Many workforces globally are either planning for or in full swing with their return to the office. Whether employees are heading back on a full-time basis, only part-time, or remaining fully remote post-pandemic, cybersecurity teams are faced with a new, complex challenge: how can they protect their organization and employees in a hybrid working world?
Before I delve into the security challenges of returning working in the office, I’d like to add that I’ve seen many discussions around the implications of 'returning to work’. This isn’t the case. Employees globally have still been working and facing many security issues – but we’re now potentially starting to shift back to working on-site rather than remotely. Like with cybersecurity training, carefully chosen language is key, which is why we’re discussing ‘hybrid’ working models here as opposed to the ‘return to work’.
One thing is for sure; there is no one size fits all approach. When we look at the large-scale breaches we have seen over the past couple of months, these indicate what attacks can look like in such hybrid environments, as employees globally are spread between the office and home environments. And the outcome can be catastrophic.
What we’re seeing is that systems that have been long disconnected from the robust security of the corporate network are now becoming more connected. Add to this the use of work devices for personal activities and family members using corporate devices – the controls that we once had in place in the office to prevent personal device abuse have essentially gone out the window. These devices are now making their way back onto the corporate network, bringing security implications.
And this is just the tip of the iceberg. Employee behaviors have changed, and the way teams collaborate has shifted. Furthermore, unknown new faces are joining teams. So, what should cybersecurity teams prioritize as we move to a hybrid workforce?
Level Setting Devices on the Network
As employees have been working from personal devices, and have also had their corporate devices connected to home networks for over a year, vulnerability management as part of the return to office security checklist is vital.
Cybersecurity teams need to ensure that all devices coming back onto the corporate network are cleaned up. Cybersecurity teams should also analyze the full security posture of these devices to ensure employees are not potentially bringing back malware onto the network that can compromise the organization’s systems.
There needs to be a massive effort in asset management, asset control, asset reconfiguration and ensuring that all devices are patched and updated. Many people don't even restart their machines, so seemingly basic actions like this need to happen.
Assessing and Addressing Employee Behavior Changes
The majority of us have been working out of the usual confines of the office for a while now, and with that comes a natural behavior change. Outside of wearing pajama bottoms on Zoom calls and sending emails from the sofa(!), many employees’ security behaviors have likely shifted, and, unfortunately, become laxer.
These new potentially risky behaviors need new training efforts. People have built new cultures and new ways of working, so security teams need to reinforce what ‘good’ looks like. They need to define what good looks like in this new hybrid world and then need to reinforce it with security and awareness training that marries up to the new behaviors and cultures we are seeing. Old messages also need to be reinforced to allow people to fold back into the security constraints within the corporate network.
Despite the potentially risky behaviors that organizations need employees to shake, some significant behaviors should continue to be encouraged, for example, collaboration.
Maintaining Collaboration
Due to the pandemic, the shift to remote working has forced employees globally to find new ways of collaborating with each other, suppliers, or third parties, or customers. This shift has proved highly successful for organizations in terms of business continuity – but how can it be done on an ongoing basis securely?
While email remains the number one channel of doing business, people have increasingly started using different telecommunications services for video calls or chat functionality. Many employees may have downloaded new and exciting applications that not typically used within the day-to-day business.
These new applications will likely continue to be a big security challenge. Cyber-criminals are opportunistic and are all too aware that collaboration tools are a rife target to spread malware into an organization, even as we head into a hybrid working world.
Organizations must be aware of all the new channels, applications and services that employees use that potentially might be that new attack vector. You don't want to lock down systems and prevent these new ways of working, but you need to be aware of them and protect them.
Same Threats, All Targets
Regardless of location of work, one thing remains the same: people are the prime target.
The latest Verizon DBIR demonstrates this. Last year, the tactic most responsible for cyber-attacks was phishing (36%), with 85% of the breaches profiled involving a human element.
Cyber-criminals will continue to use carefully crafted phishing attacks to target employees. They understand that one click is all it may take for a successful cyber-attack – whether the employee is in the office, at home or on the move.
They also understand that credentials are the new crown jewels: providing access to data ever more moving to the cloud. In fact, credentials were used in 61% of all breaches last year.
New Faces, New Threats
Lastly, we need to focus on the risks that new employees may bring. Firstly, new employees are ripe targets for social engineering and phishing attempts. They haven’t been introduced to many employees yet, and perhaps haven’t gone through the organization’s security training and will be eager to please.
In addition, there’s the challenge of physical security threats. With many new people hired throughout the pandemic without meeting any members of the team face-to-face, it’s likely that you – and your receptionist - won’t recognize new faces in the office. This opens up the opportunity for unauthorized visitors to sneak into the office and potentially cause heightened security risks.
No One-Size-Fits-All
The security challenges organizations face with the return to the office are ‘hybrid’, and there is no one-size-fits-all solution.
Organizations can protect users and improve their defenses by modifying their security controls to address how people work today. Preventing today’s incidents involves strengthening the defenses of three aspects: people, processes and technology, all within a people-centric security strategy.
Businesses must assume that someone within their organization will always click and craft a security strategy that protects people first. Organizations must train their employees on the sophisticated attacks found in the wild. Companies should ensure that they assess end-user vulnerability and training on today’s threats, providing actionable skills for protecting themselves in the office, at home and in a hybrid environment.