A New Cybersecurity Challenge: The Hybrid Workforce Environment

Posted on by Robert Ackerman

If you follow the news and work for a sizable company, you likely know that we’re on the cusp of what is likely the biggest new workforce development in decades—the so-called hybrid work environment. Starting next year, this means most staff at many companies will be allowed to split their time indefinitely between working in the office and working remotely at home.

As it turns out, most managers were surprised to find that productivity didn’t fall off a cliff, as many had expected. And employees, predictably, like their new work-life balance and spending less time and money on commuting. In some quarters, this is regarded as “the best of both worlds” post-pandemic-driven solution for staff and employers.

But not everybody and everything will come out on top, and this certainly applies to the world of cybersecurity.

Things are likely to get worse there, as time is split between enhancing the security of employees at both work and home, rather than one or the other. This will likely create more cyberattacks because employees will be regularly coming into the corporate environment from their home networks, which seldom have the same level of security.

One piece of the problem is that home networks are typically shared with others in the house, such as spouses working from home and children playing games or distance learning, entailing additional risks that can undermine corporate security. Cyber pros, already overwhelmed by a huge worker shortfall, will have to spend additional time looking at more user behavior patterns to spot anomalies and detect threats. Worse yet, some employees will no doubt bring thumb drives and laptops used at home to the office, and some will be infected with malicious malware.

It doesn’t help, either, that many business executives remain vague about security strategy details for their new hybrid work environment.

According to a study by McKinsey of companies planning to go hybrid, 68 percent of them have yet to communicate a plan or put one in place. Cyberthreats often thrive in the absence of strategic decision-making and preparation.

It’s noteworthy that while remote work has turned out to be successful on many fronts, this doesn’t include cybersecurity. Home security can seldom compete with corporate security because it’s not professionally managed. Among other things, this means many systems on home networks don’t get software patches regularly, and they are often out-of-date as well in other types of vulnerability mitigation.

As a result, the FBI’s Internet Crime Complaint Center last year reported that its number of cybersecurity complaints skyrocketed from about 1,000 complaints daily to 3,000 to 4,000 since the start of the COVID-19 pandemic. The Bureau mostly blamed this on the fact that tens of millions more Americans were working from home. Separately, a study last year by Tessian, a London-based cybersecurity company, found lots of security complacency among remote workers in the United States and Great Britain. More than half of those surveyed admitted they had sometimes ignored security policies.

One intriguing solution to heightened security threats posed by the hybrid work environment—and perhaps the best—is the adoption of so-called Zero Trust architecture. This concept is centered on the belief that organizations should not automatically trust anything or anyone inside or outside its perimeters. Instead, they must verify anything and everything trying to connect to their systems before granting network access.

Even after users pass the authentications, security checks constantly exchange information to verify whether users can access select systems or files. In short, they aren’t allowed to move freely through the network even though they passed through the security gateway. A Zero Trust system at Microsoft checks employee identities constantly, sometimes including eye and fingerprint scans. Even verified users are then pushed to cloud-based applications, avoiding the corporate network.

Here are some other tips to improve security in the hybrid work environment:

+ Catch up on software patches. While corporations are much better at patching than remote workers at home, they need to be better still. Updates are extremely common. If companies miss just one, they can ultimately be breached. Security pros are way behind the curve because a number of PCs and other devices have been turned off for many months while employees have been absent and unable to accommodate download patches. Each machine could need dozens of patches. Negligent remote workers also have to come up to speed on patching if they want to reconnect to the corporate network.

+ Use a company VPN. A virtual private network could be leveraged with remote desktop protocols to secure communication channels between the office and a remote employee. VPNs encrypt all the user’s connection data and are the most practical solutions to minimize data privacy and security concerns.

+ Develop the strongest security possible. This can minimize data security risks throughout the workforce. Start by providing security training, both virtually and in person. This can help instill heightened awareness, especially among today’s full-time remote workers.

Before thinking hard about such things, corporations must finally get around to writing their policies for the new hybrid workforce. They also need to adopt the proper attitude. “Hybrid work means a loss of control, which adds to the cybersecurity challenge but not necessarily cybersecurity woes,” says Zia Hayat, CEO of London-based cybersecurity company Callsign. “It requires security teams to rethink policies, and that’s a good thing.”

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Security Strategy & Architecture

authentication zero trust endpoint security identity management & governance endpoint detection visibility & response

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs