How to Better Secure the Hybrid Work Environment

From companies going all-remote to their employees slowly returning to the office, many businesses are using a hybrid model of digital operations to provide flexibility in an uncertain landscape.

Many companies did a stellar work under trying circumstances to get their teams operational at home during the various lockdowns. Fortunately, the trend to remote working was already underway, and apps like Zoom, Google Docs and Microsoft Teams were ready to take up the demand of mass-scale remote working.

For businesses however, underneath the layers of productivity tools came the risks of connecting via insecure networks, of people using home laptops that could be riddled with malware and devices that could connect to any insecure hotspot. IT teams had to deliver virtual and secure networking, use virtual private networks (VPNs) and enable higher levels of security to protect business data.

Things didn’t always go to plan, with hackers infiltrating Zoom business meetings, others using the chaos to launch effective phishing campaigns (with attacks up 220% at least). But firms rapidly came to understand the security risks and cope with them, building improved defences.

With much of the workforce now heading back to the office, businesses should take the time to re-evaluate their security as hybrid working becomes the norm, especially if new outbreaks send workers back home.

What is hybrid working and what are its impacts?

Read any newspaper or news website today and there are many stories about company staff being forced back to work in the office, being offered flexible working arrangements or progressive firms going fully remote.

From the IT perspective, hybrid working covers all these bases and is an inevitable trend that most firms will follow sooner or later. It responds to the needs of business leaders that have seen productivity increase from home workers.

Remote work covers a variety of different user types, with most typically using business productivity applications. However, power users may need access to information on multiple devices across secure corporate applications, while super users need to access executive systems or back-end development systems to deal with critical issues. Each requires different levels of security and access that security tools must cater for.

Microsoft research shows that around 66% of business leaders are considering redesigning office spaces while a WorkAfterLockdown report revealed that 73% of employees would prefer more flexible working. Hybrid working supports these objectives, helping define how businesses go about changing their working practices.

What are the security implications of hybrid working?

During COVID-19, many IT teams were focused on getting people working, with no time to gain a deeper understanding of the security risks, which often took a back seat. Also, traditional IT was largely based around regular updates to a few key tools (antivirus, firewalls). With rapid cloud adoption comes the need for a range of solutions to protect cloud access, data lakes, ensure user security and monitor the vast volumes of data flowing between connected services.

The good news is that there’s a growing range of new and next-generation solutions to protect hybrid workers and business data. But firms need to look beyond the office walls to defend each element. A good starting point is a cybersecurity risk assessment - a test to identify what the company’s protection services cover and what is at risk.

This assessment can score the risk a company faces and help secure the hybrid work environment, regardless of how many cloud services they use and what the varying levels of in-build defences are.

Most businesses expect a breach, hack or weakness to be exploited at some point, with around three-quarters (77%) of businesses saying cybersecurity is a high priority for their directors or senior managers, according to the latest UK government study, “Cyber Security Breaches Survey 2021.”

Security challenges grow with hybrid working

As cybersecurity management approaches evolve, the hybrid working era makes it harder for firms to keep track. According to the survey,

“…direct security and user monitoring have become harder in organisations where staff are working remotely with fewer businesses deploying security monitoring tools than in 2020 (down from 40% to 35%). And fewer businesses (32%, vs. 38% in 2020) and charities (29% vs. 38%) are now undertaking any form of user monitoring.”

Automated tools as part of cloud security can help reverse this trend, ensuring users work safely and in line with guidance and compliance efforts.

Similarly, the report highlights how upgrading hardware, software and systems is more difficult. With staff working at home, there are more endpoints for organisations to keep track of. Fewer businesses (83%, vs. 88% in 2020) report having up-to-date malware protection. Fewer businesses (78% vs. 83%) have set up network firewalls. In large businesses in particular, having laptops with unsupported versions of Windows is a significant security risk, affecting 32% of large businesses.

As firms come out of the COVID-19 working patterns and look to stabilise on new working methods, they will need to realign priorities to address IT security weaknesses and learn new skills to cope with hybrid working. Teaching employees to work safely should also be a priority.

Addressing the human element, IT teams must train workers to be on the lookout for phishing attacks, ensure they create strong passwords for all services that they use and are locked out of services they don’t need access to, especially when leaving the business.

IT must ensure secure VPNs, Remote Desktop Protocol (RDP) servers and other connections are correctly configured and that cloud services are protected, regardless of where workers are operating.

Cloud services make a tempting target for hackers, with known vulnerabilities and misconfigured settings making automated attacks simple to perform. The hackers can browse through lists of at-risk services, regardless of the companies involved, and then trawl through them for useful information. As more firms move to the cloud, they need to ensure the hybrid workplace is secure at both ends.

Fortunately, plenty of firms have been going through this process and there are many best practices guides and articles to help drive a transition. On the technology side, zero trust models are becoming popular to reduce complexity for both remote and on-site workers and the systems they use.

Zero trust eliminates reliance on the old perimeter concept of defence protected by firewalls and other applications. Instead, every user, application and request is dynamically authorised and authenticated. Using multi-factor authentication (MFA) and wider encryption, malicious attempts at intrusion are blocked and rejected at source, and while users might have to go through one or two more hurdles to gain access to their work, it’s all for the greater good.

All organisations must take a fresh look at their policies for hybrid working and invest appropriately to secure the business. A mix of user training, cloud protection applications, data handling compliance rules and a proactive approach to patching and device security will all play a role. Learning from the successes and struggles of others and hiring IT operators with expertise in hybrid working should make this a less worrisome transition to hybrid working.