When an organisation considers purchasing a security product, they are placing their trust in the technology, processes, and human beings behind its design.
Trust for the remote enterprise
From a security perspective, enterprises need to trust that their employees understand and prioritise security. A significant proportion of their workforce is now likely to be working via home WiFi networks, or even public WiFi networks. Access to the digital corporate environment from these networks is significantly less likely to be secure than access from office-based ones, so employers need to trust that their employees are taking the precautions necessary to keep the corporate network safe: avoiding public WiFi where possible, changing the password on their home WiFi network regularly, and ensuring that any security tools their employers invest in are correctly installed and regularly updated on the device they are using for work. Any of these activities, if not undertaken appropriately, could result in a breach and damage the trust relationship between employee and employer.
Trust for the remote employee
This, however, is a relationship which extends both ways. A significant proportion of the remote workforce is now working from a device not provided by their organisation. A recent survey by IAM company OneLogin discovered that of the 5,000 workers surveyed across the UK, US, France, Germany and Ireland, 29% of remote workers had been working on a device owned by them, and not their organisation, with 5% of these individuals working from a shared device. This means a significant proportion of the remote workforce is merging their personal and professional worlds to a previously unknown degree.
Therefore, in order to keep their personal data safe, employees must have confidence and trust that their employers have put appropriate security controls in place to prevent security issues at an enterprise level from spilling into their personal data world, which could lead to personally held accounts, including bank accounts, or sensitive documents being compromised.
This is particularly relevant for organisations at an SME level. SMEs or start-ups in an embryonic or growth stage are unlikely to have a dedicated security team, meaning an added level of trust is required between the enterprise and its security provider, in whom it is placing its faith to defend its online infrastructure. This likely amounts to their entire company when adhering to a remote working model.
Trust at a governmental level
There is a third actor in play when discussing trust and security – that of the government, and of government initiatives to put the minds of both enterprises and security professionals at ease when attempting to keep themselves secure.
It is with this in mind that the government introduced departments such as the NCSC, responsible for researching and documenting cyber criminal activities to increase awareness for those in the digital ecosystem, as well as initiatives such as the government's Cyber Essentials, to help organisations manage their own security posture.
The onus is also on governments to step in when the trust and security relationship breaks down: the most evident example of this is of course GDPR, which steps in to penalise organisations that fail to protect the data to which they have access.
Trust as a fundamental of security
Trust is a fundamental cornerstone of any business relationship, but security and trust are intertwined to a point which makes them almost indistinguishable from one another. If an organisation has trust in its security technologies, providers and practitioners, the issues which keep security teams at less secure companies awake at night can become secondary to more existential questions: how you can grow your business, which new markets or areas to invest in or move into, and generally how to create the best business that you can, unburdened by the shackles of security concerns.