The pandemic has caused a tectonic shift in how we live and work. Many companies are slowly returning to offices while an estimated 40% of the U.S. workforce continues to work remotely. A year into the pandemic, one thing is crystal clear: the future of work is hybrid. 83% of employers attest that their shift to remote work has been extremely successful, and 82% of company leaders are planning to allow employees to exercise “flex days”, where workers can work from the convenience of their homes. Employees too have expressed a preference for a blend of home and office, with research suggesting hybrid workplaces result in better workplace outcomes.
Regardless of whether employees are on-site or remote, this convenience is now a permanent cyber-risk for businesses. Listed below are the top 5 challenges in this new hybrid environment:
- Remote work infrastructure is facing a rising barrage of cyber-attacks
To enable remote working, companies are increasingly relying on cloud technology and leveraging remote connectivity tools like VPN. Cyber-attacks on cloud services have grown more than 600%, while hackers continue to exploit vulnerabilities in VPN gateways. The number of brute-force attacks on Windows Remote Desktop Protocol (RDP) is also rising significantly. In February 2021 there were 377.5 million brute-force attacks worldwide, compared with 93 million at the beginning of 2020.
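The RDP brute-force trend above is one of the few threats in this list that defenders can detect directly from host telemetry. The script below is an added example, not code from the article or from any vendor: it runs a sliding-window count of failed RDP logons per source address over a handful of constructed, simplified log lines (timestamp, Windows Security event ID, logon type, account, source IP). The format, the sample addresses and the threshold are assumptions for illustration; Windows Security event 4625 (failed logon) and logon type 10 (RemoteInteractive, used by RDP sessions) are real values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real telemetry). Columns: ISO
# timestamp, Windows Security event ID, logon type, target account, source IP.
# Event 4625 is a failed logon; logon type 10 (RemoteInteractive) is what
# an RDP session uses. Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2021-02-10T08:00:01 4625 10 administrator 203.0.113.7
2021-02-10T08:00:02 4625 10 admin 203.0.113.7
2021-02-10T08:00:03 4625 10 backup 203.0.113.7
2021-02-10T08:00:04 4625 10 guest 203.0.113.7
2021-02-10T08:00:05 4625 10 test 203.0.113.7
2021-02-10T08:00:06 4625 10 svc_sql 203.0.113.7
2021-02-10T08:01:10 4625 10 jsmith 198.51.100.20
2021-02-10T08:01:30 4624 10 jsmith 198.51.100.20
2021-02-10T09:15:00 4625 10 jsmith 198.51.100.20
"""


def parse_line(line):
    """Split one simplified log line into typed fields."""
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, window_start, trigger_time)}
    for each source that produced at least `threshold` failed RDP logons
    (event 4625, logon type 10) inside any sliding window of length `window`.
    Only the first time a source crosses the threshold is recorded."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, _user, src = parse_line(line)
        if event_id != 4625 or logon_type != 10:
            continue  # successful logons and non-RDP failures are ignored
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for src, (count, start, end) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {src}: {count} failures "
              f"between {start.isoformat()} and {end.isoformat()}")
```

Two caveats for anyone adapting this to real Security logs: a single user mistyping a password a few times (the 198.51.100.20 lines) should not trip the rule, which is why the count is per source over a short window rather than per account over a day; and when Network Level Authentication is enabled, failed RDP credential checks are commonly logged with logon type 3 rather than 10, so a production rule usually has to accept both.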
- Remote workers are easier targets
Weak or no home Wi-Fi security, laptops shared amongst family members, absent firewalls, insecure mobile devices, poor security hygiene, etc. are some of the nightmares that security professionals face on a routine basis with remote workers. Remote workers may also lack reliable internet connectivity or bandwidth, which delays software-update patching and can leave weak points open for cybercriminals to exploit. The use of unauthorized software and shadow IT can also jeopardize a business's entire cybersecurity posture.
- Need for stronger data protection and authentication
Data protection of sensitive information becomes a lot harder across the expanded internet-based perimeter. Access to sensitive data requires a stronger set of checks and balances than you would normally use in a standard traditional office environment. It’s easy for attackers to fake a digital identity and hijack data from a secure environment. Personally Identifiable Information (PII), emails, browsing habits and website visits, online purchases and financial content, social media and dark web data dumps can be easily leveraged to emulate a virtual identity.
- Absent physical security and monitoring of virtual workspaces
One reason the physical offices of large businesses are brimming with security personnel is that the infrastructure helps manage the disposal of confidential information in its physical form. For example, entry barriers can help prevent tailgating, while paper shredders can help destroy physical assets that might contain sensitive information. In a digital world, managing the information lifecycle also becomes an important element, as holding data for longer periods of time is both a high-risk policy and a liability.
- Human-centered security is taking a back seat
Home distractions are a major cause of security errors, and the data from lockdowns proves it. Workers are prone to social engineering scams like phishing and vishing. One wrong move can instantly result in a breach, causing significant financial damage and irreversible loss of reputation. Cybercriminals have a deep understanding of human psychology and of pandemic-related stress. In 2020 alone, Google registered a record two million phishing websites, while ransomware attacks increased seven-fold.
Getting the cybersecurity foundations right in the new hybrid workspace
Similar to the hybrid office, managing cyber-risks also needs a hybrid approach: a mix of technical controls and user behavior training that is secure by design. Here are two main foundational elements:
- Address the softer side of cyber: It’s important that businesses understand and apply psychological theory to influence the behavior of their employees, so that they follow cyber hygiene best practices and avoid putting the business at risk. There are two key areas where this improvement should be focused:
  - Transformative Security Education, Training and Awareness: Ongoing security awareness training and live simulation exercises that develop muscle memory, or instinctive behavior, for employees to recognize, foil and report social engineering attempts.
  - Secure behavior by design: Developing security tools and techniques that have cybersecurity built in, not bolted on. For example: incorporating visual guidance or inconspicuous cues and nudges to gently guide individuals in making sound security decisions.
- Applying risk-based techniques: Risk management is a continuous and ongoing process in a hybrid office environment. Here are two key areas of focus:
  - Modular assessments: A modular, scenario-based risk assessment approach ensures you don’t have to reinvent the wheel every time the threat landscape evolves. Start by creating a behavioral baseline and setting benchmarks for improvement. Once you have consolidated and prioritized cyber risks, chart out a plan to implement your controls.
  - Evolve architecture with your business goals: Technology and architecture should not be static, which is why this is an ongoing, dynamic, evolutionary process. Once you have assessed performance gaps and identified potential vulnerabilities, technology and tools must also evolve with the identified priority areas. Technologies that have come to the forefront and are worth looking at include zero-trust architecture, User and Entity Behavior Analytics (UEBA) and Virtual Desktop Infrastructure (VDI).
The pandemic may not have invented new cyber-threats, but the emergence of the hybrid office has certainly dialed up the volume. While humans are the weakest link in any cybersecurity program, they are also its strongest defense. A hybrid approach to cybersecurity that brings together the best of both worlds, awareness and technological controls, is certainly poised to take center stage in this new hybrid environment.