The pandemic has been blamed for many things. Whilst it was a key factor in driving the majority of workforces into work from home models, the challenges of remote and hybrid work first appeared with digital transformation and the associated cloud-first environment. Broadly defined, hybrid work describes a situation where employees spend a proportion of their working hours in the office and the rest working remotely (which can include working from home, WFH and also an assortment of restaurant, shops and any other quiet corner). It looks like hybrid work is here to stay with many people unwilling to return to the days of full-time commuting to work in an office. This has thrown up a number of challenges for businesses, with perhaps the IT department left with the biggest headache - cybersecurity.
Traditionally, an office-based workforce would rely on a centralised network which had clearly defined security parameters. Now, organisations have to manage a disparate workforce who want to access company resources from numerous locations and numerous devices - mobile phones, tablets, smart devices. To this end, traditional, on-premise security tools no longer fit the bill. Especially considering the malicious hackers have ALWAYS been working from… wherever they like!
It will be interesting to see how the threat landscape develops under these conditions. Security gaps will need to be plugged, the challenges of cloud computing met, and data will need to be secured wherever it resides in real time. Cybercriminals are rubbing their hands in anticipation.
There are all kinds of ways that hybrid work plays into their hands. Weakened perimeter security allowing them a wider choice of weak spots to attack as people are connecting to the quickest, most accessible, perhaps unsecured, networks available while they work.
The relative ease of phishing links exploited by workers who are using their own devices during hybrid work is heightened too. Many people do silly things on their personal devices (clicking on dubious links) that they probably wouldn’t do on an office PC.
Don’t forget that one single breach via an employee’s device might allow cyberthieves to steal login credentials for your organisation’s network - this single breach can lead to massive data theft or ransomware demands.
All is not lost though; technology does provide some answers. Zero trust network access, multi-factor authentication, endpoint security, ransomware response…these all serve to tighten security and address arguably one of the weakest links in your security chain - your people.
The mention of weak links within personnel, ‘affectionately’ referred to as PEBKAC (Problem Exists Between Keyboard and Chair) naturally lead to topics of user education and specifically, cyber security training. What creative ways have you used to make it interactive, fun and informative? Christelle Heikkila, ex. Arsenal IT Director, and keynote speaker at a recent CIO/CISO roundtable we hosted on the Thames talked a lot on the topic of creating a cyber security culture which you can read more about here.
At the end of the day, it is important for us all to remain diligent and remember that, while we continue to adapt and get comfortable with the autonomy and flexibility of working from home, that has always been the circumstance for the bad guys. It’s time we caught up.