The Covid-19 pandemic changed the way we work in the UK and Ireland forever. As companies experimented with remote working to maintain productivity, many employees became accustomed to the idea of working from home and enjoying a greater work-life balance.
According to ADP’s 2022 People at Work report, almost three in five workers (59%) would consider, or have considered, looking for a new job if their employer asked them to come into the workplace every day. In short, hybrid working is the new normal and it’s here to stay.
As more organisations embrace hybrid working, the security challenges of a decentralised workplace are becoming increasingly clear, with data showing that 86% of UK cybersecurity professionals believe that attacks increased due to employees working remotely. IT decision-makers also admitted that their remote workers have knowingly put corporate data at risk in the last year.
Now is the time for organisations to rethink traditional approaches to cyber security and implement some simple controls to build a secure hybrid working environment in 2023.
The first step toward securing a hybrid working environment is to evaluate risks in the employee's current working environment. In practice, this means assessing what type of data employees have access to, what devices and applications they use, and what vulnerabilities exist in their environment, then implementing controls to mitigate those risks.
For instance, if employees are going to be accessing protected data that’s stored on cloud storage solutions or collaboration platforms, then using Multi-Factor Authentication (MFA) to authenticate user access, using VPNs to encrypt traffic, and downloading security patches could help prevent unauthorised access.
One of the biggest challenges that comes with remote working is ensuring that employees maintain security-conscious behaviour when they're working offsite, such as downloading all available security patches, maintaining devices with antivirus/antimalware solutions, and selecting strong passwords.
If employees aren’t implementing basic security practices at home, then there will inevitably be a higher risk of a data breach. It’s therefore important to make employees aware of how they can protect themselves, using security awareness training to educate them on the latest threats and security best practices.
While some companies enable employees to use personal devices to access internal resources, the use of personal devices creates significant security risks, because there’s no formal process for verifying that these devices are updated and maintained.
As a result, it is safest for organisations to establish remote working policies that forbid the use of personal devices to access work resources. Then an administrator can take responsibility for managing work devices, ensuring that they're patched so that there are no vulnerabilities in the systems that a cyber criminal can exploit.
Although it may be convenient to enable all employees to access a shared file or application, it puts private information at risk of unauthorised access from malicious entities.
Implementing the principle of least privilege and ensuring that employees only have access to the data they need to complete their day-to-day responsibilities is critical for making sure that your data doesn't fall into the wrong hands.
One simple way to control access to applications and services is to use multi-factor authentication (MFA), where employees need to provide multiple authentication factors to log in, such as a password and a passcode sent to a trusted email address or device.
In remote working environments, data breaches are a matter of when, not if. This means that organisations need the detection and response capabilities to identify malicious behaviour in an offsite environment, whether that is a misuse of account privileges or a brute force hack, and to contain the incident in the shortest time possible.
The most effective way to detect threats in a remote environment is to work with a Managed Detection and Response (MDR) provider, who can conduct continuous monitoring of employee devices 24/7, identify malicious behaviour, and respond instantly to mitigate the damage.
As hybrid work has become the new normal, securing the workplace doesn't just mean securing the office but securing all remote sites. In 2023, that means investing in building security strategies that are remote-working ready and prepared to secure devices in remote environments.
While it is difficult to mitigate the risks of remote working entirely, organisations can significantly improve their security posture by ensuring that employees engage in security-conscious behaviours while working from home, enforcing the principle of least privilege, and building the detection and response capabilities to respond to incidents fast.