVD), since renamed Azure Virtual Desktop. Previous virtualisation options gave businesses limited choice over the type of virtual machines they could use to deliver desktops. They had to either compromise on user experience and deploy Windows Server with the Desktop Experience to achieve the cost benefits of multi-session hosting, or sacrifice on cost and deploy single-session Windows 10 desktops.

This dilemma, plus the opportunities presented by Azure as a platform, ultimately led to the development of WVD. Microsoft positions it as the only virtual desktop service offering simplified management, multi-session Windows 10, optimisations for Office 365 ProPlus (now Microsoft 365 Apps for enterprise) and support for existing RDS environments. An additional plus, just for IT teams, is the relatively short time to go live. A 100-person business with 4-5 servers could be looking at less than a week to set up from scratch.

Are there any issues with VDI solutions?

Like any technology option, VDI is not a one-size-fits-all solution. Businesses still need to fully evaluate its suitability for their employees and their ways of operating. For example, while VDI is a good option for remote workers and contractors who need to securely access Office applications, it's not the best for employees who travel frequently, because the experience degrades over high-latency or unreliable connections and VPN links.

Certain applications also still don't perform as well in VDI-style solutions. Microsoft Teams and Zoom are two of the most widely used conferencing platforms, yet both have performance issues and limitations in VDI environments. For example, with Microsoft Teams some advanced features may not be available in a virtualised environment, and video resolution can differ. Call and meeting functionality is also only supported on a limited number of platforms. As there are multiple market providers, it's recommended that you seek consultancy advice or speak to your virtualisation solution provider to confirm you meet the minimum requirements.

VDI is just one element of the technology stack. Don’t forget you’ll need other complementary technologies to address gaps and round out the experience for the end-user if you’re looking to build a fully functioning digital workplace. 
