Many experts agree that the workforce of the future will combine in-office and remote work. In fact, 77% of business leaders believe their company will use a hybrid model next year.
Ensuring cybersecurity with remote work is no simple task, as the skyrocketing number of cyberattacks the past year demonstrates. And even though large enterprises dominate the headlines, many small and medium-sized businesses (SMBs) — companies with fewer resources to devote to robust cybersecurity than Fortune 500 whales — were also heavily targeted.
Many organizations were vulnerable to hackers because they implemented only fragmented security practices at the beginning of the pandemic. The vast majority (85%) of CISOs admit that they sacrificed cybersecurity to enable remote work. Now, since remote work will be a constant fixture rather than a temporary measure, it is time to fully address its challenges to ensure both flexibility and resilience.
Challenge #1. Lack of control over remote endpoints
In early 2020, many organizations equipped their newly remote employees with corporate laptops. Most of them took several steps toward securing them, such as installing antivirus software and establishing a patching policy. However, when corporate devices are outside of the company’s perimeter, the IT team cannot fully control them, and remote workers often put them at risk. Indeed, 41 percent of employees use personal applications when working from home — applications that are not monitored by the IT team but often contain vulnerabilities that cybercriminals can exploit. Therefore, it is essential to provide your IT team with extensive visibility into the state of your remote endpoints, including the ability to spot outdated and unsupported applications and update or remove them.
Challenge #2. Obsolete cybersecurity practices
The shift to remote work has also exposed the limitations of a perimeter-based approach to security. To enable secure access for remote workers, many organizations began relying on VPNs. But once a user connects via a VPN client — which all too often requires only traditional username-password authentication — they are considered to be trusted and are granted access to corporate systems.
Only recently, the credentials for 900+ VPN servers were compromised. Those credentials provide hackers with access to the entire network of the companies using the VPN servers, unless additional security checks are in place beyond authentication at the perimeter.
Accordingly, experts recommend that organizations adopt a Zero Trust model: No user or device should be trusted until verified. A comprehensive implementation of Zero Trust involves multiple strategies, such as network segmentation, strict password complexity policies, multi-factor authentication, and least privilege access. Begin by prioritizing Zero Trust practices based on your specific needs.
Challenge #3. IT complexity
8 in 10 IT professionals say that the complexity of their job increased over the past year. Adding technologies to enable remote work on top of all the legacy tools and processes has increased IT complexity. The associated stress and fatigue increase the risk of misconfigurations, missed patches, and other mistakes that could lead to a security incident.
A thorough IT asset inventory can be invaluable in helping IT teams regain control. With accurate insight into the IT ecosystem, they can remove duplicate systems, simplify workflows, and develop a viable strategy for operational security across the hybrid workforce.
Challenge #4. Lack of cybersecurity awareness
The US has had an official Cybersecurity Awareness Month (October) for nearly two decades, but 85 percent of cyber incidents still involve human error. One reason is that employee training is often woefully insufficient: A single online course followed by a quick quiz cannot establish the strong cybersecurity culture required for cyber resilience — especially when the stress of extended remote work during a global health crisis is making more people prone to mistakes.
Improving the situation requires changing the corporate mindset. Instead of treating people as cybersecurity liabilities to be blamed when they make mistakes, see them as cybersecurity assets. Set up and facilitate discussions about cybersecurity, and encourage knowledgeable individuals to educate their peers. Emphasize how internalizing cybersecurity best practices will benefit the company and transfer over into employees’ personal lives.
Challenge #5. Cloud security risks
Cloud adoption is expected to increase even as some workers return to the office. In fact, Gartner forecasts worldwide cloud spending to hit $304.9 billion in 2021, an 18.4 percent increase from 2020.
However, organizations that venture hastily to the cloud often leave security gaps. Common mistakes include not fleshing out security requirements before deploying solutions and having siloed teams implementing overlapping cloud technologies.
Now it is time to define and enforce appropriate security controls centrally. Good cloud security hygiene involves adopting a Zero Trust model as described earlier, with particular emphasis on visibility, access control, policy enforcement, mobile device management (MDM), insider threat detection, patch management, and disaster recovery.
Mike Walters is co-founder and President of Action1 Corporation, which provides remote monitoring and management software. Mike has more than 20 years of experience in IT technology and IT security. Prior to Action1, Mike co-founded Netwrix, whose visibility platform for cybersecurity and risk mitigation is helping more than 10,000 customers. Mike lives in Laguna Beach, California.
Mike’s LinkedIn: https://www.linkedin.com/in/mike7walters/