(Ghostwritten for Zoran Cocoara)
The speed at which change comes to our lives can be overwhelming, affecting organizations even more than individuals. While hybrid or fully remote work models were bound to be “the thing” sooner or later, the 2020 onset of the pandemic poked us all in the back with a hot stick, and the pains that businesses had to endure to make this possible are immeasurable – for most of them, it meant turning their world upside down.
One of the biggest concerns when switching from an office to a hybrid/remote environment was work security. Before 2020, many organizations relied on secure local wi-fi networks to connect to local resources, which is still quite common despite the ongoing move to the cloud. That meant that they needed to introduce VPNs for all public wi-fi connections and to secure all the company laptops for remote work – all in a very short time span. This, in turn, meant that many security teams needed to completely change the focus and put other security risks, such as application vulnerabilities or data security threats, on the back burner.
Since we’re past the emergency period, now is the time for businesses to re-evaluate their security priorities and take steps to focus on everything that had to be pushed back while converting to a different work model. Here are 5 tips for those organizations that are ready to have a deep look at their data security in a new hybrid work environment.
Tip 1. Accept that company assets are used for private purposes
The hybrid work model brings a lot of benefits to the employee. It greatly reduces time wasted on commuting, allows for a much better work-life balance, makes you feel trusted and enticed to take initiative, and more. However, from a practical point of view, it often means having to fit yet another computer in your current home environment. Many employees decide that it’s either impractical or too expensive to have two computers, one for work and one for private purposes, and end up giving up on their own devices, using the same setup for both.
An employer may limit the use of the work computer as a personal device by enforcing strict control, limiting access to social media sites, and more. However, in some cases, access to social networks is needed for work purposes as well, and extensive control is a large workload for the already strained IT department. Such extensive zero-trust endpoint control also makes the employees unhappy. Therefore, most companies accept the fact that the work device is also used for accessing private resources after (or even during) work hours.
From a cybersecurity standpoint, most organizations secure company assets by limiting software installation capabilities – users are not able to install anything on their own or have a library of software that is approved by the employer. The computer is also protected using antivirus and anti-malware software and connects to company assets using a trusted virtual private network. However, many businesses forget that none of these measures has any effect on protecting sensitive data!
In a hybrid/remote work model, it is very likely that the user will copy sensitive information belonging to the organization and accidentally paste it while using social media, causing a data breach that can result in huge fines. Users may also save company information in text files and then attach the wrong text file to a personal email. This makes an endpoint solution that prevents such mishaps absolutely necessary in a hybrid work model.
Tip 2. Do not fall for the false sense of security in the cloud
Today’s hybrid work environments make the appeal of clouds even bigger than before. Moving the company assets and apps to the cloud means that there is no longer a need to maintain a continuous IT presence in your own server room in company offices, there is no need to manage VPN connections between remote workers and the company infrastructure, and you can save a lot on hardware maintenance costs, network security, and more.
However, the move to the cloud also has its drawbacks. For example, it often makes organizations believe that the cloud provider will protect their data and systems, which causes a false sense of security. In most cases, clouds provide just the infrastructure for company applications and security measures related to this infrastructure only. This means that when it comes to protecting your data, the move to the cloud usually does not improve your security and, potentially, has the opposite effect of numbing your senses.
If your user works remotely and accesses company data stored in the cloud, they most likely will need to use this data in another cloud application. While all cloud applications are accessible via the browser, they are rarely interconnected to facilitate data exchange. This means that the good old CTRL+C and CTRL+V are in heavy use, which is an accident bound to happen. The more the users need to move data between applications, the more likely this data will end up somewhere where it shouldn’t be. Again, this calls for an endpoint solution that is able to detect sensitive data and prevent sharing this data outside dedicated applications.
Tip 3. Don’t underestimate the use of USB memory sticks
For many of us, USB memory sticks already seem like “the thing from the previous decade”. New generations react to such technology just like they react to floppy disks or CD-ROMs, perceiving it as outdated. Pendrives seem even less needed than ever with the move to the cloud and with a hybrid environment where the hybrid workforce can carry the laptop between the company office and their home office.
However, in many environments, USB memory sticks still see a lot of use, especially when large amounts of data need to be transferred between endpoint computers. Even at the office, there is simply no easy way for Jane to send a large file with customer information to John, unless through some kind of file-sharing platform like Google Drive or Microsoft OneDrive, which are not always in use by the company. In such cases, employees end up either sending large files via services like WeTransfer, which are most likely not approved from a security perspective, or simply putting them on a USB stick and carrying them over.
If you combine such use of USB sticks with private use of the same USB sticks due to blurring lines between work and home environments, this is a recipe for disaster. The user is likely to take a USB stick that contains sensitive company information and put some private files on it, and then, for example, give this stick to a family member. Only dedicated endpoint security solutions are able to prevent that by either detecting sensitive data and preventing it from being copied onto the stick, or by enforcing encryption of such data before it is transferred to such media.
Tip 4. Be warier of insider threats
One of the biggest benefits of a hybrid or fully remote work environment is freedom. Employees are much less stressed doing work without a boss breathing down their necks, and the new work models promote styles of management that are based more on leadership than control. However, everything comes at a price, and in this case, the price is that less control over the remote workforce means more threat of an insider incident happening, either involuntarily or voluntarily.
When employees are working from the comfort of their homes or even more from the comfort of a fancy coffee shop in Lisbon, they are more likely to be careless. Also, those rare cases of unethical employees are more likely to have enough freedom to do more damage than if they were working from the office – for the same reason ethical employees feel better, due to less control.
This means that your business needs to be more ready than ever for all kinds of insider threats, and specially intended insider threats – unethical behaviour, unfair competitors, or simple pettiness are much more likely to happen when the delinquent is far away from the office and surrounded by nobody or by people not related to work at all.
One way to reduce such risks is to increase digital control, for example, by monitoring all user activities on their laptop. However, this negatively impacts fair and ethical employees who feel distrusted and policed. Therefore, a better way is to make sure that even if the user has unethical intentions, they can’t harm the company by, for example, sharing sensitive information with a competitor or selling it on a black market. This kind of protection can only be achieved using endpoint DLP solutions.
Tip 5. Prepare for an increase in cyberattacks on employees
Reduced control and policing mentioned in the previous tip have yet another consequence – malicious hackers are also aware of it and take advantage of the fact that employees located outside of the office are a much easier target. An employee working in an office is often behind several firewalls with IT teams monitoring for any suspicious activity. And at the office, an employee is also less likely to use their computer to access private resources such as private email accounts. This means that in a hybrid/remote model, phishing opportunities are at an all-time high.
While working outside the office, an employee is more likely to click on a phishing email without first asking for advice from an “it guy” nearby or from even a colleague sitting at the next desk. If such a phishing attempt is successful, it is likely that the perpetrator will get access to sensitive information belonging to a company and located on the same computer. In addition to antivirus, anti-phishing, and ransomware protection, end-user equipment needs adequate protection against bad actors, and an endpoint DLP solution provides such protection.
Hybrid is not going anywhere, so rethink your data security
Most employees do not want to go back to the office and most prefer a hybrid model where they are able to visit the office when needed and when desired, but they are just as free to work from home or anywhere else in the world. Especially in the EU, with easy travel within the Schengen zone and with many countries like Malta and Portugal being very attractive and introducing digital nomad visas, many young people prefer to stay in different places for some time while working for the same employer. Businesses that try to bring back the office model experience huge backlash from the community and lose valuable workforce.
If you haven’t reconsidered your data security policies in this new reality, it is now a good time to do so. While the industry is hit hard from an economic standpoint and many companies realize that they have to scale down on employees, some threats are more likely to be a problem now than ever before, for example, insider threats from workers that feel they are likely to be laid off. While an endpoint DLP solution like the Endpoint Protector should always be part of a comprehensive cybersecurity environment coupled with security awareness training, it’s an affordable and very effective first step to eliminate most of the data security pains brought on by these fast-paced changes in work organization.