How Can Cybersecurity Support the Hybrid Work Model?
It’s old news that hybrid working – staff splitting time between their home and the traditional office – is here to stay. Thanks to the coronavirus pandemic that started in 2020, 81% of enterprise organizations are moving to a hybrid work model and 31% say they have already completed the transition.
For workers, hybrid is the obvious choice. They get to save on travel expenses and work from the comfort of home (supported by powerful digital collaboration tools) while benefiting from face-to-face interaction in the office (enabled by workspace reservation and desk booking systems). Overall, hybrid work provides employees with flexibility and autonomy as well as the resources they need to thrive.
The challenge? Cybersecurity.
Cyber threats were always an evolving risk area that made the role of the Chief Information Security Officer (CISO) difficult. That job got even harder once hybrid work provided a broader attack surface for cyber criminals to exploit. More devices accessing company servers from more locations means even more vulnerabilities to monitor and manage on a daily basis.
Many cyber risks have grown more frequent since 2020, and 66% of security professionals have reported a spike in phishing – fake emails and websites designed to mimic authentic communications. From technical attacks probing for weak network security and vulnerable devices, to sophisticated social engineering attacks that exploit workers themselves, cybersecurity risk is on the rise.
The Technical Side of Cybersecurity
Many of the technical solutions to address cyber-threats are known and familiar. At minimum, any hybrid workforce should have the following measures in place to implement what’s known as a Zero Trust (never trust, always verify) approach to cybersecurity. Under this security posture, the privileges and attributes of users and their devices are validated continuously and in real time. Examples include:
- Encrypted Wi-Fi connectivity for on-site users
- Secure virtual private network (VPN) access to company resources when working remotely, as well as a form of network access control (NAC) ensuring that only corporate-managed assets can connect
- Multi-factor authentication (MFA) for all users
- Email scanning to detect malware
- Email encryption to protect messages in transit from prying eyes
- Principle of least privilege – tiered permissions granting users access to only the data and functions needed for their job
- Dynamic risk assessment that detects risky behavior and prompts additional verification
It is also wise to implement a bring-your-own-device (BYOD) policy that governs how employees can access company resources from their personal phones and computers, if at all. Some IT teams even implement protocols that detect when a device has been jailbroken or otherwise compromised, and automatically deny access.
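The sketch below is an added example, not code from the original article. It shows how several of the measures listed above (managed-device checks, denial of jailbroken devices, least privilege, MFA and risk-based step-up verification) can combine into a single access decision that is re-evaluated on every request. All roles, permission names, risk signals, weights and thresholds are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All names, roles, weights and thresholds below are constructed for illustration.
ROLE_PERMISSIONS = {                      # least privilege: tiered permissions per role
    "support": {"tickets:read", "tickets:write"},
    "finance": {"tickets:read", "invoices:read", "invoices:write"},
}
TRUSTED_NETWORKS = {"office_wifi_encrypted", "vpn"}
RISK_WEIGHTS = {"new_country": 40, "impossible_travel": 60, "unusual_hour": 15}
STEP_UP_THRESHOLD = 40                    # score at which extra verification is prompted


@dataclass
class AccessRequest:
    user: str
    role: str
    permission: str
    network: str
    device_managed: bool                  # NAC: is this a corporate-managed asset?
    device_compromised: bool              # posture check: jailbroken or tampered
    mfa_passed: bool
    risk_signals: tuple = ()              # behaviour flags raised for this session
    step_up_passed: bool = False          # user already answered an extra prompt


def risk_score(req: AccessRequest) -> int:
    """Sum the weights of observed signals; unknown signals count as 10."""
    return sum(RISK_WEIGHTS.get(s, 10) for s in req.risk_signals)


def decide(req: AccessRequest) -> tuple:
    """Re-evaluated on every request: returns (decision, reason)."""
    if req.device_compromised:
        return ("deny", "device is jailbroken or compromised")
    if not req.device_managed:
        return ("deny", "device is not corporate-managed")
    if req.network not in TRUSTED_NETWORKS:
        return ("deny", "not on encrypted office Wi-Fi or VPN")
    if req.permission not in ROLE_PERMISSIONS.get(req.role, set()):
        return ("deny", "permission not granted to role")
    if not req.mfa_passed:
        return ("step_up", "MFA required")
    if risk_score(req) >= STEP_UP_THRESHOLD and not req.step_up_passed:
        return ("step_up", "risky behaviour, additional verification required")
    return ("allow", "all checks passed")


if __name__ == "__main__":
    # Constructed request: valid user and device, but a login from a new country.
    req = AccessRequest("alice", "finance", "invoices:read", "vpn",
                        True, False, True, ("new_country",))
    print(decide(req))
```

The order of the checks matters: device and network conditions are hard denials that no amount of user verification can override, while MFA and risk findings only prompt for more proof.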
The Human Side of Cybersecurity for a Hybrid Workforce
The weakest link in any cybersecurity chain is the workers themselves. In recent years, various social engineering attacks have emerged to dupe employees into accidentally compromising their employer. Phishing is one of the most common tactics, baiting users into clicking on a malicious link or downloading an infected attachment from a spam email or website – one that seems legitimate at first glance. A more sophisticated version of this tactic is spearphishing – electronic messages that appear to originate from a senior manager or executive and that target a specific employee who has high-level access. The messages attempt to convince the target to send data or money to bad actors, in the belief that they are carrying out valid instructions. By contrast, sometimes the risk is as simple as leaving a malware-infected USB key lying somewhere conspicuous in the hopes that an employee will find it and plug it in, unwittingly compromising their computer.
With hybrid work on the rise, and the consequent blurring of work-life boundaries, the devices used by employees to accomplish their daily tasks have also become interchangeable. IT staff report that more employees use their work computer for personal reasons, increasing the risk that lax personal browsing habits will expose their employer to cyber threats.
All of which has made the mandate of the cybersecurity function more challenging and stressful, at a time when it is garnering more attention from corporate boards. As many as 500,000 cybersecurity jobs in the US alone are vacant. On average, 75% of IT professionals feel burned out and 65% actively consider quitting. Too often, they cite pressure to skimp on security in the name of worker productivity as one of the leading stressors.
Create a Culture of Cybersecurity for Hybrid Workers
The key ingredient to creating a successful and cyber-secure hybrid workforce is culture. Rather than pit workers and managers against IT staff in a security vs. productivity tug-of-war, invest in training to build awareness of cyber threats among all employees to make them proactive security partners. Clarify what risks exist, what the consequences of a breach are, and why certain measures were put in place.
Training is especially important to help staff identify social engineering attacks before falling victim to them, and to make all employees responsible for their online behavior and conduct – both in the office and remotely.
To solidify this culture of collaborative cybersecurity, IT managers should work with staff to understand their ideal workflows and strike the best possible balance between safety and productivity.
The Cyber-Secure Path Forward for Hybrid Workers
Hybrid work isn’t just inevitable; it’s here to stay, and for good reason. It offers many advantages to companies and employees, not least of which is improved morale. However, the same digital tools that make it easier to work remotely also present a cybersecurity risk. Reducing that risk requires investment in good cybersecurity protocols that adequately address cyber threats while accommodating the human needs of IT personnel and everyday staff.
Companies that proactively make these investments are those best positioned to thrive in the future. They will benefit from a nimble, empowered workforce that lives cybersecurity best practices while enjoying the convenience and flexibility of hybrid work. Investing in a culture of cybersecurity creates the foundation for a safe and productive hybrid work environment that supports high performance and sets workers up for long-term success.