Hybrid work marks a paradigm shift in how organizations think about security: Satyavrat Mishra, Godrej Industries
“The lockdown in India happened quite suddenly and at that moment nobody knew what the future of work would look like,” says Satyavrat Mishra, assistant vice president – corporate IT, Godrej Industries Limited.
Despite the suddenness of the nationwide lockdown last year due to the pandemic, the Godrej group, whose business interests span industries like consumer products, diversified agri business, chemicals, real estate and housing finance, sprang to its feet and rolled out a remote work model within days for its 12,000 employees spread across four continents.
Mishra, who oversees all things IT, attributes the success of this migration to early adaptability of technology.
“We implemented complete Enterprise Mobility Security (EMS) Suite solutions, along with Microsoft Defender for Office 365 (erstwhile Office 365 Advanced Threat Protection) for our email security in 2018,” he says.
When the pandemic forced governments to extend lockdowns constantly, Mishra’s job of securing the company’s networks and data became drastically different and much more challenging.
“The one thing that worked in our favor was that we’d already adopted Microsoft’s cloud-based solutions for secure connectivity earlier, but we were using it for a smaller user base. After the lockdown, all we had to do was roll it out for all our employees,” he says.
The cybersecurity leader recently spoke to Microsoft Stories India about sustainable hybrid work models. He also shared his thoughts on the changing face of cybersecurity during the pandemic, while insisting that the only way for companies to succeed is to invest in employees.
Edited excerpts from the conversation follow:
What were the biggest challenges for Godrej after the pandemic forced employees to work from home?
Godrej Industries has 12,000 employees, most of whom are in India, but some are spread across the United States, Latin America, Africa, and Indonesia. When the lockdown was announced and it was decided that people would start working from home, nobody had imagined that it would last for over a year and a half. We had to provide seamless connectivity for 12,000 people who are spread across four continents, almost overnight.
Our journey towards enabling employees to work remotely had started before the lockdown, but we still did not have a work-from-home culture. One of the biggest challenges we faced was related to identity and security. In an office, there are physical boundaries, so it was easy to secure the perimeter. Now that wasn’t the case.
How did you overcome these challenges?
We’ve been using Microsoft to provide multifactor authentication and advanced email security for some of our employees for several years. So, after the lockdown was announced, it did not take us a long time to roll it out on a large scale and it was business as usual for us.
We also use over 150 business applications across verticals, and we connected each one of these to Azure AD to enable Single Sign-On (SSO) authentication. This helped us to securely manage all our apps centrally, which saved a lot of time. We made sure that we enabled this solution not just for our employees, but also our vendors and consultants.
We also enabled conditional access to our networks, and only a few people could access sensitive information. We also began using Office 365 Data Loss Prevention (DLP) at Godrej Housing Finance and we plan to deploy it across the group companies next year.
The biggest plus point was that since these are SaaS solutions, we didn’t have to spend too much time or effort in training and deployment. We’ve implemented a Zero Trust framework to enable employees to access the tools and documents they need.
Why did Godrej Industries choose Microsoft?
We began using Microsoft Defender for Office 365 (erstwhile Office 365 Advanced Threat Protection) in 2018 after a couple of incidents at the organization. After the breach, when we did our security review meeting, it became very clear that we cannot opt for multiple security solutions from different partners. So, we zeroed in on Microsoft, which gave us tools for multifactor authentication, SSO, and mobile security. No other solution could take care of all our needs.
Had we opted for different solutions, it would’ve taken us a couple of years just to roll them out. Then each solution would’ve required separate teams with expertise to deploy, manage, and monitor them.
With Microsoft, we could complete this in just 6 months, and we didn’t have to take care of the integration process because there were no hardware boxes involved. Everything was happening automatically and being stored on the cloud.
How has the job of IT security professionals changed because of the implementation of the hybrid work model?
In the last two years there has been a sea change because before that at least 90 percent of the workforce used to go to the office or some regional points. But now, except our manufacturing units, which cannot be operated remotely, everyone is working from home. The way we access software has completely changed.
Earlier, there used to be discussions on how to secure the perimeter, how to put more security and network access control solutions. Now, we’re implementing Zero Trust frameworks. That is a major paradigm shift in the way that a security team would define resource access. There’s no hardware ensuring security in a remote work model. All of it is via SaaS-based solutions.
What advice would you give to organizations looking to secure their networks and data?
Our dependence on digital applications has increased because of the pandemic, which has led to an increase in cloud access and cloud usability. Traditional on-premises security solutions that companies used to deploy in their data centers won’t work anymore. Before embarking on a big journey towards cloud adoption, companies need to be aware of emerging technologies like cloud support plan management, cloud security, and posture management.
Apart from this, organizations need to conduct Digital Risk Management. They need to have a complete inventory of their digital resources. All the applications they use create a digital footprint. They need to identify this footprint and ensure they are secure. So, if any identity leak happens on the dark web, there must be a way for them to know and take remedial action.
Same goes for social media, as organizations have relied heavily on these networks for marketing activities. There can be fake social pages, which can hamper the brand’s image. So, we need to monitor social media and take proactive action in case there has been some impersonation.
How can employees contribute to the strengthening of cybersecurity?
There is a lot of awareness needed for employees to understand cyber hygiene. As it became clear that the hybrid workplace model would continue, we began to let our employees know if there had been a problem in their workstations. If a person was going to a malicious website, for example, they’d be notified about it. While all these incidents were recorded earlier too, now we have started capturing this to understand user behavior and have launched an employee user behavior scorecard, which is similar in design to the CIBIL scorecard used for credit scores. It comprises Threat Score and Awareness Scores.
This has helped us in creating user groups based on overall scores and we use that to run campaigns and simulations with Attack Simulator in Microsoft Defender for Office 365 for awareness. We also run a lot of bite-sized micro-training programs to keep our employees updated with best practices.