Securing a New World: Navigating Security in the Hybrid Work Era

After a year and a half of working from home, companies have started calling their employees back into their offices. However, as the COVID-19 Delta variant continues to spread, many companies are expecting to see a hybrid workforce model emerge as the new normal. Uber, Citigroup and Qualtrics, for example, have each issued employee schedules calling for three days a week in the office, although many workers would prefer more time away.

But while a hybrid work schedule may be beneficial for many employees, IT leaders will have to navigate a minefield of potential security risks. Among those worrisome practices are sending company files to personal email accounts for printing at home, sharing company information on personal email accounts and the use of public Wi-Fi stations.

The predictable result, as documented in the Verizon May 2021 Data Breach Investigations report, is that attacks against cloud-based email, remote desktop applications and similar technologies designed to assist with remote work all increased over 2020.

Security doesn’t get any easier with some workers returning to the office, others staying home and quite a few doing a bit of both. That’s because the office, which was once the company’s security standard, is often full of devices that have been sitting idle since early last year. Security patches are issued continually and should be installed as soon as they are published. But a computer that has been turned off for a year, unable to download patches, is a vulnerable device. And there may be dozens or even hundreds of patches waiting in the queue that are needed to bring a device up to par.

There are, not surprisingly, a host of recommendations that experts have offered to help security teams in their work. Educating employees on the threats that people and companies face is one of their top suggestions. A survey from Proofpoint’s State of the Phish report emphasizes the need for a people-centric approach to cybersecurity protections and awareness training that accounts for changing conditions, like those constantly experienced throughout the pandemic. While 90% of U.S. infosec survey respondents said their workforce shifted to a work-from-home model last year, only 29% said they trained users on safe remote working.

Investing in solutions, including automation tools that relieve teams of manual tasks and tools that alert them to threats and can prevent security incidents before they happen, is also a common piece of advice. But company executives also play an important role in securing the new normal workplace.

Company leaders will be challenged to create a culture that empowers people to work productively and gives them space to come forward with security issues and errors. They must build a security strategy for a hybrid workforce that doesn’t get in the way of people doing their jobs and involves both IT and security leaders in crafting office reopening plans. They should also make security training into a positive skill—one that builds employee capabilities long-term, arming them with the tools they need to make smart cybersecurity decisions. Beyond these recommendations, I would also offer the following:

  • Multifactor Authentication: Implement a multifactor authentication process and apply corporate password policies. This should work the same way for BYOD devices used externally as it works on-premises—requiring authentication using company credentials that WFH employees need to access any on-premises devices and applications. Companies can grant or revoke access rights instantly for incoming or leaving employees, and immediately set or reset account credentials remotely. As businesses increasingly embrace remote work arrangements, IT personnel can manage the company’s network from home, too.
  • Conditional Access: To implement conditional access, which acts as a firewall controlling incoming and outgoing connections, define and enforce access rules at the user, account, group and device levels. Then, consider restricting the types of connection (remote access, file transfer, meeting) that employees can use and employ a rule-based engine for access to your corporate network.
  • Hybrid Conditional Access: Secure cloud privacy using your own router combined with a licensed third-party network. That limits session traffic to your company’s own corporate network.
  • Single Sign-On (SSO): Install a system that gives IT more control over provisioning enterprise user accounts for both remote access and support. Limit access to users with corporate emails only in order to help prevent unauthorized users from accessing your remote access platform.
  • VPN Alternatives: Virtual private networks are useful, but have some drawbacks, including high cost, security risks, slower speeds, and difficulty with installation and maintenance. Alternative technologies for allowing users to send and receive data across public networks are available, including software that uses end-to-end encryption for remote desktop connections.
  • Reporting and Auditing: To create a full audit trail, IT leaders should document all relevant aspects of remote sessions, including the who, when and where of their occurrence. Trace all actions taken in the management console, including user additions or deletions and user rights management, and centrally restrict who has access to those logs.
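
The conditional access, SSO and audit-trail recommendations above, sketched as a small rule engine in Python. This is an added example, not code from the article or from any vendor; the rule fields, the example.com domain, the device IDs and the deny-overrides, default-deny precedence are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CORPORATE_DOMAIN = "example.com"  # assumption: the corporate email domain
CONNECTION_TYPES = {"remote_access", "file_transfer", "meeting"}

@dataclass(frozen=True)
class Rule:
    level: str       # "user", "group" or "device"
    subject: str     # email, group name or device ID the rule applies to
    connection: str  # one of CONNECTION_TYPES, or "*" for all of them
    allow: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: str
    connection: str
    mfa_passed: bool
    source_ip: str

def matches(rule, req):
    ids = {"user": {req.user}, "group": req.groups, "device": {req.device}}
    return rule.subject in ids.get(rule.level, ()) and rule.connection in ("*", req.connection)

def evaluate(rules, req, audit_log):  # returns (allowed, reason), always logs
    hits = [r for r in rules if matches(r, req)]
    if req.connection not in CONNECTION_TYPES:
        verdict = (False, "unknown connection type")
    elif not req.user.endswith("@" + CORPORATE_DOMAIN):
        verdict = (False, "not a corporate account")
    elif not req.mfa_passed:
        verdict = (False, "MFA not completed")
    elif any(not r.allow for r in hits):
        verdict = (False, "explicit deny rule")  # a deny overrides any allow
    elif hits:
        verdict = (True, "allow rule matched")
    else:
        verdict = (False, "no matching rule (default deny)")
    audit_log.append({"who": req.user, "device": req.device, "where": req.source_ip,
                      "when": datetime.now(timezone.utc).isoformat(),
                      "connection": req.connection, "allowed": verdict[0], "reason": verdict[1]})
    return verdict

RULES = [Rule("group", "support", "remote_access", True),  # constructed sample policy
         Rule("group", "staff", "meeting", True),
         Rule("device", "byod-7731", "file_transfer", False),
         Rule("user", "alice@example.com", "file_transfer", True)]
```

Denied requests are logged alongside allowed ones, so the audit trail also records blocked attempts from unmanaged devices or non-corporate accounts.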

A hybrid workforce requires a hybrid approach to security, one that leverages both technology and training to foster an agile strategy. And while the new hybrid work dynamic clearly presents challenges, implementing these elements into your IT security strategy will put you on the path to better managing a complex threat landscape.


Alexander Post

Alexander Post is the director of product management - enterprise & IoT for TeamViewer
