In today's reality of hybrid work, security is more challenging than ever. As the borders between work and personal life blur, security perimeters are harder to pin down. Employees also need to install different software and services, making the space much more susceptible to supply-chain attacks.
Now, flexibility, both physically and virtually, is the name of the game to ensure secure workspaces. Executives need to adopt a "what-if" mindset with a contingency plan for every possible scenario — be it an attack from an external party, a mistake from home or a stolen laptop. Be prepared to face it all.
Education and awareness will also be vital. Employees need to know that we're in this together and that individual actions, like accidentally installing harmful software, can potentially affect the entire organization. Empower employees to work together and take charge of their security across the board, from backing up everything onto the cloud, using two-factor authentication, as well as using VPNs and restricted connectivity to production.
Finally, companies need to invest in security. Now is the time to make sure you're using the best-of-breed endpoint security products because they will pay off in the long run. Companies also need to invest in specific units to cover supply attacks for infrastructure, IP and production environments, as each team has different risks and requirements.
Ensuring employees are protected no matter where they work is challenging, but it's crucial, and our processes are constantly evolving with this new reality.
The conversation is really shifting from cybersecurity to cyber-resilience. As digital-first becomes the norm, we can no longer take a purely defensive stance against cyber attacks and must prepare for how to maintain operations and deliver outcomes despite them.
This requires thinking about wider, broader business problems first. A simple checklist of five questions can help execs determine a more proactive approach and build resilience:
1. What matters to you the most? Every company is different and understanding what matters most will give you the right guardrails.
2. Where is it? Environment-wise, you don't have to secure everything the same.
3. How are we securing it? This is the basics of "batten down the hatches."
4. How vulnerable and at risk are we? This gives you the context around your security program to understand where you need to focus.
5. How resilient and ready are we? This helps assess how prepared you are for when it hits the fan, because it will at some point and your ability to bounce back is the most important.
Additionally, organizations can no longer just worry about securing their own systems, but must now consider how their larger ecosystem creates additional risk of exposure. Security leaders need to take a collaborative IT approach working with partners and integrators to leverage their collective strength to beef up the security of the entire network.
As employees continue to balance the flexible work environment and work from home, it's important to help them recognize that their home network is now part of the enterprise network. Actively educating employees that their home networks can be vulnerable and providing educational opportunities is an evolving part of our employee education and awareness program.
Software-as-a-service applications have never been more important than in today's digital world, where companies want to provide global, low-friction access to corporate tools. It's universally agreed that adding protections like multifactor authentication and identity management are a must, but for example, one area that could get overlooked is session cookie hijacking. A seamless remote user experience is often viewed as paramount to job satisfaction and re-authenticating every few hours is viewed as disruptive. That said, not regularly authenticating is a serious risk. We've had to take a close look at how we balance SaaS session timeouts while increasing our detection and alerting capabilities. For example, leveraging advanced threat and adversary awareness tools to proactively alert our security intelligence teams on the state of cookies helps keep us ahead of this evolving industry trend.
As this distributed workforce continues to operate in unique environments, it is increasingly challenging for IT to keep up with today's "work from anywhere" employee, who is sharing information around the globe, using both personal and company-issued devices. This is where an effective endpoint data protection strategy is critical. This begins with the deployment of a comprehensive mobile device management (MDM) strategy, which allows IT to manage and secure all employee mobile devices. IT teams will also need to reevaluate the way they approach networking security and data access, for remote and in-office employees.
Another critical element to an organization's comprehensive security strategy in this hybrid work environment is its people. Investing in employee education is one of the most effective ways to increase an organization's security, by arming teams with up-to-date training and education on any phishing or ransomware attacks that are circulating. Training and continuous learning help employees understand the role end users play in a company's overall security posture.
Let's start with low-hanging fruit on which executives should already be ahead: Maintain a strong data privacy and security program, no matter what kind of hybrid environment you have.
New data privacy and protection laws have not slowed down. Executives shouldn't assume they'll get a pass just because a business may be struggling if it processes significant amounts of personal data, especially sensitive personal data.
Also, continue to shore up data and system security for remote/off-prem workers as needed, which brings up any new employee monitoring, and the impact on privacy rights that can result. Conduct a privacy review.
COVID restrictions are evolving, and executives need contingency plans. Will proof of vaccines be required? If so, how will that be accomplished and health data properly managed? What about masking — will non-vaccinated employees or customers feel "outed" because they have to wear masks while those vaccinated may not? How fast can you change the processes and proper data management resulting from changing in-person requirements, and properly communicate them?
Employee morale is more important than ever. Executives need to understand the disparate ways that employees are impacted by, and are reacting to, the current environment and how and when they want or need to work. They need to raise the bar on diversity and EQ, listen to their employees and attend to risks of The Great Resignation now to maintain happy, healthy employees for greater returns in the short and long term.
In a hybrid work environment, it is critical to have a security-first approach embedded in everything across the enterprise. A security-first approach must include strong end-point security including data leakage protection, a strong multifactor authentication model, secure web gateway solutions, micro segmentation and zero-trust network access architecture to guard against threats. It is also critical to further strengthen security and privacy training of all employees. Furthermore, as safety protocols may require gathering employees' vaccine status, health checks such as temperature check at the entry, etc., the associated sensitive information must be handled with a strong privacy framework.
The concept of privacy is evolving toward a new normal as people — particularly millennials and Gen Z — are willing to share more personal information across social media, sensors, location-based services and beyond in favor of the contextual richness that highly personalized technology brings to life. We grant specific permissions for the use of our information — both personal and aggregate usage — when we agree, whether we have read them or not, with privacy policies.
This becomes a major challenge for organizations as employees use work-issued devices for personal use in remote and hybrid work environments. It's become impossible to seek permission of all vested parties, with primary data collectors spawning secondary and tertiary uses downstream. And with the sophistication of today's cybercriminals and rise in ransomware attacks regardless of industry, it's easy to see how these risks can spiral out of control.
As we seek an appropriate balance between personal and work device usage — and seek greater accountability for data collectors — one solution will be to embed access controls into data itself at the point of creation. With such self-aware and self-protecting data, organizations can ensure that it securely flows to the right people — and only the right people — at the right time and in the right location.
Kevin McAllister ( @k__mcallister) is a Research Editor at Protocol, leading the development of Braintrust. Prior to joining the team, he was a rankings data reporter at The Wall Street Journal, where he oversaw structured data projects for the Journal's strategy team.