While hybrid work models offer a variety of benefits to both employees and employers, they can be a potential nightmare for cybersecurity professionals. A company’s infosec team must now deal with a plethora of networked devices – routers, IoT devices like home security cameras and voice-enabled speakers, and personal smartphones and computers – that remote workers are using to get their work done, but which IT has no control over. According to The Netwrix 2021 Sysadmin Report, 68% of sysadmins say their organizations faced increased risk of cybersecurity attacks due to the shift to remote work.
“Remote work has had a huge impact in many ways around information security,” said Ben Rothke, information security manager at Tapad (@benrothke). For example, a basic security practice like patching is harder when everyone works from home, he said.
We asked Rothke and other members of the IDG Influencer Network, a community of IT professionals, industry analysts, and other experts, how the shift to remote/hybrid work is impacting cybersecurity practices. Their responses provide some insight into the complexity of the challenge and the steps organizations can take to reduce risk without hampering the productivity of remote workers.
A broader attack surface
The first thing that changed as the pandemic took hold were basic perceptions of information security: Where it’s applied, what it encompasses, and what needs protecting. As Joanna Young, an executive consultant and coach (@jcycio), said, “Cybersecurity needs to be a priority feature of technology solutions, not an add-on or afterthought.”
In other words, security must be baked in across the IT stack, from the network and data center to the endpoint devices that now live outside the confines of an office building.
“IT leaders and CIOs should adopt a security-driven networking approach when reimagining networking models, focusing on the convergence of networking and security in terms of a hybrid workforce,” said Elitsa Krumova, a tech influencer (@Eli_Krumova).
Endpoint devices create additional challenges, because not everyone is using employer-provided computers from their home office, and they are increasingly mixing work and personal activities on their own or corporate devices. “Device management becomes a concern as it becomes easier for corporate devices to feel more like personal devices for some employees,” said Will Kelly, an expert in technical marketing (@willkelly).
A study by Trend Micro found that 39% of workers use personal devices to access corporate data, and 36% don’t have basic password protection on all of their personal devices. In addition, more than half (52%) said they have IoT devices connected to their home network. This combination creates vulnerabilities that bad actors can exploit to tunnel into corporate networks and systems.
Cyber criminals are further exploiting collaboration platforms and other tools that have surged in use during the pandemic. As Atlas VPN has reported, malware disguised as videoconferencing apps spiked by 1,067% between March 2020 and early 2021.
“We have the illusion that bad actors are looking only for structured data,” said Frank Cutitta, CEO and founder of HealthTech Decisions Lab (@fcutitta). “But for industrial espionage, they are very happy to hack conversations and conference call platforms that provide more context than traditional data. This is the same with voice-enabled devices. Think about the number of times you say something innocuous to a family member and Alexa or Siri has an unsolicited reply!”
Don’t forget people and process
Business leaders should not think of cybersecurity purely as a technology issue – more focus needs to be placed on the people involved.
“A great deal more training and support must be given over to personal skills such as cyber hygiene and proactive vulnerability management,” said author and speaker Steven M. Prentice (@StevenPrentice).
Ease of use is more important than ever. Putting up security roadblocks for users can lead to big holes in your defense as they seek workarounds to get their work done. “Secured access must be frictionless when working remotely as to not impact user productivity,” said Jason James, CIO of Net Health (@itlinchpin). “Secured access should be seamless no matter where or when a user connects.”
And it is essential that ease of access applies to everyone, regardless of their abilities. For example, people with neurodiversity may have trouble navigating multifactor authentication. “I work in the disability inclusion and accessibility field, and cybersecurity is a huge issue for my community,” said Debra Ruh, CEO of Ruh Global IMPACT and executive chair of Billion Strong, an identity and empowerment organization (@debraruh). “When considering cybersecurity needs, blend accessibility into that conversation to assure access for all.”
Putting trust in Zero Trust security
To address this broader spectrum of challenges, many organizations are adopting a Zero Trust model for security. Zero Trust is built on the concept that an organization should not automatically authorize any person, application, or system regardless of whether they are inside or outside of its traditional security perimeter.
“Zero Trust is the future of cybersecurity in the future of work, because traditional endpoints and security strategies are becoming a relic of the pre-pandemic age and glory days of cubicle work,” said Kelly.
If there is one thing many of our experts agree on, it is that organizations need to put their trust in Zero Trust architecture.
“Cybersecurity can no longer rely on perimeter defenses, locking devices down, and employee training as their top strategies,” said Isaac Sacolick, president of StarCIO and a leader in digital transformation (@nyike). “They must look toward AI-enabled security platforms, zero trust architectures, multifactor authentication, and hardware-enabled security controls to secure a more open and technology-driven enterprise.”
Kayne McGladrey, a cybersecurity strategist at Ascent Solutions (@kaynemcgladrey), shares that perspective: “Organizations now need to continuously and unobtrusively verify the authentication and authorization credentials for both the end user and their device across all systems, both on-premises as well as cloud,” he said. “Making this seamless to an end user is key; users will find ways around onerous security practices if they are an impediment to their role. In practice, this means that Zero Trust models will become the norm in organizations with a primarily remote workforce.”
There is an old Russian proverb, “Doveryai no proveryai,” which means, “Trust, but verify.” Perhaps it is time for an updated version: “Zero Trust and verify.”