Is Hybrid Working a Security Threat?
As the pandemic has receded, the workforces of many organizations are continuing in remote working mode for at least part of the time. What are the implications of hybrid working for the security of the organization and its data?
While many of the worst aspects of the pandemic and life under lockdown have receded, remote work seems to be here to stay. According to McKinsey, 90% of companies — across industries and regions — plan to shift to a hybrid model, and for good reasons. During the pandemic most organizations saw a rise in productivity and customer satisfaction.
But, from a security point of view, what was a temporary expansion to the system perimeter is now permanent — and security is a top, but often unaddressed, concern as organizations plan for the hybrid future.
Hybrid working security risks
There are a number of risks presented by remote worker management, and organizations must understand that a hybrid environment means accommodating employees in more than just a “work-from-home” situation.
Many remote workers don’t stay in their home office, which means organizations have to prepare for the inevitability that workers will set up shop in coffee houses, Airbnbs, and other public Wi-Fi environments. These ‘third spaces’ present additional risks, and organizations should be able to provide VPNs, require multi-factor authentication and employ access management solutions to combat them.
Even when workers are in their home offices, there is no guarantee their home networks are secure. Cloud access management and authentication solutions can help create more secure home environments, but we should also consider the rise of IoT devices, which create more access points for would-be hackers.
Even some of the tools companies rely on to enable remote work present their own risks. Collaborative tools like Zoom or Slack may not be secure and can be prime targets for cyber-attacks.
Hybrid working risk assessment
Executives may be ready to embrace the remote future, but they have yet to fully prepare for hybrid work management. A Pulse survey found that only 1 in 5 companies “are fully confident that their infrastructure security can support long-term remote work.”
The research also found that just 7.5% are very confident in the adequacy of their organization’s security protections against phishing and ransomware. More than 70% of respondents said remote employees need the following:
- security software for devices
- an easy-to-use file-sharing system
- strong IT support
Proofpoint highlights five more potential risks that organizations must consider. Here are a few of the most urgent:
- Data loss: As we already noted, collaborative tools can make easy targets for hackers. “Consider, for example, the massive breach experienced by video game publisher Electronic Arts (EA),” says Proofpoint. “Using stolen cookies from an underground marketplace, attackers infiltrated a Slack channel at EA, posing as an employee needing tech support. The attackers created a plausible backstory to persuade an IT administrator to give them a multifactor authentication (MFA) token, then compromised a development service to download more than 780 Gb of source code.”
- Legal Concerns: The increased use of chat platforms creates compliance issues, according to Proofpoint. “Online work conversations previously occurred exclusively over email, but chat is increasingly the digital channel of choice. Employees need to consistently apply policies that align to mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX), even over chat. Organizations that don’t monitor and save chat content can have difficulty ensuring compliance.”
- Insider Fraud: Think beyond data breaches when assessing potential risks. Proofpoint points out that, “many employees think of chat platforms as safe places to share proprietary information or customer data…Goldman Sachs learned this lesson the hard way in 2018 when the financial services company agreed to pay a $110 million fine for foreign exchange trading fraud that occurred when employees discussed upcoming customer trades in a chat room.”
Tips for managing security in hybrid work environments
While there are plenty of considerations to be made when preparing for the hybrid future, no challenge is so great that it can’t be overcome.
- Formalize your policies: Creating a written policy that guides workers on computer and internet use while working from home can help, and allows you to enforce the rules both technically and administratively. Consider a “Zero Trust” policy.
- Adopt an identity-centric approach: Researchgates says, “With an identity-centric architecture access to every resource is controlled by the user's identity.”
- Implement collaboration security: With the risks of collaboration tools mounting, Researchgates says, “Enterprise security practitioners should assess a range of collaboration security tools and platforms.”
Unified platform security
Securing a distributed work operation like that of a workforce in hybrid mode is also a question of choosing the right technology. Eidosmedia platforms have been in use for over two decades in mission-critical roles in sectors from news-media to finance and incorporate a number of highly evolved platform security features. Their “unified platform” architecture is easier to manage and more secure than the collections of applications that make up the conventional enterprise IT environment. Data flows are secure even across the most geographically distributed, cloud-based operations using mobile devices.
In addition, Eidosmedia SSO (single sign-on) access integrates with popular corporate MFA solutions for increased access control security. All this is available as a service, hosted on bespoke private clouds with managed applications services if needed.
Eidosmedia products and processes have received certification to ISO 27001 and 27017 standards and are used by leading organizations in financial services and media.