As businesses use services like Cisco Webex and Microsoft Teams to collaborate, the tools will not necessarily be a security concern — but verifying the identity of users will be key, explains Carl Eberling, CIO at cybersecurity company Forcepoint.
“What companies must focus on is finding a way to ensure that the individuals connected to company assets are, in fact, company employees and customers,” Eberling says. “Protecting your organization and its data must bring identity, endpoint and payload — the trinity of security — together.”
Dan Kennedy, research director for information security and networking at 451 Research, says investments in zero-trust network access will bring “finer-grained access decisions and proxy-based security controls such as SASE,” or Secure Access Service Edge.
Security Posture Applies Individually in Hybrid Work
IT professionals often think of the term “security posture” as referring to an organization’s overall cybersecurity environment. In hybrid work environments, though, they should think on a micro level, Shier says. “Posture is very much something that applies on an individual machine or user basis,” Shier says. “We’re looking at the posture of that user and that machine.”
With that in mind, patches should be applied automatically to remote workers’ devices in a hybrid work environment. If a single laptop’s patches are out of date, the device should be quarantined.
“You’re basically saying the only thing you can access right now is the update server, and we’ll give you access to the rest of the network once those updates have been applied,” Shier says. “That’s how posture gets used as an indicator of security and as a way of protecting the organization.”
To strengthen their security posture as they invite employees back to workplaces, organizations should assess their systems for security gaps, track the location of critical assets and understand what their business requirements are, Shier advises. It’s often best to conduct a security assessment using a disinterested, expert third party.
“An assessment is just absolutely critical to the success of your deploying this hybrid model,” Shier says.
Hybrid Work Demands Employee Security Training
As people work from home, they will require training to avoid both phishing and social engineering-style attacks, Kennedy notes.
“When you consider that phishing is typically successful when it is topical and includes a call to action, many aspects of this period, from changing unemployment benefits to vaccine rollouts, lend themselves to effective phishing campaigns,” Kennedy says.
As many workers access company data through the cloud, security threats such as phishing have increased, according to Kennedy.
“In the early days of everyone starting to work from home, many remote access architectures were strained, and people started to realize that some percentage of employees didn’t need to be connected to the virtual private network all day to do their work,” Kennedy says. “Many resources that were once in data centers when VPNs became the preferred method of remote access years ago were now offered as a service on the cloud, so sending traffic back through the corporate network isn’t a necessary step.”
With the move back to the office, at least part of the time, companies will regain some control over security, according to Eberling.