Mivy James at BAE Systems Applied Intelligence outlines the new cyber-security concerns that are appearing in the wake of the pandemic
IT and security professionals have read for the past year how threat actors have ruthlessly exploited remote working in their campaigns. But now that offices are starting to reopen and a hybrid model is emerging as the new normal for full-time work, different concerns are starting to appear.
In some ways, these risks may make the transition out of lockdown more challenging than the one we all went through in early 2020.
The future’s hybrid
According to Microsoft, two-thirds (66%) of business leaders are considering redesigning office space and 73% of staff want flexible working options, while two-thirds (67%) are after more in-person collaboration. A hybrid weekly blend of in-office and at-home working for most employees would help to meet these demands, maintaining productivity and keeping staff happy.
The attacks we saw over the course of the pandemic were ultimately aimed at the weakest link in the corporate cyber-security chain: the human. Whether phishing emails targeting distracted home workers, exploitation of unpatched systems like VPNs, or the hijacking of RDP endpoints protected only by weak passwords, they were all made possible through human error. The same will be true of the hybrid world, with some slight differences.
The main challenge is that employees will no longer have a single working pattern that would otherwise encourage automatic behaviours that help with security. Working in different locations such as office, home and co-working hubs means they’ll be carrying corporate resources around with them more frequently. Lost or stolen devices and physical documents represent a serious security risk.
It’s not just the prospect of missing devices and documents that should concern CISOs. Employees may also be connecting via unvetted networks. They could be sitting next to eavesdroppers, joining video calls that others can easily listen in on. Plus, personal devices will continue to be a risk unless properly patched, managed and protected.
Little and often
With the shift to mass remote working, infosecurity teams rushed to make sure working from home could be as secure and productive as working in the office, and those technical measures will still be relevant today. That means mandating strong passwords and multi-factor authentication (MFA) for all accounts and devices, regular phishing awareness training sessions, and ensuring staff switch on automatic updates.
If there’s budget, ensure they’re using secure, corporate-issued laptops and smartphones. A Zero Trust approach can be particularly effective at reducing risk through continuous authentication, network segmentation and minimising privileges, although it may require significant time and effort.
For the new world of hybrid work, these policies must be enhanced with a greater focus on protecting data if devices are lost. They should discourage local storage of data and ensure strong encryption is applied at rest and in transit. Employees also need to be reminded of best practices, including password management and ensuring screens can’t be seen and calls overheard.
If working in view or earshot of others is unavoidable, consider new practices including obfuscating sensitive information like client names and contract values that shoulder surfers may be interested in. And minimise the amount of printed material that gets carried around. This may mean providing greater access to shredding facilities.
User training should be expanded to cover rules around making work calls when out and about. IT security teams need to encourage a “little and often” approach—nudging users with training and policy reminders to build up a helpful set of habits irrespective of location.
Employers will need to act quickly and decisively in order to streamline the transition to the hybrid workplace without inviting additional cyber-risk. That means choosing how much equipment to supply employees with for home working.
Should they be able to select their own or will they have to choose from a preapproved set of products from a specific source? If there’s no way of controlling what additional IT equipment people use when away from the office, the most sensible course of action is to focus on dynamic, context-based security at the authentication layer, which is where Zero Trust comes in.
Printer security also remains a challenge. Allowing staff to print from home or a co-working space undermines the security measures implemented for in-office printing.
Options could include placing constraints on what can be printed and what cannot; providing alternative tech for reading large volumes of text that reduce eye strain; and offering digital whiteboards and other solutions for presentations in third-party environments.
Employers will have many awkward decisions to make as they transition to the hybrid workplace—not least, choosing which days to allow staff to work from home. However, the ones they make around cyber-security will remain critical to the success and longevity of this latest social experiment.
Mivy James is Digital Transformation Director at BAE Systems Applied Intelligence