The COVID-19 pandemic opened the remote working floodgates. Over a year later, there's little chance of closing them. Whether it be white-collar workers or students at school, the UK has become quietly accustomed to working remotely, with 87% of UK office workers now desiring to work from home "at least some of the time."
However, many employers are keen to draw staff back to the office for culture purposes. This will likely mean a hybrid approach - deep or solo work at home, and offices optimised for collaboration.
This means yet another change for IT departments. How should they address cybersecurity for a hybrid workforce? We caught up with a top cybersecurity expert to find out. He didn't want to be named - drawing attention to your cybersecurity skills can give hackers a reason to target you - but shared some useful advice.
Before you deal with any outside threats you need to think about internal staff behaviour. People will be out of practice when it comes to being in the office. There are bound to be lapsed security practices and things not being updated as efficiently as they should be.
It's also much harder to monitor and control the behaviour of staff who are working from home, especially if they're on their own devices. So a clear policy that details what's expected when people are working from home and what's expected when they're in the office is of paramount importance.
Adding fuel to the fire is the fact that there are a lot of businesses that might have panicked at the start of the first lockdown and pushed people out remotely. With everything else that has been going on in the last year they still haven't fixed those issues. Now that people are returning, some part time, those issues are going to be even more problematic.
Policies should ensure that staff are not putting sensitive files on removable devices and then taking them home - or vice versa. Anything that is put onto a removable drive needs to be properly encrypted.
The way that people use the internet in their own home is also very different from how they use it at work. But it's important for staff to understand that if you're running a VPN, the chances are all your traffic is being routed through the business network.
"If you're downloading copyrighted material or looking at content you shouldn't be, the business is liable for that because that traffic is coming from a work IP address. So you need to make it clear to all staff that they need to use the internet the same way they would at work, even if they're sitting on their sofa in their pyjamas. It's down to policy and education."
'Bring Your Own Device' (BYOD) policies have gained popularity over the last few years and will probably become even more popular in a hybrid working situation. But they also present a range of security risks that need to be managed.
"A lot of companies are supplying staff with a device. As the device is supplied by work it should be up to date, and locked down so end users can't just go installing anything they want on there."
The same level of scrutiny should also be shown when it comes to work machines. Said machines might not have been used for many months, so you'll need to make sure they're up to date.
Check that the antivirus is working and that everything's patched. Also, if people are working in a hybrid environment, they could end up with business critical data on a device they are taking home that shouldn't be leaving the office building.
"If it's a work laptop that's been taken home, then it's been outside of the network so it should be thoroughly vetted and updated before being returned to the office. If they're both up to date and all the data is where it should be, then in theory, you should be able to log in and work from anywhere."
Changes in the way we work will have an impact on the services we rely on. You need to make sure that your licensing is up to date and can handle remote working at scale. Some licenses can take longer than others to upgrade or change, so it's worth reviewing your licenses ahead of time, rather than waiting until you hit capacity.
"What we've seen across the industry is that the people who supply licenses have started to struggle because they're waiting for distributors who sometimes take a week to process things. There's never normally a rush and suddenly VPN licenses are at the top of everyone's priority list."
When faced with capacity or bandwidth issues, some businesses can be tempted to take shortcuts - such as split tunneling to reduce bandwidth consumption - in order to keep people working. But as we've already mentioned, these quick fixes sometimes undermine security.
Speak to anyone who works in cybersecurity and they'll recommend using multifactor authentication (MFA). It may take users a second or two longer to log in, but your account will be 99.99% less likely to get hacked.
"We have a simple software token that installs on your mobile device and it gives you a sixty second password you can use to log into the VPN. So even if someone gets hold of your laptop & credentials, they'd have to also steal your mobile and know its PIN to get into your network."
Times of change and uncertainty provide the ideal environment for threat actors to make their move. At the beginning of the pandemic, security processes were disrupted and users were so busy trying to figure out how to keep working that they often looked for shortcuts or ignored advice. Now is the time to ensure those decisions made in haste don't cause long-term damage.
If you're seriously considering implementing a long-term hybrid working strategy, our expert's advice is to take a step back. Review your policy, your processes and your licensing, and adopt simple changes. It can make all the difference. Hackers look for easy targets, so even small steps can make your business a less viable target.
Ultimately, whether someone's working from home one day a week or five days a week, the level of risk is still the same. There might be a bit more risk with hybrid working because people are moving devices and data back and forth, but the general best practices for cybersecurity should remain pretty much unchanged from where they were last year.
The real question isn't going to be what you should change but whether or not you can focus on perfecting and doubling down on the policies that are already in place.
Posted in Business
Published on 25 Sep 2020
Last updated on 05 Aug 2021