The remote working model has meant more organisations have had to adapt to a hybrid workforce. Creating a culture of security while building an updated cybersecurity strategy is critical. Alain Sanchez, EMEA CISO and Senior Evangelist at Fortinet, discusses some key ways to build out a robust cybersecurity plan for a hybrid workforce.
Every new year brings new possibilities. Businesses take the time to evaluate strategies for staying successful, new ways to meet customer expectations and, most importantly, opportunities to enhance their security.
It’s easy to define 2020 as ‘The year the IT landscape changed’, but that only tells half the story. The shift to largely remote business environments meant adding new applications to the IT stack, securing new endpoints and shifting legacy technologies to the cloud when possible. Often, this meant delaying new product lines or services. This year, however, looks to be ‘The year of IT security maturity’. Now that companies are returning to a new normal, they can refocus their cybersecurity strategies to align with new business objectives and hybrid workforce models.
Challenges of the hybrid workforce
Organisations with employees who mostly worked in corporate offices tended to rely on firewalls to protect against cyberthreats. But amid the widespread shift to remote work, many organisations invested in VPNs to mitigate the same risks. In these cases, security teams dealt with a nearly ‘all or nothing’ approach. A hybrid workforce impacts this approach in three significant ways:
- The evolution of identity management: Identity has long been considered the perimeter that will protect corporate data from unauthorised users, whether they be cybercriminals or former employees. But considering the influx of new devices and Software-as-a-Service-based (SaaS) applications being accessed by users daily, this philosophy is no longer enough to protect critical information. As business models shift and workforces become more hybrid, security teams will need to implement strategies that can keep up.
- Constantly changing connectivity needs: While SaaS applications help workers connect with resources and collaborate, they can also slow down corporate networks. With a hybrid workforce, optimising connectivity becomes even more difficult. When dealing with a mostly on-premises workforce, organisations can easily determine their bandwidth usage and plan accordingly. But with a hybrid workforce, these connectivity needs are continually changing as workers shift between in-office and remote environments. With this in mind, organisations must deploy solutions that optimise resources as effectively as possible while still ensuring security.
- Managing the human element: Regardless of whether organisations operate on an in-office, remote, or hybrid business model, their employees will always be the first and last lines of defence. According to Interpol, approximately two-thirds of member countries reported a significant increase in COVID-19 phishing scams. And with news of vaccines, many cybercriminals may look to double down on these scams in 2021. With a hybrid workforce, organisations can no longer rely solely on corporate network security. Instead, they must find a way to prepare employees to play an active role in keeping data secure.
Developing a cybersecurity strategy for 2021
Most organisations are now fairly well-versed in the needs of a remote workforce. But with some employees moving back to office environments, even while others work from home, these same companies will need to focus on maturing their cybersecurity protections accordingly. Where 2020 was a rebuilding year, 2021 is a growth year.
Start with your people as the foundation for your security strategy
The hybrid work model brings together traditional controls and remote work security protections in new ways. First, organisations must consider the different types of users they will need to keep secure.
- General users: These individuals require secure connections to cloud resources so they can collaborate with their peers.
- Power users: These individuals require a secure wireless connection to access sensitive networks and data without placing the company at risk.
- Super users: These individuals require a secure network connection and enhanced identity verification since malicious actors often strive to use their elevated privileges as part of a credential theft attack.
Building out a robust cybersecurity plan for a hybrid workforce starts by identifying user types and establishing controls that protect the systems, networks, software and data they need for their jobs.
As part of a hybrid workplace cybersecurity strategy, organisations should also think about ways to better enforce authorisation and authentication policies. For example, Multi-Factor Authentication makes it more difficult for a cybercriminal to compromise user accounts and passwords in a credential theft attack.
Upgrade your connectivity as part of a strategic cybersecurity plan
With employees accessing cloud resources from traditional or home offices, corporate networks must be flexible and fast. A slow network reduces productivity and frustrates employees. To mitigate potential issues, organisations must deploy a solution that provides high-performance bandwidth and better secures the IT stack. SD-WAN offers the answer to both of these problems in the following ways:
- Prioritise business-critical traffic: Facilitating critical applications through SD-WAN offers reliable, high-performance connections that boost employee productivity.
- Secure connections: Secure SD-WAN builds security directly into the connection with firewalls and VPN functions, but it can also include additional features such as encryption, IPS, AV and sandboxing.
- Centralise orchestration: With an SD-WAN solution on their side, security teams can consolidate essential functions into a single location to save time and respond more rapidly to business demands.
The hybrid workforce relies on cloud resources that, in turn, depend on connectivity. As part of maturing their cybersecurity posture, organisations must think about going beyond traditional network controls. This involves thinking about their networks as the ‘new’ office where employees collaborate, no matter where they are physically located. An SD-WAN solution helps apply the same types of security to these virtual offices that security guards provide for physical office locations.
Create a culture of security by training your employees to be constantly vigilant
Employees are an organisation’s most significant security asset. With the right training, these individuals can more effectively spot social engineering attacks, thereby reducing the likelihood of a ransomware attack. Creating a culture of security starts with awareness and builds on the knowledge of end-users so they can apply the information to new situations. A practical solution meets employees where they are in their security journey, then reinforces their skills.
- Know the basics: All employees must understand key attack vectors so that they can recognise them in the real world.
- Communicate effectively: Organisations must continuously communicate with their employees and keep them updated so that security remains top of mind.
- Measure progress: Organisations must track employee progress as part of creating a culture of security.
Creating a culture of security is a commitment. However, cybercriminals won’t stop looking to exploit human nature after the pandemic. Employee awareness may be the single most important investment organisations make as they mature their cybersecurity posture in 2021. While companies can’t always control what their employees do, they can give them the tools they need to make secure decisions.
Facing new challenges head-on
Companies that embrace change are the ones most likely to remain financially stable. Creating a culture of security and establishing a new, updated cybersecurity strategy is critical for organisations with hybrid workforce models. This means implementing the tools needed to help advance business and security objectives, from Multi-Factor Authentication to SD-WAN. In turn, these solutions will also enable businesses to be more productive.
The workforce will likely never look the same as it did before COVID-19, but by building cybersecurity into their business goals, organisations can better keep pace with the ever-changing ‘new normal’.