As the COVID-19 pandemic progressed, more and more organizations quickly digitized their workplaces and business models. Many organizations shifted to remote work and online transactions, leading to a surge in demand for digital capabilities. Unfortunately, these transformations came with new cybersecurity challenges.
The disconnect between cybersecurity and hybrid work
A recent survey puts this situation into perspective. During the survey, 83 percent of organizations reported a significant increase in remote work activities due to the pandemic. Almost 90 percent of the respondents said that remote work made cybersecurity efforts much more challenging. And the majority of organizations that participated in the survey expressed concerns over the security of remote work.
Although things are now gradually returning to normal, most companies are not out of the woods yet. The mass shift to remote work was only meant as a temporary continuity strategy to sit out the pandemic, but it seems telecommuting is here to stay. According to Gartner, 90 percent of organizations plan to continue with remote work, but mostly through a hybrid work arrangement where employees can work both remotely and from the office. This trend is quickly catching on as the new workplace norm, further extending the cybersecurity headache of remote work.
But what actually makes remote and hybrid work so taxing in terms of security? Here are the main cybersecurity challenges facing hybrid work environments:
- Lack of control and visibility into remote endpoints
- A broader and more complex IT footprint increases susceptibility to attacks and alert fatigue
- Amplified human vulnerabilities
- Poor security awareness among remote workers
- Breakdown of the corporate defensive perimeter
- Relying on traditional cybersecurity solutions that don’t naturally translate in the hybrid environment
- Weak authentication systems, especially for cloud services
It’s time to rethink your cybersecurity for hybrid work to mitigate all these issues. Let’s look at the best security practices to safeguard a hybrid workplace:
Implement a Zero Trust security framework
A Zero Trust cybersecurity model assumes that no device or user can be trusted unless verified. Zero Trust goes by the notion “never trust, always verify” as opposed to the traditional methodology of “trust, but verify.” It’s an ideal security approach suited to any hybrid work scenario.
Zero Trust is a rather sophisticated concept that touches on every aspect of cybersecurity, from endpoint security and user authentication to network security. To apply this strategy to, say, endpoint devices, you have to define trust tokens in those devices and verify them before granting any access permissions. Trust tokens could be a combination of digital certificates that uniquely and correctly identify a legitimate device, user, or action.
You can implement Zero Trust on various levels through the following strategies:
- Constant endpoint, backend, and network monitoring
- Identity-based user authentication control
- Least privilege access
- Network micro-segmentation
There’s more to Zero Trust. Check out the NIST 800-207: Zero Trust Architecture for more information about developing an effective Zero Trust security model.
Train employees on threat awareness
The human factor remains cybersecurity’s weakest link. Innocent mistakes, blatant negligence, and ignorance among employees account for the majority of data breaches today. And giving employees virtually total control over their work environment only exacerbates this problem.
The only way you can strengthen your telecommuters’ security posture is through intensive training. Educate your employees on cybersecurity best practices for remote work on these topics:
- Threat awareness (identifying, containing, and reporting threats)
- General cyber hygiene when working from home
- Password best practices
- Protocols for sharing data remotely
- Personal device care
- Professional conduct in remote work settings
- Overview of security policies
- Individual roles, responsibilities, and accountability in cybersecurity
Make employee training a regular thing, ideally every quarter with monthly refresher courses. And don’t forget to test your staff’s threat awareness through regular tests and drills. Remember, employee training not only equips your team with essential knowledge and skills but also helps instill a security-oriented organizational culture.
Embrace multi-factor authentication
With remote or hybrid work, you can’t tell whether an access request comes from a legitimate user or a threat actor by verifying passwords alone. This is because compromised passwords and devices can be used to falsely access the corporate network.
It takes more than passwords to protect remote user accounts and cloud-based services. The ideal solution is multi-factor authentication (MFA). MFA combines the conventional username-password login with additional user identification tokens. Secondary factors can be one-time passcodes, biometric information, or behavioural data. This renders stolen or compromised credentials completely useless in gaining unauthorized access.
You can implement MFA as part of a Zero Trust strategy or as a standalone multi-layered security feature.
Optimize your cloud infrastructure
Remote collaborations depend largely on cloud solutions designed for data sharing and communications. Unsurprisingly, these systems have become popular targets for cyberattacks due to their increased user traffic.
There are two ways you can minimize cloud risks in a hybrid workplace. First, reduce and optimize your cloud footprint by consolidating multiple cloud functions into a single platform instead of having a different cloud app or service for each one. For instance, instead of having an exclusive cloud service for group chat, another for video conferencing, and another for sharing files, you can access all those functions through Microsoft Teams.
Second, step up your cloud security by enabling and installing extra security features on all your hosted systems. Protect your cloud assets through encryption, firewalls, managed cloud security (where possible), and data backup and disaster recovery systems.
Manage endpoints and network security
A hybrid workplace calls for a whole new approach to network and endpoint security. The problem is, you have no control over how remote workers access the corporate network or which devices they use to do so. For all you know, employees could be connecting to sensitive assets through insecure public Wi-Fi hotspots using their personal laptops or smartphones.
Try to gain some level of visibility into remote endpoints, perhaps through remote device management tools. Earmark the device each employee uses for work and ensure they are safe enough to access the corporate network. Better still, ditch independent endpoints altogether and have your employees use virtual desktops instead. Doing so will standardize all endpoints and drastically reduce security risks as well as management complexities.
You can also leverage Intune MDM for corporate devices to require managed device access to corporate resources in the cloud or using Cloud App Security & Conditional Access policies for Access Control to limit functionality to cloud services such as only web access to Exchange Online limited to read only on unmanaged (personal) devices. Additionally, Mobile Application Management for personal devices can help limit the risk of data leakage on personal devices (iOS & Android) by restricting where corporate data can be saved, copied, or shared between corporate and personal apps.
Another thing you could do is virtualize access to the corporate network to eliminate the risk of questionable, random connections. Tunnel user connections through a commercial or custom virtual private network (VPN) and enable end-to-end encryption between users and hosted resources. Robust network security that includes encryption, VPNs, and active monitoring can eliminate several risks such as Man-in-the-Middle, DDoS, code injection, and IP-jacking threats.
Bridge the security gaps in your hybrid workplace
There are many ways you could reconfigure and bolster your cybersecurity efforts to secure a hybrid workplace from various threats. But first, you must ensure that your cloud collaboration tools are secure and well suited to your HR community. Softlanding can help you make the right choices when it comes to remote work efficiency and security. We help businesses adopt and implement robust Microsoft solutions to empower digital processes, including remote and hybrid work. Partner with us and start your hybrid work journey on a solid footing.