Hybrid work offers a variety of advantages, but also poses significant risks
Carl Mazzanti//May 22, 2023//
Hybrid work is here to stay. Some reports indicate that more than 70% of employees work from home at least two to three days a week. The trend appears to have benefits for companies too, with reports indicating that 64% of executives say flexible working options motivate employees. The hybrid work model does offer benefits to employees and employers alike, but it also presents significant cybersecurity challenges.
That is because, in a traditional office setting, IT departments have significant control over both the network and the devices that connect to it. Outside of the corporate security umbrella, however, users’ devices may miss essential updates, and critical maintenance and monitoring may be skipped. And while the cloud simplifies collaboration, it also expands the attack surface and introduces new risks.
Businesses can take steps to protect against cyber-attacks and keep their data safe in a hybrid setting, but organizations will need to partner with their cybersecurity solutions provider to review and update their cybersecurity strategies. An effective review and upgrade will typically start with basic security controls but will go beyond them, to address such issues as a zero-trust approach and educating users.
A cybersecurity review takes on additional importance in a hybrid work environment, and will typically address these issues:
Encryption – As more companies move their digital files and processes to a third-party cloud environment, the organization should question the cloud provider to ensure that the company’s data is being encrypted both in transit and at rest. Highly sensitive data may require a higher level of encryption.
Patching – Applying software manufacturers’ updates and upgrades is a vital security step that is, unfortunately, often ignored. Companies should review their patch management strategies to ensure that software and firmware patches are applied quickly. To help ensure that this is done on an ongoing basis, patching should be automated where possible.
Backups – Systems like Microsoft 365 include data protection features, but these built-in properties typically have limitations. Companies and their managed IT services provider should reinforce them by implementing a comprehensive, automated data backup and restore plan.
Risk Assessments – Regular evaluations and penetration testing can highlight security vulnerabilities in the organization. An IT services partner can help a business to use this information as the foundation for designing an effective security strategy.
The widespread adoption of cloud collaboration – and the subsequent spread of hybrid work far beyond traditional boundaries – has made zero trust security a must-have component. This “never trust, always verify” approach adds a security layer by requiring authentication for every transaction.
MFA, or multifactor authentication, is a key component of zero trust. MFA is a multi-step account login process that requires users to enter more information beyond just a password. Along with a password, for example, users may be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
Zero trust goes beyond verifying identity for every access request and encompasses the principle of least privilege: a user should only have the access they need to complete their job. Tools like Microsoft’s Azure AD allow a security team to enforce conditional access based on the user’s role, location, device, and other factors.
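As an added illustration of the conditional access described above (not a policy from the original article or from eMazzanti), the following Microsoft Graph `conditionalAccessPolicy` body requires both MFA and a compliant, managed device for every user and application whenever a sign-in comes from outside the organization’s trusted network locations. The break-glass account object ID is a placeholder that must be replaced, and the policy is set to report-only so its effect can be reviewed in sign-in logs before it is enforced.

```json
{
  "displayName": "Hybrid work: MFA and compliant device outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<BREAK-GLASS-ACCOUNT-OBJECT-ID-PLACEHOLDER>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

Switching `state` to `enabled` turns the policy on; the `AND` operator means a user working from home must satisfy both controls, while sign-ins from a named trusted location are excluded from this policy entirely.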
To further meet the security needs associated with hybrid work, organizations should address policies governing data access, passwords, data retention, encryption and other actions that determine how data is created, shared, and stored on devices used to access company data and services.
Automating security policies can also improve security by reducing the need for employees to remember and apply critical security controls. Organizations, for example, can tag sensitive data and apply sharing restrictions, encryption or data retention policies according to its classification.
A successful hybrid security effort will also address the importance of making employees aware of their role in keeping data secure. Targeted and engaging security awareness training can change employee behavior and reduce an organization’s exposure to breaches while minimizing employee downtime. Combining regular training with phishing simulations, for example, can significantly improve a business’s ability to withstand common cyber threats, such as business email compromise (BEC) attacks. In a BEC attack, a cybercriminal skillfully impersonates a high-level executive or other trusted contact and uses social engineering techniques to trick an email recipient into transferring funds to a fraudulent account.
Traditional cybersecurity models were built on the premise of locking down the perimeter and dealing with threats after they got through. That approach, however, no longer works against sophisticated cyber-criminals who are continually developing new schemes, and the threat has been multiplied by the adoption of hybrid work models. Security-conscious organizations are investing in cyber-awareness and education programs that can help keep them one step ahead of their attackers.
Carl Mazzanti is president of eMazzanti Technologies in Hoboken.