Remote and hybrid work environments have persisted since the start of the pandemic in 2020 sped up the move toward them. Some challenges remain, however.
According to research, organizations using remote or hybrid work are experiencing cyberattacks and vulnerabilities. In fact, a Tenable study, conducted by Forrester, found that 74% of organizations say cyberattacks recently affecting them are specifically due to remote work. Let’s learn more about cybersecurity for remote work below.
Cloud services, apps, remote access tools, and personal devices have rendered the traditional security perimeter meaningless. IT managers are working to keep up, but it’s a fast-paced, evolving, and increasingly complex environment.
An estimated 80% of business leaders say they’re more exposed to risk because of remote work. Three factors are potentially driving this: a lack of visibility into remote employees’ home networks, expansion of the software supply chain, and migration to the cloud.
Many employees are using their own devices. With that comes the risk of unmanaged devices, meaning no updates or patch management are happening. When employees are left on their own to update software or underlying operating systems, your organization faces regulatory and security risks.
With all of these considerations in mind, the following are core elements of an effective cybersecurity plan for remote and hybrid workers.
Understand the Risks
Before you can begin to build out a comprehensive cybersecurity plan for your remote workforce, you need to understand the risks. Of course, the specifics can vary depending on your industry and employees, but some of the things to watch for include:
· Phishing: This isn’t a threat exclusive to remote workers, but phishing attacks have increased tremendously since March of last year. Phishing scams work remarkably well, and they’ve become increasingly difficult to distinguish from legitimate emails and requests. All remote workers need to be carefully trained on the risks of phishing. It should be part of onboarding and also ongoing training. At a minimum, you should be using two-factor authentication for your employees to access any networks or digital assets.
· Human error: When your employees work from home, they’re more likely to be distracted and less likely to follow the cybersecurity protocols they would in the office. This leaves your entire organization open to risk. Employee awareness and training are two of the best ways to combat this. If you don’t already have one, you need a well-defined policy for cybersecurity for remote work.
· Avoiding updates: We touched on this above, and we’ll go into it in more detail below, but your employees might not be installing updates and using patches as they should. Your IT admins no longer have centralized control unless you specifically put it in place so that they can monitor and manage remote devices.
Below we’ll go into some of the more specific things to do to secure a remote workforce in terms of cybersecurity threats.
Remote and hybrid work challenges everything we know about cybersecurity.
In the past, protecting the perimeter was the idea.
Essentially, the goal of IT teams and cybersecurity professionals was to make sure everything within their network was protected. Once someone was in that network, they could move around freely. That makes a reasonable amount of sense in a conventional on-premises environment. You still have a great deal of control and centralized visibility with this approach, as long as everyone is working onsite on your devices.
What about when they’re not?
Then perimeter-based cybersecurity starts to seem somewhat obsolete. You have to consider the fact that your perimeter is gone, at least in the traditional sense.
Your employees are working from anywhere and often on their own devices. You simultaneously lose both control and visibility unless you find a solution to combat the loss.
Increasingly, it seems Zero-Trust architecture might be the way to do that.
Things to know about Zero-Trust architecture include:
· “Don’t trust; just verify” is the motto. With perimeter-based security, the motto might be described as “trust but verify.” That no longer works given the realities of a modern IT infrastructure. You have to take the approach that you trust nothing and no one. No device or application is inherently trusted.
· How do you facilitate this? Zero-Trust relies on comprehensive identity, access, and device management. These are governed by policies that are built on adaptive authentication.
· IT admins can secure access for their remote workers, but they need multi-factor authentication (MFA) and specific policies to do so.
More About Zero-Trust
· Least-privileged access is a core component of Zero-Trust. In order to implement least-privileged access, you likely need to audit who currently has access to what. From there, every user needs the lowest possible amount of access, as does every device.
· There’s a term relevant to Zero-Trust called adaptive authentication. That means that not only are the right credentials being presented, but they’re coming from the right person. That’s often where MFA is critical. Passwords are the weakest part of your security chain, so you should move away from a concept of “what you know” and instead integrate the second factor of “something you have” or “something you are.”
· With Zero-Trust, you regain monitoring capability that you would otherwise lose in a shift to remote work. Real-time monitoring gives you instant visibility into access attempts and overall network activity. When issues and threats are quickly identified, you can limit the reach of the attack and decrease the containment period. When an IT admin gets an alert, it’s also possible to isolate the behavior and prevent lateral movement to other systems.
· When a user attempts to log in with Zero-Trust in place, policy-driven controls apply conditional authentication. This means that there are individual conditions that have to be met before a device is allowed access.
Along with protecting the identity through multiple factors and strong passwords, you’ll also need to protect the device using endpoint protection and monitoring, which, again, should be part of your larger Zero-Trust strategy.
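As an added illustration (not part of the original article), the conditional checks described above can be written as a small policy function: least-privilege entitlement first, then device conditions, then the second factor. The roles, resources, factor names and the 30-day patch threshold are assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed policy data (assumptions, not from the article).
ENTITLEMENTS = {                      # least privilege: role -> allowed resources
    "finance-analyst": {"erp", "email"},
    "support-agent": {"ticketing", "email"},
}
SENSITIVE = {"erp"}                   # resources that require a managed device
SECOND_FACTORS = {"totp", "hardware-key", "biometric"}  # "have" / "are" factors
MAX_PATCH_AGE_DAYS = 30               # oldest acceptable patch level


@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    factors: frozenset                # factors presented, e.g. {"password", "totp"}
    device_managed: bool
    patch_age_days: int


def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'step-up' or 'deny'."""
    # 1. Least privilege: unknown roles and unlisted resources are denied by default.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny", ["role is not entitled to this resource"]
    # 2. Device conditions: every one must hold before the device gets access.
    reasons = []
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patches are out of date")
    if req.resource in SENSITIVE and not req.device_managed:
        reasons.append("sensitive resource requires a managed device")
    if reasons:
        return "deny", reasons
    # 3. Authentication: a password alone is never enough; ask for a second factor.
    if not (req.factors & SECOND_FACTORS):
        return "step-up", ["second factor required"]
    return "allow", []


if __name__ == "__main__":
    mfa = frozenset({"password", "totp"})
    for r in (
        AccessRequest("finance-analyst", "erp", mfa, True, 5),
        AccessRequest("finance-analyst", "erp", mfa, False, 5),
        AccessRequest("support-agent", "email", frozenset({"password"}), False, 5),
        AccessRequest("support-agent", "erp", mfa, True, 5),
    ):
        print(r.role, r.resource, evaluate(r))
```

Returning the reasons alongside the decision gives the IT admin something to log and alert on for every denied or stepped-up attempt.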
General goals that you should remember when creating a plan for implementing Zero-Trust include having multiple layers of security, enterprise-level security and simple deployment. Also prioritize scalability, improve your network performance and lower your operational overhead.
Multi-factor authentication is such an important part of working securely for remote teams that it’s worth talking about on its own, even outside of its role within a Zero-Trust framework.
You want your employees to have access to what they need no matter where they are, but security must be maintained.
The growing number of devices and applications employees use to make their work easier simultaneously reduces visibility and increases the risks. Multi-factor authentication not only addresses security but also reduces employee friction in doing so. It’s simple for employees to use MFA because it leverages something they already have.
Remote Device Management Systems
We’ve briefly touched on the importance of remote device management systems. Many organizations are managing a variety of operating systems across employee devices, and that makes device management increasingly difficult.
IT admins need to put in place a modern device management system that will give them a view of apps and software being installed on remote devices. They also need to control, monitor, manage and update devices without interruption to users.
IT teams need to be able to ensure that certain software isn’t installed on any company machines, patch software, and update operating systems when new versions become available. Along with cybersecurity, these are critical objectives for compliance.
Capabilities that a modern device management system should have, as well as being cloud-based, include:
· Patch management
· Operating system management
· Software versioning management
· Complete view of the operating system version installed on all devices and all software
· Capabilities for the admin to remove, manage, install or update software across any device
When IT admins have a holistic view of devices, they can make strategic decisions as far as when to apply updates, patches, and changes in a way that’s not going to impede productivity.
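The kind of holistic view described above can be sketched as a compliance check over a device inventory. This is an added example, not code from the article or from any device management product; the inventory records, baseline versions and banned-software list are constructed, and versions are assumed to be dotted numbers.

```python
# Constructed baselines and inventory (assumptions, not from the article).
MIN_OS = {"macos": "14.4", "windows": "10.0.22631", "ubuntu": "22.04"}
MIN_SOFTWARE = {"zoom": "6.0.0"}      # minimum patched versions
BANNED = {"utorrent"}                 # software that must not be installed

INVENTORY = [
    {"host": "lt-001", "os": "macos", "os_version": "14.5",
     "software": {"zoom": "6.0.2", "slack": "4.38.0"}},
    {"host": "lt-002", "os": "windows", "os_version": "10.0.19045",
     "software": {"zoom": "5.17.11", "utorrent": "3.6.0"}},
    {"host": "lt-003", "os": "chromeos", "os_version": "120.0",
     "software": {}},
]


def vtuple(version):
    """'10.0.19045' -> (10, 0, 19045), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def findings(device):
    """List every way one device record deviates from the baselines."""
    out = []
    baseline = MIN_OS.get(device["os"])
    if baseline is None:
        out.append(f"no OS baseline for {device['os']}")
    elif vtuple(device["os_version"]) < vtuple(baseline):
        out.append(f"OS {device['os_version']} is below {baseline}")
    for name, version in sorted(device["software"].items()):
        if name in BANNED:
            out.append(f"banned software installed: {name}")
        elif name in MIN_SOFTWARE and vtuple(version) < vtuple(MIN_SOFTWARE[name]):
            out.append(f"{name} {version} is below {MIN_SOFTWARE[name]}")
    return out


def report(inventory):
    """Map host -> findings, for non-compliant devices only."""
    result = {d["host"]: findings(d) for d in inventory}
    return {host: f for host, f in result.items() if f}


if __name__ == "__main__":
    for host, problems in report(INVENTORY).items():
        print(host, problems)
```

A device whose operating system has no baseline is reported rather than silently passed, so unmanaged platforms show up in the same view as outdated ones.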
Training and Compliance
Finally, none of the above steps will be as fully effective as they could be without proper employee training and understanding. You also need to keep compliance in mind. You should train employees regularly on the basics, like avoiding phishing emails and more complex concepts like securely working in a remote environment. Your employees need to fully understand their role in cybersecurity and how they can protect their work from vulnerabilities they might encounter when working remotely.
Along with being a general best practice, training your employees on these concepts may be a legal defense in terms of compliance. For example, if you experience an incident resulting in data loss, courts are increasingly assessing the measures you proactively took to prevent it, including employee training.
If you face litigation, you’re going to be measured against the standard of industry best practices.