Research and advisory firm Gartner has found that, after the Covid-19 pandemic abates, businesses will face a new kind of challenge: managing hybrid workforces.
According to Gartner, 82% of business leaders plan to let employees continue to work from home (WFH) in at least some capacity, while 47% plan to allow employees to do so permanently. Others are even adapting work from anywhere (WFA) practices.
Major banks — including JP Morgan and Barclays — and technology companies like Google, Twitter, Facebook, and Square are just some of the organisations that have embraced remote work as part of their business models. Spotify’s WFA initiative gives employees the option to work from an office or home — and even their own choice of geographic location. In fact, three-quarters of the 43 large companies surveyed by The Times spoke of moving towards flexible working policies permanently.
Getting serious about hybrid work security
Temporary or not, the shift to remote work has caused lasting changes to the way people work. Even companies that are going back to having an office presence have developed WFA (Work From Anywhere) practices and will continue to enhance them, whether by hiring more remote employees, retaining employees who move out of town, or even shifting entirely and permanently to remote work.
“More employees working from anywhere means more devices connecting remotely, i.e. outside of the secured corporate network. As a result — businesses’ control over data is slipping rapidly. As such, it is critical to understand what remote workers are doing with that data and rework the new ‘normal’ to make it more effective and secure,” says Juta Gurinaviciute, chief technology officer at NordVPN Teams.
The elements that build for security and privacy that may normally be available in a controlled corporate physical environment setting with defined physical barriers are routinely obliterated in WFA environments. And the risks associated with WFH are amplified when the move is made to WFA. This is because it includes not only our home base, but also working frequently on the road at customer locations, airports, coffee shops, and just about anywhere with wired or wireless connections.
”CISOs had to ensure that all endpoint devices connecting to network resources could effectively fend off attacks. Hackers, cybercriminals and nation states accelerated their attacks with a cold harshness during this pandemic. It’s time for organizations to get serious about implementing the security measures necessary for securing remote edge devices and entry points. It’s vital to make these measures part of a unified, comprehensive strategy. All of this forms a single, integrated security framework designed to simplify management and expand visibility and control,” says Gurinaviciute.
Fortunately, most organizations now have the data and know-how necessary to understand how remote work impacts their applications, life cycle, and IT infrastructure, as well as its effect on traffic to applications that are located on-premises and in the cloud.
Mapping the future of work-from-home security
The consequences of poor cybersecurity hygiene while working remotely can include anything from compromised sensitive data to unauthorized access to the organization’s infrastructure. Secure communications while working remotely can be ensured by the combination of technical solutions and controls with proper employee operations security (OPSEC).
“Typically, when it comes to securing your teleworkers, the first item on the agenda is developing a corporate policy. This policy should outline what’s acceptable in a remote working environment, how data is handled, what levels of authorization are available, etc. Risk-based decisions can also be made depending on the types of devices employees use for teleworking (for example, company-issued devices, personal laptops or smartphones, etc.). Devices that haven’t been issued specifically by the company should be subject to more stringent controls,” says Gurinaviciute.
Organisations need to get up to speed and take measures that ensure data security:
* Content storage should be allowed in the cloud only. Use cloud or web-based storage software that allows for sharing and editing of documents (for example, Cisco Cloudlock).
* Endpoint security using two-factor authentication. This adds a second layer of security when logging in to important applications. Multi-factor authentication uses OTP (one-time password) technology, certificate-based USB tokens, smart cards, and additional advanced security technologies.
* Any connections to the company’s network should be performed through a VPN (Virtual Private Network), which uses either SSL (Secure Sockets Layer) or IPsec (Internet Protocol Security) to encrypt communications from the remote worker’s machine; This safeguards both the end user and corporate environment, ensuring that no one is able to decipher sensitive data traffic.
* Risk management contingency plan. It’s essential to have the possibility to either track a laptop or wipe it remotely in case a remote worker loses a laptop with sensitive business information on it.
“Security teams have to develop new policies to respond to these challenges. Some of them have already done so, but their work doesn’t end there. They need to communicate those new policies to the entire workforce and train employees on how those changes affect them,” Gurinaviciute adds.
Combining remote workers with cloud infrastructures can present numerous business opportunities. But without the right cybersecurity and operational framework, the cloud presents serious challenges that can have far-reaching repercussions.