23 Nov Dispersion – the next big wave of business disruption
Globalisation and technology have had a huge impact on the way we live and work. The digitisation of business processes alone has transformed what is possible in most industries. In other areas, technologies have opened up new opportunities and solved a myriad of problems. Now the next great wave of business disruption is upon us: Dispersion.
Dispersion has been flagged by commentators and academics such as Professor Scott Galloway of New York University Stern School of Business as being both a challenge and a huge opportunity. Dispersion breaks down distance and traditional distribution channels. We all know how the likes of Amazon are already dispersing retail to desktop and mobile. And since 2020, the pandemic has accelerated this trend in new sectors such as healthcare, education and hospitality. It will impact many others.
Dispersion changes the face of security
Dispersion means that many services or experiences that were previously 100% in person are now at least partly digital. For example, you might visit a hotel but check in digitally, and that has big implications for how the hotel secures and manages the environment.
Such deep-set changes also have an impact on how businesses should think about security. George Dionisopoulos is Head of Security at NEXTDC:
“Well, effectively, what we’re talking about is converged security. And that is how the physical and cyber environments really interact with each other. Effectively, one can’t exist without the other today, let’s be realistic. And we really need to start talking in this manner around a holistic approach to security. And it needs to be reevaluated constantly.”
He talks about “multiple layers” of security which now need to be considered:
“If you start at the perimeter, there’s the integration of the physical security at the perimeter with the fence, but also that integrated into your electronic security management system, […] And what we tend to do is walk our customers through the different layers on how they get through to their environment, and then look at what is it they’re actually trying to protect. Key in assisting customers – in putting in the right risk posture, security risk posture – is understanding what they’re trying to protect.”
Security threats often come from “an insider” – a staff member, contractor or other associate. Sometimes these threats are not malicious. Mistakes can be made. So it’s not always about someone trying to inflict harm on purpose. Rather, it’s about trying to minimise the mistakes that humans associated with your business make.
“So, if you think of Swiss cheese, which has multiple holes, there’s what’s termed the Swiss cheese model. And if all the right environments aligned, you can actually penetrate right through your environment. So, the more layers you add, the more complexity that you can add to your posture, which effectively then assists you in protecting your environment, the better.”
Dispersion poses the biggest threat for larger organisations
The pandemic drove a decade of change in just a few months. For organisations with a big staff or user population, or multiple locations, this created a challenge.
In the education sector, for example, school boards suddenly found themselves faced with more complexity than they could have predicted. Michael Martinrano is Superintendent of Schools for Howard County, managing 10,000 students, 6,000 teachers and 77 school sites with a whopping $1bn budget.
“The biggest thing was that we all recognized that we were woefully under-funded and under-supported in providing the platforms that were going to be necessary to offer virtual education. That was a major concern from not having the networks and the platforms that were fully secure and an archaic system, that whole had older machines.”
But this wasn’t just about not having the right technology in place. It was also about understanding the matrix of technologies and their vulnerabilities:
“And I say that about all the different levels of computer devices, which we had that were vulnerable to attack, vulnerable to individuals hacking. We had a number of events that we had to then address from a disciplinary point of view, with students and individuals coming in from other places, creating environments that were not conducive for instruction. [Or] being disruptive, providing illicit materials during those times, and how we put protections in. [We] found that [this] was another arena that we didn’t predict was going to happen.”
In some cases, law enforcement had to be involved. So with dispersion, suddenly new security threats materialised.
This experience was echoed in universities and colleges around the world. This is most likely driven by the size and spread of the organisations.
Located in California, the University of Berkeley has approximately 900 staff in IT roles, serving over 44,000 students. According to CIO Jenn Springer, along with the benefits of dispersion came some additional threats.
“One of the most frustrating things I think, as a technology leader, particularly during the pandemic (and it continues to be the case) is the thing that is the most important about whether or not someone can connect to us remotely is the thing that I have no control over, which is the network that they’re sitting on, that’s not mine. And one of the things that was the [biggest] lesson for me is that when you have everybody leave the campus, all of the sudden they are on a bunch of private networks, they’re on their local network service provider, they may be sitting in a library somewhere. And that’s something that I don’t have control over: how strong is that connection. We definitely want to make those connections secure. And so making sure that we had what’s called the VPN, a virtual private network, that people could log into when they were not on our campus to make sure they could access things securely, was incredibly important.”
It wasn’t as if the university had never run VPNs. It had. But previously, they ran them “for just a few people” at a time. Overnight, that number rose to “thousands of people”.
“That was something that we had to make much more robust, and I know that that is a place where we will continue to invest.”
Are dispersed networks going to drive the “new security tech normal”?
We asked Colby Prior, Security Operations Engineer at Octopus Deploy, whether dispersed networks and associated cyber security threats are going to be a key part of the landscape from now on.
“We live in a world where there have been a lot of malicious attacks happening online, especially with [events] overseas. Geopolitically, we’re seeing a lot more traffic scanning for vulnerabilities […]. But also, just in terms of a profile of more traditional business: everyone comes into the office, plugs in their laptop or connects to a computer that is there physically in the room. And in terms of a security team, our job is very easy. We have, you know, security cameras, we have a lot of building protection, protection of that internal network.”
But just like Jenn Springer’s comments about the challenges universities face, Colby says that having people working from home changes the playing field. He explains:
“When you take all those people to work from home, especially for businesses where people were not previously working from home, so they weren’t necessarily prepared for something like this, it becomes a massive risk.”
Prior says that even if devices are managed securely, they are still plugging into a home network which may not necessarily be secure. Or they may change their behaviour without warning:
“They may turn around and work from their home laptop, or their home desktop computer, instead of their normal work laptop. They may do this because they just prefer the different monitor or keyboard setup they have. The problem is that this is something that isn’t necessarily easy to catch in a spreadsheet like a risk matrix.”
So dispersion brings massive benefits, but in some ways complicates some of the security requirements of larger organisations. Experts like Colby Prior predict that it will be “a long time” before the industry truly figures out watertight solutions.
This article reflects some of the core topics discussed in Episode 5 of Security TV – watch it here. Security TV is a new online series which launched recently, focussed on the world of security. There’s never been anything like it before: it promises to become a key resource for those of us thinking about security. Torus is proud to be the premier sponsor of Security TV. You can watch episodes here, or join our mailing list to receive early alerts when the Security TV team releases each new episode.