There is little doubt that the COVID-19 pandemic was a unique experiment in the viability of remote work for many businesses.
As the pandemic subsides you’re going to be faced with a critical business decision: Should your team work on-premises, continue working remotely, or adopt a hybrid workforce model?
No matter what you choose, cybersecurity is going to be paramount.
In this article I will overview the security risks of allowing employees to work remotely and provide you with tips for protecting a hybrid workforce so you can keep data safe when employees work from home.
Web filtering, device control, and user activity monitoring solutions
A hybrid workforce is neither fully remote or fully in-office. In a hybrid workforce employees alternate between working from home and working on-premises.
This model is thought to be the “best of both worlds” when it comes to maximizing the benefits of remote work with the benefits of working collaboratively in-person.
Providing employees with the flexibility to work from home part-time allows them to maintain a greater work/life balance and focus deeply on independent work while still affording them the opportunity to come into the office to work on tasks that benefit from in-person interaction.
Quite simply, the demand for remote work is here to stay.
In fact, a Gartner survey from June 2020 revealed that a majority (82%) of company leaders planned to continue allowing their employees to work remotely at least some of the time.
This revelation is further cemented by the fact that major firms such as JPMorgan Chase & Co. are looking to downsize the office space that they’re leasing as a direct response to changes in their workforce.
In a recent open letter to shareholders, Jamie Dimon, the CEO and Chairman of JPMorgan Chase & Co., announced that the firm will have some employees working under a hybrid model and a select few working full-time from home.
Naturally, there will be no shortage of companies maintaining physical offices. But the pandemic has made it blatantly obvious that working from home is far more viable than we originally thought. Seeing major organizations consider the viability of WFH arrangements going forward is a clear indicator that the future of work is going to be different going forward.
Is working remotely the future of work?
While there are fully-remote companies such as Buffer, this style of working is not the norm. Many companies with remote-compatible roles still want employees to work in the office as they feel that there are tangible benefits of maintaining an on-premises crew.
That’s where a hybrid work-from-home (WFH) model comes into play.
A hybrid WFH model allows employers and employees alike to reap the benefits of remote work while mitigating the cons of remote working such as loneliness, difficulties collaborating, and reduced visibility into employee workflows.
To get the most out of a hybrid-remote model, it’s important to understand where the “sweet spot” lies.
While the ideal amount of in-office time will vary depending on the needs of the company, employee preferences, etc, the best practice is to allow employees to work from home between 1 to 3 days a week.
This cadence has been found to be the optimal balance between time for focused independent work and time for in-person tasks such as highly collaborative work.
Many employees prefer this range, too
According to a survey in a report by Tessian only 11% of the working professionals want to work solely from the office after the pandemic subsides. Based on their findings the average employee would prefer working remotely at least two days a week.
There are significant security challenges when supporting a hybrid workforce. If your company is going to transition to a hybrid WFH model you need to be aware of the cybersecurity risks of working from home so you can keep sensitive data secure.
According to the Tessian report, the top WFH security concerns of IT leaders are:
As you can see, the risks associated with portability and location independence are top-of-mind for IT leaders that need to manage the security of a remote workforce. Personal devices are of particular concern as IT has less control over employee security measures.
But these aren’t the only vulnerabilities introduced by remote workers.
Supporting a hybrid workforce often requires organizations to adopt more cloud services, have employees transfer files across different networks, and provide external access to their internal resources.
If you’re going to support having employees work from home, you need to be prepared. This next section will break down the top cybersecurity challenges of a hybrid workforce so you can plan ahead.
It’s no secret that employees and managers alike struggle with visibility when employees work remotely.
The difficulties caused by a lack of visibility extend beyond employee performance management; it affects cybersecurity, too. This reduced visibility provides insider threats with ample opportunity to engage in activities that put sensitive data at risk.
What are insider threats, exactly?
Insider threats typically fall into one of two major categories: negligent and malicious.
Negligent insiders are employees that:
The 2020 Ponemon Institute Cost of Insider Threats report found that negligent insiders make up approximately 62% of insider security incidents.
While malicious insider threats are notably less common than negligent insider threats, an effective hybrid workforce cybersecurity strategy needs to mitigate the risks associated with them nonetheless.
Malicious insiders are employees that:
Under the right circumstances even the most trustworthy and competent employees can become insider threats.
To put things into perspective, consider this: According to a Deloitte survey, the volatility of job security during COVID-19 had 26% of employees strongly considering keeping copies of valuable company data.
In the event that they lose their jobs they could use this data for personal gain such as gaining favor with a competitor or selling it to interested parties.
Without critical security controls in place, employees are free to transfer sensitive data such as intellectual property and personal information to an external storage device – all from the comfort and privacy of their own homes.
These aren’t theoretical risks, either. According to the Tessian report, 27% of businesses experienced an increase in security breaches caused by insider threats between March and July 2020 compared to the five months before the pandemic. A staggering 43% of those security incidents were caused by malicious insiders.
When transitioning to a hybrid workforce model your cybersecurity strategy needs to account for the reduced visibility of those working outside of your organization’s security perimeter. Implementing remote employee monitoring tools provides you with valuable knowledge of employee activities so you can keep an eye out for high-risk behaviors.
Physical security is a serious concern when employees work off-site.
When threat actors have physical access to devices there is a far greater risk of compromise. This is precisely why on-premises access control measures are implemented in the first place.
So why is physical security such a concern when employees work from home?
Simply put, a dedicated office building is far more secure than your average home office, coffee shop, or hotel room.
Devices in a remote environment are at a far greater risk of unauthorized access from family members, roommates, and thieves than those that are strictly on-premises.
Besides that, employees that frequently travel for work need to use mobile endpoints such as laptops and cell phones. These devices are far easier to misplace or have stolen than a full-sized desktop in a secure building.
There’s also the issue of sensitive data being stored on portable storage hardware.
Portable storage devices such as hard drives, USB flash drives, and SD cards are easily lost or stolen. If employees are permitted to transfer sensitive data to these devices there is a significant risk of data leakage, such as in 2013 when the medical information of 16,000 LifeLabs patients went missing following the loss of a hard drive.
Public WiFi hotspots present a significant security risk for mobile workers. This is precisely why 53% of IT pros in the Tessian report list “employees working while connected to public WiFi” as their top security concern.
The greatest risks in this scenario stem from the ease with which an attacker can conduct a Man-in-the-Middle (MitM) attack. Depending on the form of attack used a threat actor could analyze a remote worker’s network packets or steal credentials with a spoofed landing page.
These risks aren’t unfounded, either.
58% of employees in the Tessian report admit to considering public WiFi a potential option when working remotely.
Contrast this with the fact that 81% of businesses in the 2018 iPass Mobile Security Report experienced a recent WiFi-related security incident, with 62% of those incidents occurring in cafés and coffee shops.
So, how can you mitigate this security risk?
The best way to curtail the allure of public WiFi hotspots is to provide remote workers with convenient portable internet access. This can be accomplished by providing your employees with a generous mobile data plan or a dedicated mobile router.
If your employees absolutely need to use public WiFi, have them use an enterprise-grade virtual private network (VPN) to reduce the chance that their network traffic is intercepted by a nearby threat. They must also be cautious when entering any credentials as the landing page they are on may not be legitimate.
Managing the flow of data is difficult enough for businesses that operate exclusively on-premises. The hybrid workforce model further complicates this by challenging the concept of a “secure inner perimeter” as the go-to method for keeping data safe.
In a traditional environment any external source attempting to interact with internal resources would be immediately suspicious. The geoblocking features of the on-premises firewall would simply restrict access when anything from outside the network attempts to connect.
This way of thinking is simply unreliable in a hybrid workforce.
Since employees need to have secure access to company applications and data from outside the company’s network, businesses can no longer rely on simply hardening their inner perimeter to maintain security.
While a hybrid workforce certainly challenges our reliance on a secure internal perimeter, it doesn’t completely negate it. The security of the network you operate from is still an important risk factor to consider.
When employees work from home they operate from a network that is simply nowhere near as secure as a robustly protected corporate network.
The most common vulnerabilities of home networks include:
The most practical way for employees to secure their home networks will be to have them place IoT devices on a separate network, use a unique and secure password for their home routers, turn off remote access, and update their router’s firmware.
When allowing employees to work from home the best practice is to provide them with company-owned devices.
The reason for this is straightforward – when you own the device, you have far greater control over how it is used, monitored, and secured.
Personal devices have a greater risk of malware infections due to higher-risk web browsing, the downloading of unvetted applications, and other activities that would not normally take place on a work-only device.
Top that off with the fact that an off-site personal device is unlikely to get the same level of maintenance as a company-owned device; then you can see why BYOD makes IT pros weary.
Unfortunately, many companies were pressured to allow their employees to use personal devices during COVID-19.
A June 2020 survey conducted by IBM Security and Morning Consult found that 53% of employees were using their personal devices for business use while they worked from home during the pandemic.
Some of those employees also needed to access personally identifiable information (PII) from their personal devices. Despite the increased risks, a shocking 52% said that their employer did not provide tools to keep their devices secure.
82% of IT leaders surveyed in the Tessian report believe that their company is at greater risk of phishing attacks when employees are working away from the office.
This is certainly true in the best of times, let alone during a global pandemic.
During the early onset of COVID-19, the FBI’s Internet Crime Complaint Center disclosed that they received a 300% increase in reported cybercrimes.
Threat actors are keen to take advantage of any sort of increased stress and uncertainty to trick employees into providing them with sensitive information, paying fraudulent invoices, and other related schemes.
The reduced visibility of a hybrid workforce makes verifying the legitimacy of requests even more difficult.
Employees need to be increasingly vigilant in spotting and reporting any sort of suspicious requests they receive, especially if an incoming email or phone call tries to make them urgently disclose sensitive information or transfer funds to an unrecognized account.
With the cybersecurity risks of a hybrid workforce in mind, this next section will provide you with guidance for improving security when employees work remotely.
Note: As with most things technology-related, the cybersecurity needs of a hybrid workforce are constantly evolving. While these best practices will serve as a critical starting point they may not account for every vulnerability you may face when managing off-site employees.
When employees take devices off-site it’s critical that the monitoring of devices and users is increased.
Monitoring employee computer activity provides security teams with the opportunity to detect potential indicators of compromise before an attack can escalate.
Employee monitoring can also identify employees that are engaging in high-risk behavior. With evidence of misuse readily available, these behaviors can be readily corrected to reduce the likelihood of a data breach or other security incident.
Common things to monitor include:
Company policies are critical tools for communicating expectations to your employees. This tip is certainly not exclusive to a hybrid workforce, either; all employees need to be provided with clear guidance.
Despite the critical role that company policies have for keeping data secure, more than half of the employees surveyed in the IBM Security report stated that they were not provided with security policies that addressed how to work from home safely.
When securing a hybrid workforce it is paramount that employees are given extensive training and policies. The exact policies that are implemented will depend on the nature of their roles, the types of data they interact with, and the internal resources they’ll be able to access when they work remotely.
Examples of company policies
To make a hybrid workforce viable any employee that works from home needs to be adequately trained in their security responsibilities.
When it comes to protecting sensitive data, IT security awareness training is simply non-negotiable. When equipped with the right training employees are a valuable asset for protecting against data breaches.
Security training is not a one-and-done deal, either.
When transitioning to a hybrid workforce model you need to ensure that all of your employees are aware of the risks of remote work. They need to be trained on the requirements for managing sensitive data and regularly reminded of the company’s security policies.
Why is IT security awareness training so important?
Knowledgeable employees not only make far less security mistakes, they help identify suspicious activity so it can be properly tracked and investigated before it leads to serious consequences.
From a data loss prevention perspective, security training reduces the potential that insiders will put sensitive data at risk by breaking secure data handling protocols. It equips them with the knowledge of why these protocols are necessary so that they can better understand their purpose.
For example, negligent insiders may think that sending company files to personal email accounts so they can be printed at home is appropriate. Correcting these thoughts and behaviors early on is a simple yet effective way to curtail significant security risks.
Who should get security training?
Security awareness training needs to be prioritized for any employee that interacts with corporate systems.
Despite the potential consequences of misinformed employees, a mere 20% of employees in the Tessian study actually took part in the training offered by their employers during the pandemic.
Worse yet, nearly half (45%) of respondents said that their employer did not provide them with security training that was focused on protecting the security of devices while working from home.
When planning your transition to a hybrid workforce you need to make sure that your employees are equipped with the knowledge they need to keep data safe.
Wherever possible you should provide your hybrid employees with company-owned devices that are exclusively used for work.
The reason for this is straightforward – when you own the device, you have far greater control over how it is used, monitored, and secured.
Providing employees with a work-only device helps to ensure that they are used safely and appropriately. It also allows you to monitor the employee’s activity without causing undue workplace privacy issues.
If you absolutely need to support BYOD:
When your employees work remotely they still need to access the same internal services, applications, and information that they would use while in the office.
Since you cannot always be entirely certain that a remote access attempt is legitimate, you need to implement robust authentication security controls.
Authentication security enhancements
Risk-based authentication helps balance productivity and security by mandating additional forms of authentication when a given access attempt is deemed high-risk. The types of risk factors include logins from abnormal locations, the device that is making the request, logins during off-hours periods, and requests to access sensitive files.
Naturally, allowing employees to work off-site makes geolocation-based conditional access difficult as their location will naturally fluctuate between on-premises and remote locations. This issue is further compounded when off-site employees travel for work or are otherwise location-independent.
The most common form of secure remote access is an enterprise-grade virtual private network (VPN). These tools form an encrypted tunnel that off-site employees can use to remotely access company resources.
As a further enhancement some VPN software clients can scan remote endpoints to verify that they meet the minimum security requirements for connecting to the network.
These features are particularly valuable when off-site employees are working remotely the majority of the time as they may not be connected to the corporate network when security updates are deployed.
Managing the security of a hybrid workforce is a unique challenge. The need to provide external access to internal resources combined with reduced visibility can prove daunting for businesses. By following these best practices and learning about the potential vulnerabilities of a hybrid workforce you can better protect sensitive information and company resources.
Want to improve the productivity and security of your hybrid workforce? Get started with a free trial of CurrentWare’s remote employee monitoring and endpoint security software solutions.