How can organizations reduce the risk of a cyber attack when an ever-changing mix of employees moves in and out of the office?
The pandemic may be receding, but distance work has come to stay. In this environment, the hybrid work model seems to stand out, with a large number of staff working from home a few days a week, but also having to come to the office the rest.
The solution of the hybrid work model will combine the advantages of "both worlds" for the staff and the employers. But as we have seen from the beginning of the pandemic, distance work has created the perfect conditions for cybercriminals.
The hybrid working model comes bundled with some security challenges
So how big is the risk for organizations as they adopt a new work model?
An ESET survey found that 80% of companies internationally believe that home-based workers have the knowledge and technology needed to deal with cyber threats.
However, in the same study, three-quarters (73%) of businesses admitted that they were likely to experience a cyber security incident, and 50% said they had already been the victim of a cyber attack in the past.
Certainly, this divergence of views does not contribute to the development of a concise cyber security plan.
The fact is that the companies are facing great challenges - many of which were observed during 2020 and the first part of 2021.
These challenges include:
The human factor
Ask any cybersecurity professional and they will probably tell you that the weakest link in the corporate security chain is the employee himself.
That is why we have seen e-fishing campaigns being used extensively in the early days of the pandemic to entice users who were feeling hopeless after the latest crisis news.
In April 2020, Google claimed to be isolating more than 240 million COVID-related spam emails and 18 million phishing or malware emails each day.
We have not realized this, but those who work from home are more at risk because they may be distracted by roommates or family members, and therefore more likely to click on malicious links. Communicating with IT support or checking a suspicious email from a colleague can be difficult when working remotely, and personal laptops and home networks can also offer less protection against malware.
In fact, now that employees are slowly returning to the office, there is concern that they may bring with them bad habits they have adopted over the past 18 months.
Challenges in technology and cloud
During the pandemic the remote work infrastructure was exposed. ESET reported a 140% increase in RDP attacks in the third quarter of 2020.
At the same time, last year the extensive adoption of new cloud services caught the attention of cybercriminals. Typically, 41% of companies surveyed by the Cloud Industry Forum still believe that the office is a more secure environment than the cloud.
In addition, a hybrid workspace will undoubtedly require even greater data transfer between remote employees, cloud servers, and office workers. This complexity will require careful management.
How to design a safer hybrid workplace?
The good news is that while protecting the new hybrid workplace will be difficult, there are best practices that can guide corporate cybersecurity executives.
In this context, the Zero Trust model is gaining popularity as a way to manage office workers and those who work from home through cloud-based systems.
Today, there should be no blind trust in devices and users within the corporate network. Multiple technologies will be required for the model to work properly: from multi-factor authentication (MFA) and end-to-end encryption, to network detection and response, partitioning strategy and more.
But before they even think about implementing new security controls and technologies, organizations need to write their new hybrid workplace policy from scratch.
This policy should include: access rights for individual employees, remote connection procedures, off-office data management and user cyber security responsibilities, among many other elements.
Finally, the recipe for a successful cyber security policy should include regular training and awareness raising for all employees.
Because the human factor may be the weakest link in security, but it is also the first line of defense.