In a hybrid world, cybersecurity is as much a cultural change as it’s about tech: Sandeep Karan, LTTS

“During the early days of the pandemic, we not only had to enable our employees to work from their homes but to do so while keeping our networks and data secure,” says Sandeep Karan, the head of cybersecurity at L&T Technology Services (LTTS).

LTTS is the engineering services arm of the L&T Group—one of India’s largest conglomerates with business interests across construction, financial services, manufacturing, engineering, and technology.

With around 17,000 employees, some  of whom live in shared residences, known as “Paying Guests” in India, juggling between enabling everyone to work remotely and keeping everything secure was probably one of the biggest challenges he’s faced in his career.

Microsoft Stories India caught up with Karan to talk about how the engineering services  giant reimagined its security architecture with Microsoft’s solutions.

“When we were planning and designing our security architecture, we looked at various tools to see what makes the best fit. Every system would have given us some insights, but it would have been challenging to develop a comprehensive understanding of risks. Opting for Microsoft enabled us to take care of our security and compliance needs through a single consolidated system that no one else could provide,” he says.

Karan also shared his thoughts about how the notions around cybersecurity and compliance were changing during this era of hybrid work.

“Now it’s important for organizations to see this as a cultural change, and not just a technological one,” he says. “In the end, employees are potentially the weakest links. So, one must invest in educating their employees and making them champions. Organizations that will succeed in doing this are the ones who will survive and have the least number of cybersecurity incidents.”

Edited excerpts from our conversation follow:

For someone responsible for the cybersecurity of LTTS, what were the biggest challenges you faced as the world went into remote working at the beginning of the pandemic last year?

Before the lockdown, almost our entire workforce used to work from the office, and our cyber infrastructure was designed to support a small percentage of people to work remotely. The system would have collapsed if the entire workforce shifted to remote work within a day. So, we had to work rapidly to upgrade our entire IT infrastructure. Earlier, there was just one remote gateway through which all the employees signed into our network, but now we have location-specific gateways.

Since we are primarily an engineering R&D services company, and not a typical IT company, a lot of our work happens on high-end computers. So, we also began to ship our workstations to our employees’ homes because heavy engineering work cannot be executed on regular laptops.

At this stage, security was our biggest concern. All our earlier security solutions like proxies and DNSs protection work were on-premises tools, which were made useless when people began to work from home. So, we had to upgrade our security infrastructure and move to Cloud-based solutions.

How did you overcome these challenges?

Microsoft Teams has been our go-to tool for collaboration between different teams. Our delivery, sales, IT, quality, human resources, and facilities teams made different channels on Teams to work smoothly, and we managed to transition to remote work with minimum mail exchanges. This saved a lot of our time.

Before the pandemic, we had deployed multiple on-premise security solutions to safeguard our employees. But we soon realized that we needed a comprehensive solution. So, we redesigned our infrastructure using Microsoft products.

The first thing we did was connect our VPN with Azure AD and enabled multi-factor authentication for people who were signing into our network. We  began using Microsoft Identity Manager to enforce conditional access to sensitive documents and data. We also used Microsoft 365 E5 security structure to continuously monitor our security scores and fix problems preemptively. Most of our employees do not need access to our core network as they do majority  of their work on SaaS applications or applications opened in internet. We integrated all these apps with Azure AD as well, which gave us the advantage of enforcing conditional access. We also began using Microsoft App Proxy and it became the primary gateway for our employees to open applications on the internet.

In order to manage devices that we had sent to employees’ homes, we implemented Hybrid Join through Azure AD, which truly enabled the hybrid work model. We then transitioned from using a traditional anti-virus to Microsoft Defender Advance Threat Protection. We enabled Microsoft Cloud App Security (MCAS) on all our SaaS applications.

Why did LTTS choose Microsoft for its security and compliance solutions? 

When we were planning and designing our security architecture, we looked at various tools to see what fits the best. While doing that exercise, we realized that we had deployed many different, segregated systems. Every system would have given us some insights, but it would have been challenging to develop a comprehensive understanding of risks.

Since we were already using Microsoft products, we thought of investing more in its solutions. So far, we have managed to get everything we wanted. Right from Azure AD to identity management, multifactor authentication, getting insight from the dark web to see if any password has been compromised, conditional access, and attack simulator, everything is now interconnected.

Opting for Microsoft enabled us to take care of our security and compliance needs through a single, consolidated system that no one else could provide.

As the world moves from a remote to hybrid work model, how have your notions about cybersecurity, compliance, and data protection changed during hybrid work model?

Over the last year, we have seen an increase in incidents of cyberattacks. This has led to more awareness around cybersecurity within the company’s management, the board, and our customers.

Now, when we meet the audit and risk committee, and the board, cybersecurity is always in the agenda. Similarly, when we meet potential customers, the first thing they ask before getting down to business is to ask about the company’s cybersecurity posture. Even colleagues in sales teams  now must become aware about cybersecurity since they deal with customers every day.

On the security side of things, we now not only have to protect the devices of the employees, but also their identities. If there is an identity theft, others can get into our network. We can no longer protect identities through passwords and multiple factor authentication.

We have moved towards a Zero Trust framework, which allows us to restrict access controls to networks, applications, and devices without sacrificing productivity.

Before the pandemic, it was easier to ensure compliance (with policies) because everyone was working from the office and that environment could be controlled. Conversations could happen behind closed doors. Now, that’s not the case. So, we have configured Microsoft’s Insider Risk Management (IRM) to ensure compliance by detecting, investigating, and minimizing malicious activities within the organization. We also implemented Office 365 DLP to protect confidential documents and sensitive organizational information.

How did you make cybersecurity an inherent part of your organization’s culture?

We have generated a lot of awareness since the start of the pandemic. Conversations around cybersecurity are not just limited to boards now and it has become extremely important to minimize risks and manage security across the organization. We use Microsoft attack simulator to conduct phishing simulations. If people fail that, we ask them to attend training sessions.

Once employees started working from home, we no longer had a physical periphery in the form of our physical offices that we could secure. Earlier, employees used to open their laptops at home on a need basis, but now even conversations about projects happen outside the office. We also had to consider that many employees live in “paying guests” or residences they share with others, who may be working for a competitor.

In the end, employees are potentially the weakest links. So, one must invest in educating their employees and making them champions. Organizations that will succeed in doing this are the ones who will survive and have the least number of cybersecurity incidents. Now it’s important for organizations to see this as a cultural change, and not just a technological one.