Security

How to Secure Hybrid and Remote Work Environments

As employees spend more time in the office, zero trust, device management and worker training become more important for organizations.

Brian T. Horowitz

Brian T. Horowitz is a writer and editor covering enterprise IT, innovation and the intersection of technology and healthcare.

As organizations shift away from all-remote work environments toward hybrid structures that accommodate a mix of remote and onsite employees, they will need to secure the growing number of endpoints connecting their networks.

In remote work environments, the lines separating what’s inside and outside the network blurred. John Shier, senior security adviser for Sophos, says the focus is now around the identity of individual users, regardless of where they are located. Securing both endpoints and onsite systems will be critical.

Why Zero Trust Is Vital for Secure Hybrid Work Environments

A zero-trust model is the heart of an effective hybrid work security strategy, according to Shier. In zero trust’s “always verify” approach, IT departments authenticate individual users before granting access to networks. “The nice thing about zero trust is that it builds security around the user in a way that should be transparent to them,” Shier says. “The first thing you want to do is verify the identity of the user in a strong way. That means at least some sort of multifactor authentication to prevent any accidents from a phished or leaked password.”

In a zero-trust approach, a network can check automatically for abnormal behavior, such as a Windows user logging into an account one day on a different type of machine, or a connection coming from an unexpected location, Shier says.

Click the banner below to explore the different technologies that power hybrid work.

As businesses use services like Cisco Webex and Microsoft Teams to collaborate, the tools will not necessarily be a security concern — but verifying the identity of users will be key, explains Carl Eberling, CIO at cybersecurity company Forcepoint.

“What companies must focus on is finding a way to ensure that the individuals connected to company assets are, in fact, company employees and customers,” Eberling says. “Protecting your organization and its data must bring identity, endpoint and payload — the trinity of security — together.”

Dan Kennedy, research director for information security and networking at 451 Research, says investments in zero-trust network access will bring “finer-grained access decisions and proxy-based security controls such as SASE,” or Secure Access Service Edge.

Security Posture Applies Individually in Hybrid Work

IT professionals often think of the term “security posture” as referring to an organization’s overall cybersecurity environment. In hybrid work environments, though, they should think on a micro level, Shier says. “Posture is very much something that applies on an individual machine or user basis,” Shier says. “We’re looking at the posture of that user and that machine.”

With that in mind, patches should be applied automatically to remote workers’ devices in a hybrid work environment. If a single laptop’s patches are out of date, the device should be quarantined.

“You’re basically saying the only thing you can access right now is the update server, and we’ll give you access to the rest of the network once those updates have been applied,” Shier says. “That’s how posture gets used as an indicator of security and as a way of protecting the organization.”

WATCH: Learn how hybrid work environments can be protected through intrinsic security principles.

To strengthen their security posture as they invite employees back to workplaces, organizations should assess their systems for security gaps, track the location of critical assets and understand what their business requirements are, Shier advises. It’s often best to conduct a security assessment using a disinterested, expert third party.

“An assessment is just absolutely critical to the success of your deploying this hybrid model,” Shier says.

Hybrid Work Demands Employee Security Training

As people work from home, they will require training to avoid both phishing and social engineering-style attacks, Kennedy notes.

“When you consider that phishing is typically successful when it is topical and includes a call to action, many aspects of this period, from changing unemployment benefits to vaccine rollouts, lend themselves to effective phishing campaigns,” Kennedy says.

As many workers access company data through the cloud, security threats such as phishing have increased, according to Kennedy.

“In the early days of everyone starting to work from home, many remote access architectures were strained, and people started to realize that some percentage of employees didn’t need to be connected to the virtual private network all day to do their work,” Kennedy says. “Many resources that were once in data centers when VPNs became the preferred method of remote access years ago were now offered as a service on the cloud, so sending traffic back through the corporate network isn’t a necessary step.”

With the move back to the office, at least part of the time, companies will regain some control over security, according to Eberling.

“Today’s hybrid workforce means businesses need to think about the full picture — from where the employees’ devices are to how they will collaborate when some employees are in the office to the tools that they are using,” Eberling says. “The biggest challenge of the past year was moving an entire workforce fully remote. The move back into physical offices — or rather, to a more hybrid model — actually gives security teams and businesses more control.”

As remote workers access company data in the cloud, organizations should consider cloud access security brokers (CASBs), Eberling advises. These tools can help companies manage problems such as nonemployees listening into videoconferencing calls or employees taking screenshots of sensitive company data, he says.

“Five years ago, most IT leaders would say this wasn’t needed,” Eberling says. “However, with a remote workforce, companies need to lay out additional policies and be crystal clear to employees on what those policies are.”

BYOD Issues Will Evolve in Hybrid Workplaces

Employees have used their own devices for work since long before the COVID-19 pandemic. Now, in a hybrid work environment, companies should treat all devices as if they are mobile, whether they are on-premises or not, Eberling says. They will need to register all devices and navigate around privacy concerns regarding platforms such as mobile device management.

“The reality is that businesses generally aren’t concerned if employees want to watch the World Cup on their device, unless it’s eating up bandwidth,” Eberling says. “The concern is being able to implement policies that protect, monitor and restrict devices when needed when connected to company information stores. This is still a mental model that people are attempting to grapple with, which will take time and education to evolve.”