Security for a Hybrid Workforce
The move to hybrid working is a perfect time to update and run cyber-hygiene awareness for employees
Over the last two years, we have become used to working from home, and even as things return to normal, employers are allowing remote work for the foreseeable future. This creates a dynamic, hybrid workforce – a mix of office and remote working at different times of the week.
The Dawn of Hybrid Working
Many surveys have been carried out in the last year to gauge the success of remote and hybrid working, but overwhelming employee feedback is that the benefits outweigh any disadvantages. In a report from Boston Consulting Group, more than 50 percent of respondents stated that they had been able to maintain or improve productivity by working more from home. Combine this with a better work/life balance, more flexible hours and reduced stress from less travel, and the employee benefits are clear. Employers benefit too as a hybrid working model enables a richer talent pool that includes previously unfeasible remote locations for hiring and cost savings from hot-desking and reduced office space requirements.
With Change Comes Risk
In 2020 when the pandemic first pushed most people to work remotely, many CISOs had their hands forced. There was no time to plan, only to react, as the change had to happen overnight. Decisions were made based on speed, without the opportunity to perform any risk analysis. Tools and applications previously used by the 10-20% of remote employees now had to scale to nearly 100% of the workforce reliably.
The speed and success of adapting to this new way of working was nothing short of amazing, but cybercriminals could also take advantage of the situation. We saw threats at scale to vulnerable targets such as education and healthcare. The media regularly carried stories of ransomware and data theft, and everyone learned new words such as “Zoom-bombing.”
Now, 18 months later, it is time to pause and look at the new work environment that has emerged. The tools we are using should be checked against the security principles of confidentiality, integrity and availability, and re-evaluated to ensure the proper regulatory compliance and data security levels.
Changing Priorities for Hybrid Working
Before remote working became standard, the budgets for IT and InfoSec were allocated to projects that improved the corporate network, consolidated data centers or brought new offices online.
With a hybrid work model, these budgets should be re-evaluated, considering new expectations for how, where and when employees now work and the customer experience when doing business.
• Budget priorities need to adapt. Remote working may be more effective if cloud solutions are adopted, mainly where employees rely on collaboration, always-on system access or immediate access to current/confidential business data.
• Internet of Things expansion caused by home devices running on home networks that are now ‘part of the corporate network’ increases risk. Attackers realize home IoT devices can be vulnerable to weaknesses in firmware and password settings. They will leverage these weak spots to gain access to corporate devices and data.
• New security policies are needed to support hybrid working for all employees. The corporate network experience should be the same whether an employee is office-based, at home, in a hotel or wherever else. If a VPN or CASB has been deployed, it should always be applied to users regardless of their location. Not only does this provide a better user experience, but it also makes it easier for the security team to spot anomalies faster from a clearer view of their environment.
Establish Zero-Trust Policies
Endpoint management must evolve to address the expanded security perimeter created by remote working. Every remote device is a risk to the business if not adequately protected. A Zero Trust strategy can address this by never automatically trusting any device or connection, inside or outside the corporate network perimeter.
Zero Trust is not just for user endpoints. The policies can be expanded to support connected devices on the network. Any device in the home would be untrusted by default, reducing the risk of a home-based IoT attack being successful as the affected device cannot access corporate resources.
The home network is an extension of the corporate environment in the new hybrid world and must be treated as such to establish the most robust security posture.
Insider Threats from the Outside?
Ransomware, phishing and Business Email Compromise (BEC) have been among the most common attacks of the last 18 months. Employees become the weakest link in the security chain and hybrid working has accelerated this because remote employees want to be visible, high-performing and effective.
With so much communication moving from in-person to electronic, it has been relatively simple for an attacker to craft a targeted email or make a pressured scam phone call. The result is either unauthorized system access or financial loss.
The move to hybrid working is a perfect time to update and run cyber-hygiene awareness for employees. A mix of training sessions for awareness and custom internal phishing campaigns to test effectiveness helps to keep people on their toes.
The ranging effect of these insider threats is also broader than just the loss of sensitive or financial information. With globally effective data governance regulations, organizations must report breaches, and regulators can levy substantial fines if security is lacking.
Hybrid Working is the Future we Must Embrace
We have had to accelerate into remote and now hybrid working models over the last year and a half. Now that we are getting back to work, there is still much to do as everything moves fast.
A hybrid environment can offer a perfect balance between remote and in-office working, which benefits employee work/life balance and employers in reducing office space and investing in new technologies.
We are all entering the future of work. A seamless transition is perhaps too much to hope for, but people should embrace and expand into these new models successfully with continuous review and communication during the process.