With a hybrid working model, there is a greater reliance on technology, which can bring additional cybersecurity risks. DigitalWell’s Chief Technology Officer, Kevin Paige, examines the top 5 considerations for successful hybrid working.
Throughout the COVID-19 pandemic, much attention has been given to the more visible elements of working from home. The fervour of setting up Teams and Zoom calls and home offices, and of settling into the new work-from-home routine, has subsided.
Now, as we enter into the third year of remote working, businesses are adopting what is known as a hybrid working model.
This model offers benefits for businesses and employees alike, but it has created a headache for IT leaders, with significantly higher technical issues and data security risk levels to contend with. According to Deloitte, cyber-attacks are becoming increasingly sophisticated, with those using unseen malware methods rising from 20 per cent to 35 per cent since the outbreak of the pandemic led to a change in working practices. This figure has been rising dramatically since the outbreak of the Ukraine War.
Office systems afford us a higher level of security with firewalls and blacklisted IP addresses. In the new age of hybrid and remote working we have an increased reliance on technology, which proportionally increases the risk of cyber-criminal activity. Without the proper solutions, an organisation risks not only a ruthless cyber-attack like Log4j and FoxBlade but also a deterioration in brand trust, an increase in time-to-revenue and regulatory fines for data breaches.
The core problem is that whilst remote working has been common for some time, networks and security systems were usually built around the assumption that most workers were in the office most of the time. Remote workers were supported, but as a minority that would essentially just ‘latch on’ to the office network. Now we have reached an inflection point where the old ratios have flipped: for many companies most workers now work remotely most of the time. This throws up a dilemma: either carry on with the old model, and see the office network become a bottleneck, or allow users to break out directly to the internet from home, and risk losing visibility, control and compliance.
To maintain effective security amidst this new paradigm, different approaches are needed, and most companies will need to re-evaluate their systems and security architectures to accommodate these changes.
In many cases temporary changes wrought by the pandemic have slowly drifted into the status of permanent changes, which potentially opens up massive vulnerabilities. It is vital that companies re-evaluate, and make sure that what is in place today is suitable for the long-term.
Whatever direction your company has decided to take, there is one question that rises to the surface: is your IT infrastructure able to support this new model effectively and, more importantly, securely?
Remote Working Poses New Challenges for IT Managers
According to a recent industry report, 72% of security leaders find that procedures and controls have become more complex as their businesses pivot to remote and hybrid work.
Another survey, the HP Wolf Security Rebellions and Rejections Report, shows that 83% of IT team members agree that the increase in home workers has created a ticking time bomb for a corporate network breach.
Companies have heard employees loud and clear: hybrid and remote working will remain after restrictions ease. Going forward, it is imperative for companies to create a rock-solid plan for their IT, information security, and technology infrastructures.
Top 5 Considerations for Future Proofing Your Hybrid Working Model
1. Getting the Basics Right
As systems change and the attack surface grows, it can be easy to lose sight of some of the more fundamental challenges.
According to a recent report by the Ponemon Institute, 60% of breaches in 2019 were attributable to vulnerabilities for which a patch was available, but not applied. So if you can simply stay on top of patching, your overall risk profile can be massively transformed.
This is easier said than done, however. The reason why this issue persists is that patching systems is no easy task, and often consumes significant resources that are needed elsewhere. Many companies know that they are vulnerable but feel powerless to do anything about it. So all options need to be considered, including outsourcing. If you don’t have time to patch, maybe you need to pay someone else to do it?
Visibility and awareness are also key. Regular vulnerability scans are a step in the right direction, but are you tracking the resolution? And once you know where you stand, can you effectively prioritise? CVSS scores are the standard measure of vulnerability severity, but these will often fail to consider the criticality of the systems being scanned, or other offsetting countermeasures elsewhere within your systems, so relying on these alone may be a mistake. Effective prioritisation is more of an art than a science, so expert help may be needed to ensure you are focusing your limited resources in the right direction.
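An added illustration of the point above (not from the original article): a short Python sketch that re-ranks open scan findings by CVSS adjusted for system criticality and offsetting countermeasures, and flags findings whose resolution has slipped. The weights, the 30-day target, the field names and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative weights (assumptions, not a standard): tune to your own estate.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
COMPENSATED_FACTOR = 0.6   # finding is mitigated elsewhere (e.g. segmentation)
SLA_DAYS = 30              # assumed remediation target for open findings

@dataclass
class Finding:
    host: str
    title: str
    cvss: float                 # base score reported by the scanner
    criticality: str            # business criticality of the affected system
    compensated: bool           # an offsetting countermeasure exists
    first_seen: date
    resolved: Optional[date] = None

def priority(f: Finding) -> float:
    """CVSS base score adjusted for asset criticality and countermeasures."""
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.compensated:
        score *= COMPENSATED_FACTOR
    return round(score, 2)

def open_ranked(findings, today):
    """Unresolved findings, highest contextual priority first, with age in days."""
    rows = [(priority(f), (today - f.first_seen).days, f)
            for f in findings if f.resolved is None]
    rows.sort(key=lambda r: (-r[0], -r[1]))
    return rows

def overdue(findings, today):
    """Hosts with open findings older than the target: resolution tracking."""
    return [f.host for _, age, f in open_ranked(findings, today) if age > SLA_DAYS]

SAMPLE = [  # constructed sample scan results, not real data
    Finding("lab-test-01", "Remote code execution", 9.8, "low", True, date(2022, 3, 1)),
    Finding("vpn-gw-01", "Authentication bypass", 7.5, "high", False, date(2022, 1, 10)),
    Finding("hr-db-01", "Privilege escalation", 6.5, "high", False, date(2022, 3, 20)),
    Finding("intranet-01", "Stored XSS", 5.4, "medium", False, date(2022, 1, 5), date(2022, 1, 20)),
]

if __name__ == "__main__":
    today = date(2022, 4, 1)
    for score, age, f in open_ranked(SAMPLE, today):
        print(f"{score:5.2f}  cvss={f.cvss}  open {age:3d}d  {f.host}: {f.title}")
    print("Past SLA:", overdue(SAMPLE, today))
```

In the sample, the CVSS 9.8 finding on an isolated lab host drops below the CVSS 7.5 finding on the VPN gateway, yet still appears in the overdue list because it has been open longer than the target.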
2. Remote Connectivity and Infrastructure
To enable hybrid working, companies often turn to cloud technology to enable employees to work the same way they do in the office while at home.
An end-to-end communications platform can help as employees move from the safe four walls and networks of the office to their own home networks, or even public networks. IT infrastructure should be well equipped and up to date using the latest technologies like cloud virtualisation, data storage and inbuilt security tools to power collaboration and connection in the most secure environment possible.
But hybrid working can also mean hybrid cloud. Most of the leading security vendors do not want to punish loyal customers for moving with the times, so you will often find that existing onsite architectures can be seamlessly extended into the cloud without a rip-and-replace approach. This can ensure that remote workers are subject to exactly the same level of protection and control as office workers, whilst still being able to leverage existing investments in office-based security.
3. Create a Security-Centric Culture
Irrespective of where your workers work from, human factors remain hugely significant in the realm of security. Employees are now, largely, their own first line of defence against a multitude of security risks.
According to the 2021 Verizon Data Breach Investigations Report, phishing is still the top variety of security breach, and rose in frequency during quarantine to appear in 36% of breaches (up from 25% in 2020). What’s more, 85% of breaches involved a human element.
Whilst technology can still help, it is vital that employers educate, train, and empower their staff to be accountable for how their actions can affect company security. Having best practice training and tools in place will create a security-focused culture, where security becomes the common standard, regardless of where staff are working.
4. Investing in the Right Technology
As your working model evolves, your technology stack should too. Hackers are also aware of this, which is shown by a rise in cyber-attacks on cloud services and VPN gateways.
As new frontiers continue to emerge, it is imperative to carefully consider your business infrastructure and choose solutions that are scalable, flexible, and adaptable to any circumstance. Cybersecurity is a changing landscape and the risk of data loss is severe. Your technology should include backup and recovery services, and be kept up to date through patch management and vulnerability testing.
More importantly, there are overarching implications of not investing prudently and then suffering an attack. Financial implications from having to down tools can be catastrophic, as witnessed by the recent HSE virus in Ireland, estimated at nearly half a billion euros. There is also the reputational cost to consider. Data security breaches can inflict unrecoverable brand damage. Once news of the incident breaks, customers will look for a more trusted vendor, and sales are lost. A breach can also result in fines and sanctions for breaching data protection laws. Lastly, the company suffers internally, from morale to retention to attracting new talent, stymieing its growth.
5. Implement a Proactive Strategy
Companies should educate themselves on new attack strategies, such as pandemic-themed social engineering scams which may pretend to have critical news and information about COVID-19.
If a company is proactive and always looking for the new threats and risks that may arise, that vigilance, together with investment in best practice cybersecurity and IT infrastructure, will give the company the best possible defence against an unpredictable environment.
Hybrid working is here to stay. Now, the focus shifts to learning how to best use technology to create a secure, connected working environment, whether you’re in the office or your home office.