Security in the hybrid working era:
Is your organisation prepared for new risks?

Until 2020, face-to-face interaction with employees made it easier for IT teams to solve problems and, indeed, the process typically relied on it. If employees worked outside the office, the infrastructure allowed workers to access internal systems via a VPN, and typically this was quick and secure. When the pandemic hit, working habits were totally transformed and with it, the IT landscape. Departments suddenly had to adjust to a range of new security challenges they hadn’t expected.

From a practical standpoint, access suddenly became a major challenge. While hybrid and remote working is not a new phenomenon, VPN access was intended for a small number of people working from home, not designed to cope with everyone working outside of the office. The sudden and sustained increase in users wanting to connect caused oversubscription and stressed the VPN headend.

Meanwhile, solving issues could no longer be done in-person, creating difficulties validating the identity of the person IT were communicating with. This led to a spike in social engineering attacks where cybercriminals impersonated the identity of legitimate sources. In fact, attacks like these were listed by Verizon as the number one most common malicious breach attack in their 2021 report.

Another issue was the higher likelihood of shadow IT among a remote workforce. If half of the workforce is at home, it becomes more difficult to prevent staff using their home devices and applications instead of those approved by their organisation, simply out of familiarity. Official BYOD (bring your own device) programmes in the office are formalised and require employees to follow specific terms of use. But it’s harder to maintain these practices with home workers who often perceive office policies as not applying to home environments.

These concerns are not going away. The sudden adoption of remote working has evolved into a permanent framework of hybrid working. It’s essential, therefore, for IT teams to adapt too, approaching each new working environment, separately and as a total to ensure a flexible, agile security response.

According to our recent research, 77% of IT decision makers say that employees stop following security procedures when offsite, even though organisations are already operating an official hybrid working policy. If IT teams are going to have full control over security, it’s crucial to set out very specific policies about working behaviour outside the office, from device safety to application downloads; from connecting to networks to how to safely dispose of print documents with shredders – this shouldn’t just be left up to the employee judgement.

As research shows that employees may misunderstand where the rules apply and why it’s important, the best way to deliver these is through mandatory webinars which emphasise the responsibility employees have while working anywhere. Whether they have training or not, workers are still vulnerable to deliberate malicious attacks and so your organisation might want to consider investing in proper education and security training to prevent employees falling victim to scams like phishing.

Co-working and shared spaces are on the rise as a flexible, lower cost alternative to owned space. However, it’s crucial to pay close attention to the security policies and T&Cs when identifying a co-working space, beyond just the cost and facilities perspective. Many organisations may believe co-working spaces are responsible for security on their premises, but the reality is that the venue may have mandated in the small print that they hold no responsibility.

Ask questions to ensure co-working spaces meet the same security levels and expectations for your company’s own policies: What’s their physical security like? Can anyone just walk in? What are the terms around data loss or breach? Who is considered responsible if they occur? In addition, what are the security policies with regards to printing? Can anyone access documents?

It’s important that employees understand the security threats associated with working on the go. Shared WiFi in coffee shops, for example, can be accessed by anyone, so it’s essential for employees to only access company documents through the VPN to maintain security. In addition, it can be easy for workers to physically expose information to others, by stepping away from their laptop to get a coffee, or simply sitting in front of someone on a train. If your workforce typically travel for business, IT decision makers should consider simple fixes at the least, such as privacy screens for devices.

Organisations should also understand that people aren’t perfect – losing a company phone or leaving a laptop on the train is certainly not uncommon. With that in mind, precautions are a good idea. Consider introducing Bitlocker before a user can access the operating system, encrypted hard disks and the capability to send a signal to mobile device and wipe it to prevent someone accessing company information.

Organisations across the globe have had to introduce remote and hybrid working quicker than they’d anticipated. As a result, IT teams have had to work incredibly hard simply to make sure that the business could keep running remotely. Now that the dust is settling, security should be a top focus. With so many new potential security threat sources in a distributed workspace, all organisations would benefit from reviewing security protocols and policies. In particular, with so much change impacting employees’ work life, it’s important to understand that they may not be aware of how that should impact security practices or understand how their own behaviour needs to change. With the knowledge in place, along with rigorous employee training, your organisation can get the most of hybrid working without putting your security at risk.