Hybrid Work Force Security

by Stephanie Goetz | May 14, 2021


There’s yet another debate growing post-COVID. It’s not about vaccinations, masks, or whether it’s safe to eat at a restaurant; it’s about when and how much workers will return to the office. In considering the impacts of this change, most executives are concerned about employee engagement, productivity, and culture, but should they also be concerned about security?

  1. What is a hybrid work model? The hybrid work model is a mix of working remotely and in the office in a typical work week. A recent PwC survey noted a disconnect between executives and employees over how much time should be spent in the office: executives say three days a week, employees say two days a week. Regardless, according to SHRM, the workforce will most likely return to the office, in some form, during the second quarter of 2021.

  2. Why should executives be concerned about hybrid work security? The COVID pandemic forced an abrupt shift to the cloud and the opening of remote access with little notice. A year ago, many of our clients moved rapidly to remote access, shifted to online banking tools, and introduced mobile devices on an unforeseen scale. When this happens, institutions without a strong cybersecurity culture tend not to manage these risks well, or leave them out of the plan altogether. So, now that we are seeing COVID restrictions lifting and remote work becoming part of the new normal, what accepted security risks are still unremedied?

  3. How should we begin to secure hybrid environments? A few short years ago, I remember sitting in a demonstration for a company’s first Security Information and Event Management (SIEM) tool. It was cutting edge because it had behavior-based rules and could tell you which office an employee was logging in from and whether that was expected based on past behavior. That rule would not be useful in a hybrid work environment because it would be difficult to predict where the employee would be working from. Also, we cannot inherently trust that a remote connection is secure. That’s why, to secure a hybrid work force, there is movement towards a zero-trust approach, where there is no implicit trust based on location: a user must authenticate to be considered trustworthy and to access institution resources.

  4. What additional controls should we consider? Think ‘three M’s’. With mobile devices so much more in the mix, we need to be more cautious about their security. Using a good mobile device management (MDM) solution that can ensure the devices are properly patched, virus- and malware-free, and monitored for suspicious activity is more important than ever. Moving to managed detection and response (MDR) services, where there is enhanced visibility and logging of the endpoint device’s movements, plus behavior-based anti-virus, are starting to become key discussion points as well. Finally, the most common control we hear being called for in threat reports is multi-factor authentication (MFA); it is called for in supply chain and ransomware mitigations in addition to account takeovers. Get this not only on your network but on cloud/SaaS sites as well.

  5. Don’t forget your most important control: people. We threw a lot of new things at employees in the past year. Confusion, fear, and new routines are the circumstances in which they are most likely to be tricked into bypassing security best practices, and then the unthinkable happens. So, please be sure that employees are getting educated on how to work securely from remote sites, including their homes, and how to secure their mobile devices.
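The contrast drawn in items 3 and 4, as an added example that is not part of the original article: a location-baseline rule of the kind described in the SIEM demonstration, run beside a zero-trust check that ignores location and requires MFA plus a healthy managed device. The event fields, function names and sample logins are constructed for illustration and do not reflect any specific SIEM or MDM product.

```python
from collections import defaultdict

# Constructed login events (assumed field names, not from a real log).
EVENTS = [
    {"user": "alice", "location": "HQ", "mfa": True, "managed": True, "patched": True},
    {"user": "alice", "location": "home", "mfa": True, "managed": True, "patched": True},
    {"user": "alice", "location": "client-site", "mfa": True, "managed": True, "patched": True},
    # Password-only login from an unenrolled device on the office network.
    {"user": "alice", "location": "HQ", "mfa": False, "managed": False, "patched": False},
    # Managed device that has fallen behind on patches.
    {"user": "bob", "location": "home", "mfa": True, "managed": True, "patched": False},
]

def location_rule(events):
    """Legacy behavior rule: alert when a user appears at a location not seen before."""
    seen = defaultdict(set)
    alerts = []
    for i, e in enumerate(events):
        known = seen[e["user"]]
        if known and e["location"] not in known:
            alerts.append(i)  # hybrid workers trigger this constantly
        known.add(e["location"])
    return alerts

def zero_trust_decision(event):
    """Location is never consulted; each request must prove identity and device health."""
    reasons = []
    if not event["mfa"]:
        reasons.append("no MFA")
    if not event["managed"]:
        reasons.append("device not enrolled in MDM")
    elif not event["patched"]:
        reasons.append("device missing patches")
    return ("deny" if reasons else "allow", reasons)

def compare(events):
    """Return (index, legacy_alert, zero_trust_verdict) for each event."""
    alerts = set(location_rule(events))
    return [(i, i in alerts, zero_trust_decision(e)[0]) for i, e in enumerate(events)]

if __name__ == "__main__":
    for idx, legacy_alert, verdict in compare(EVENTS):
        e = EVENTS[idx]
        print(f"{e['user']:<6}{e['location']:<12} legacy_alert={legacy_alert!s:<6} zero_trust={verdict}")
```

On this sample the location rule alerts on the two legitimate remote logins and stays silent on the password-only office login, while the zero-trust check allows the former and denies the latter.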

If you need help with your hybrid work force security plans, please reach out to us at support@bedelsecurity.com.

 

Resources:

https://www.shrm.org/hr-today/news/hr-news/pages/hybrid-work-model-likely-to-be-new-norm-in-2021.aspx

https://www.securitymagazine.com/articles/94952-security-implications-of-a-hybrid-workplace

 

Additional Resources

Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access

Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment

Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security

Do you need a separate penetration test for remote access?
https://www.bedelsecurity.com/blog/do-you-need-a-separate-penetration-test-for-remote-access

Surviving the post-pandemic landscape: 12 Technologies That Every Community Financial Institution Should Be Thinking About
https://www.bedelsecurity.com/lp-surviving-the-post-pandemic-landscape
