What is the hybrid working model and how does it affect security?
The Hybrid working model incorporates both remote and office-based working, giving employees flexibility and a greater degree of trust. It recognises that the office is not the only option when it comes to the day-to-day tasks that fill most of our working hours, and, understandably, it’s become a popular set-up even before COVID-19 made shared workspaces temporarily untenable.
For all its virtues though, remote working, and therefore the hybrid working model in general, poses a greater amount of security risks that simply cannot be ignored. In order to successfully implement the hybrid working model, organisations must understand these threats and take action to mitigate them immediately.
A huge 49% of data breaches between March and July 2020 (when remote working exploded) were caused by phishing scams and insufficiently protected devices. With employees reluctant to go back to a rigid, controlled, office-based work life, it’s vitally important to get on top of potential security issues to make the hybrid model work for everyone.
Keeping data secure using the hybrid working model
In the days when everyone worked in an office all the time, or only worked on low security risk tasks at home, it was easy to implement a ‘castle and moat’ approach where closed networks and firewalls made it easy to stop potential breaches in their tracks. With personal machines being used for work purposes though, cybersecurity will have to cover more bases to account for these open endpoints and the greater potential for user error.
In this regard, hybrid working is actually a greater challenge for IT teams who will have to manage potential security risks both inside and outside of the office. Obviously, that’s less of an issue at the moment, while offices stand empty, but providing a safe, seamless flow of data between the hub of the office and numerous remote endpoints is a top priority.
The biggest concern for IT departments facilitating a pivot to remote working is still security, specifically phishing scams. A huge 82% of IT industry leaders are of the opinion that employees pose a greater risk of succumbing to phishing attacks when working remotely. It’s a valid concern, as 68% of those using personal devices for work purposes between March and July 2020 admitted to clicking a link or downloading a file from a suspicious email.
The best way to curb these attacks is with enhanced technology and a zero trust approach to security.
Zero trust security and two factor authentication
It may sound hard-line, but the reality of zero trust security is that it’s the best way to protect against security breaches from inside the network or endpoint devices accessing it from the outside.
But does zero trust look like in practice? Two factor authentication is one of the most commonly used applications of zero trust security, as it is often used in consumer banking and other cloud -based systems. Two factor authentication requires the traditional username and password login to be paired with either a security question or a validation code that can be sent directly to the user via SMS or email. It’s a small addition, but this extra step makes a drastic difference when it comes to stopping malicious attacks.
Separating networks into micro segments which require authentication to access can also help to contain threats in one area. This is especially useful for anyone who needs to access sensitive information and data remotely thanks to a hybrid working model.
This way, tasks that make use of secure company data can be placed inside a privileged location, with a secondary zone with looser restrictions also available for more general browsing and work. If the latter is targeted, the malware cannot escape into the former. Another benefit to this approach is that it keeps information on a need-to-know basis, lowering the likelihood of a phishing attack as less members of staff are given access.
Put the right technology in place.
One of the biggest security headaches involved with the hybrid working model is that workers are probably going to need to access company servers and cloud accounts over public networks. Since this restricts bandwidth from home routers with exposed modem control interfaces, it creates opportunities for hostiles to try and gain access to the company network.
An easy fix is to make sure all staff access company networks via a VPN. VPNs offer encryption that will secure traffic between devices, providing a much-needed security boost. With video conferencing and project management apps, and IoT technology such as TVs and printers being particularly vulnerable to attack, it’s an extra step worth taking.
Investing in better testing and monitoring technology is another step that keep sensitive data and company networks more secure going forward.
Running penetration tests on servers, carrying out policy analysis, and checking repair times will all allow businesses to keep on top of potential issues. Endpoint protection and detection is also key, especially when dealing with non-secured devices like personal PCs and laptops. With the right program in place, it is possible to rapidly quarantine any device that falls prey to malware or spyware, stopping a spread that could be catastrophic if it reached the rest of the network.
Thankfully, software defined parameters now exist that will keep sensitive data such as customer applications and data more well-hidden. When used with a zero-trust security stance, security becomes more robust.
With the hybrid working model likely to be here to stay and gather more support in the wake of COVID-19, thoughts have to turn to how it will work for the benefit of staff and the company alike.
By putting these security measures in place, business owners and management can focus on their staff with the peace of mind that comes from knowing that data is as safe as it was when everyone was in the office.