During the earliest days of the COVID-19 pandemic emergency, remote work was the primary topic of conversation. Shutdowns were mandated across the country and the world, meaning employees had to work from home whenever possible.
In the 18 months since, some things have changed, but the pandemic remains an issue.
Now, rather than focusing exclusively on remote work, employers are looking at long-term changes that will let them adapt to the world as it exists today rather than the one that existed in February 2020.
The hybrid work model checks many of the boxes for employers and employees but isn’t without its own challenges. For example, companies continue to struggle with identity and access management in a hybrid model and other issues related to cybersecurity.
Below are considerations and critical points to keep in mind regarding security and hybrid work.
What Is a Hybrid Workplace?
A hybrid workplace involves remote work, but it also includes working from a centralized location at least sometimes. There are elements of the traditional physical workplace environment, paired with the more modern framework of remote work.
The duality in a hybrid workplace is uniquely poised to meet business challenges because it supports remote and onsite employees.
The idea of a hybrid work environment wasn’t new when COVID-19 hit, but the pandemic did solidify it as something that’s not just a trend and is likely here to stay.
Companies initially introduced a patchwork of policies and procedures in the early days of the pandemic. Now, they’re looking toward permanent solutions that promote productivity for both remote and in-office workers. There’s a focus on how to create cohesiveness among distributed teams and maintain corporate culture.
There are also logistical challenges that are being addressed in a more long-term way.
For example, how do you maintain a high level of cybersecurity when you have dispersed teams working both on and offsite? Employees need access to certain things to do their jobs, but in giving them that access, are you creating a serious risk in terms of a possible breach?
A hybrid model encompasses digital environments and workspaces in addition to the physical.
The goal of a successful hybrid workplace model is to offer support for each employee and work style, even in the face of inconsistencies. Despite the discrepancies, you want seamless, uninterrupted work. For example, you want your employees to be able to work from home in the same way they work at the office, with all the necessary resources.
When done well, there are numerous benefits for employers including a more supported, productive workforce and better safety during otherwise disruptive times, such as when illnesses are going around.
To do it well, you have to meet challenges head-on and address them proactively.
We address some of these issues and possible solutions below, especially regarding cybersecurity and access management, since these are among the most pressing topics at this moment.
Identity Governance and Administration (IGA)
Above, we talked about the fact that in order for everything to be seamless across your office and remote work environments, employees need appropriate access. They are, however, using that access outside of your network perimeter and the centralized control and visibility afforded to you by your onsite IT team.
Employers will have to find a model that will reduce friction for employees as they’re working but at the same time address the very real risks that come with remote work.
For example, password reuse, the use of unsecured Wi-Fi, and devices that aren’t updated and secure are all risks companies face in a hybrid model.
One part of a more comprehensive solution is to improve visibility into the system with identity governance and administration (IGA) and identity and access management (IAM) tools.
These solutions are increasingly viable options for even smaller organizations, whereas in the past they were likely only in reach for large enterprises.
With this technology, employees can work remotely, and scaling is easy without sacrificing security or compliance.
Benefits these IAM solutions with IGA features might bring include:
- Password management and single sign-on tools to protect against weak passwords that lead to unauthorized access.
- Automated workflows for onboarding and offboarding employees and handling their access.
- Streamlined access request management through the creation of user groups with particular criteria.
- Entitlement management to allow users to submit needed access requests.
- Data logging and analysis so you have a centralized view of access issues and privileges.
Along with access management, endpoint security is a growing area of focus in hybrid workplaces. Endpoints or end-user devices include tablets, desktops, laptops, and Internet of Things devices.
One has to wonder just how secure these devices are in a work-from-home scenario.
For example, what are the potential effects of an unsecured wireless access point? Another risk is when remote employees download corporate data through an upload on the public cloud or via an unsecured home network. Hackers can easily steal that data if there aren’t stringent cybersecurity protections in place.
Malware and phishing also remain some of the most successful types of cyberattacks, and these can then be the gateway into ransomware. Ransomware attacks went up dramatically during COVID-19.
To improve endpoint security and mitigate some of the risks, consider the following:
- You’re going to need endpoint visibility. You might consider only allowing approved devices to connect to your network, which could make you rethink your BYOD policies. When you have endpoint detection, you can be more proactive because you have a better idea of what you’re working with. Your endpoints are your perimeter, and they need to be audited for complete visibility.
- Get rid of unnecessary data.
- Address patch management. As a business with a hybrid work model, you need to make sure you have a plan to deal with issues related to patches and operating systems. When you have a patch management program that’s strategic and practical, you’ll reduce potential outages.
- If you use VPNs, realize they’re only one part of what should be a complete hybrid work cybersecurity strategy. In the past, if a company used VPNs, that was considered the ultimate in security. Now that the traditional perimeter no longer exists because of remote and hybrid work, you’re going to need more than a VPN. A VPN may still have a role in your security plan, but not as a standalone strategy.
- Some employers are switching to virtual desktops and moving away from standalone desktops and laptops. With a virtual desktop infrastructure, the desktop runs within a virtual machine on a central server. Employees then access it over a network using an endpoint device, like a tablet. The work happens on a secure host server, reducing risks for endpoint devices.
Zero-Trust and the Hybrid Workplace
Finally, if you’re a hybrid workplace or you have employees who work remotely at all, it might be time to invest in a Zero-Trust architecture. Zero-Trust is the best way to protect data while still providing access.
An end-to-end security strategy, Zero-Trust architecture lets you control all access. No one who wants to access your network or data is trusted by default. Instead, every identity must be verified before it gets access to any resources. This applies whether they’re inside or outside the network.
Verification should ideally include multi-factor authentication.
To start using a Zero-Trust approach, you have to begin by auditing and defining your critical resources. You’ll have to get a complete picture of the assets, services, applications, and data that are most critical.
You’ll need a clear view of the flow of data across your entire network because you’ll need context to drive your decisions about how to protect it. Data flows include things happening on-premises in a hybrid situation, as well as cloud-hosted services and devices.
Another critical element of Zero-Trust is learning how to limit access to data on an individual basis. There’s a per-request approach, so every entity, including all users and devices, must be authorized before receiving access.
Least-privilege access control is critical here if you aren’t already using it. With a least-privilege access control model, each user has the lowest level of access rights necessary to do their job and remain productive.
Implementing Zero-Trust will require building micro-perimeters and micro-segments. Your large network perimeter is no longer relevant to cybersecurity in a hybrid environment because your employees are already working outside of it.
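The per-request verification, multi-factor authentication, approved-device and least-privilege checks described above can be combined into a single deny-by-default decision. The sketch below is an added example, not code from any product named in this article; the roles, device IDs, permission strings and the 30-day patch window are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions for illustration only).
ENTITLEMENTS = {                       # least privilege: role -> minimum permissions
    "payroll-clerk": {"payroll-db:read"},
    "hr-manager": {"payroll-db:read", "hr-records:write"},
}
APPROVED_DEVICES = {"laptop-0041", "tablet-0007"}   # endpoint inventory
MAX_PATCH_AGE_DAYS = 30                              # assumed patch policy


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device_id: str
    patch_age_days: int
    source_network: str    # "office" or "remote": logged, never trusted
    permission: str        # e.g. "payroll-db:read"


def decide(req: AccessRequest):
    """Evaluate one request. Returns (allowed, reasons); any failed check denies."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if req.device_id not in APPROVED_DEVICES:
        reasons.append("device not in approved inventory")
    elif req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patches out of date")
    if req.permission not in ENTITLEMENTS.get(req.role, set()):
        reasons.append("permission not granted to role")
    # source_network is deliberately not consulted: being on the office
    # network grants nothing, so onsite and remote requests are judged alike.
    return (not reasons, reasons)


if __name__ == "__main__":
    samples = [
        AccessRequest("ana", "payroll-clerk", True, "laptop-0041", 5,
                      "remote", "payroll-db:read"),
        AccessRequest("ben", "hr-manager", False, "laptop-0041", 5,
                      "office", "hr-records:write"),
        AccessRequest("ana", "payroll-clerk", True, "phone-9999", 90,
                      "office", "hr-records:write"),
    ]
    for r in samples:
        allowed, why = decide(r)
        print(r.user, r.source_network, r.permission,
              "ALLOW" if allowed else "DENY", why)
```

Logging each decision together with its reasons provides the centralized view of access issues that the IGA section calls for.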
Overall, while there are advantages to a hybrid workspace, it’s time to get serious about how you approach it, how you create policies to guide it, and how you secure your resources. The patchwork approach of 2020 is gone now, and it’s time to begin thinking that a hybrid workplace is likely to be permanent. To fully take advantage, cybersecurity has to be at the top of your priority list.