While hybrid work models offer employees an increased level of flexibility, autonomy and freedom, the trend also gives malicious actors more opportunities to carry out cyberattacks. Three out of four businesses blame the recent surge in cyberattacks on vulnerabilities in their remote/hybrid work environment.
In this hybrid environment, organizations must reassess their security configurations, re-train employees on best practices, and reinstate a higher level of cybersecurity hygiene. These fundamentals ensure your employees get the most out of hybrid work environments without putting your network, your data and your organization at risk.
Hybrid Vulnerabilities
Cybersecurity complaints to the FBI nearly quadrupled during the pandemic as high-profile attacks wreaked havoc on everything from critical infrastructure to healthcare to big tech. Attacks have only gained steam as a large segment of the workforce moves ahead with hybrid work models. Eight in 10 remote-capable employees (those offered the option to work away from the office) currently work fully remotely or on hybrid schedules. The expansion of hybrid models opens more entry points for cybercriminals who can exploit out-of-office technology vulnerabilities, whether they are weak passwords, unsecured personal networks or employees using personal devices to access sensitive company data.
But the most vulnerable part of your organization is not technology—it is people. In fact, human error accounts for 95% of all cybersecurity attacks—and remote employees are perfect targets for nefarious hackers looking to capitalize on unsuspecting victims.
In the office, employees can simply check with the person across the desk if an email looks suspicious. Likewise, security teams can set up in-office restrictions for which devices and users can access specific company information or websites. But at home, beyond the safety of on-site IT infrastructure and staff, employees are more likely to click on unsafe links, download unknown information, or fall victim to social engineering attacks (such as business email compromise schemes or phishing).
For instance, phishing attacks—in which a fraudster sends an email or message designed to trick a person into divulging sensitive personal or company information— more than doubled during the pandemic. Some attackers go so far as to scrape public information from the internet to craft highly personalized and deceiving messages to targets. Left to their own devices, remote employees are highly vulnerable to these evolving cyberthreats.
Cybersecurity Hygiene in Practice
Cybersecurity is an organization-wide effort, and clear, consistent cybersecurity measures are vital for employees working across various locations. As you review your current cybersecurity practices, consider the following tips to keep your employees, partners and organization safe in the hybrid environment.
1. Practice good cybersecurity hygiene, always.
Hybrid work has necessitated innovative office arrangements, better technology tools and new policies to ensure a level playing field for all employees whether they travel to the office or not. But one thing has not changed: the importance of basic cybersecurity hygiene as one of the most effective practices your organization can take to fend off potential attacks before they happen.
A good place to start is the Center for Internet Security (CIS), which sets security benchmarks for all operating systems. The following measures should be standard throughout your organization:
- Keep inventory of devices and installed software
- Routinely patch and update defenses
- Devise real passwords
- Back up data and regularly test backups
- Use multi-factor authentication
Despite the proven effectiveness of these defenses, organizations often neglect these routine security measures that can stop a preventable threat from turning into a damaging attack. A Microsoft study found less than 20% of businesses use strong authentication across their organization.
2. Set security parameters for work devices.
Flexibility is great when employees can choose where they want to work from. But the same level of flexibility should not extend to what employees can do on and with their work devices.
When your teams are allowed to customize their devices and reconfigure settings, they are more likely to take risky actions, like turning off the organization’s firewall, downloading unknown software, or leaving their computer unlocked and unattended in a public space.
You should have firm security parameters in place for all work devices and software programs that can only be modified by your IT department, not individual users. Your employees should also be clear on these company-wide standards and aware of the importance of this initiative to your business. While such guidelines may be a nuisance for employees at first, they ensure security protocols are upheld across your organization, sparing your security team from headaches in the long run.
3. Educate employees on cyberthreats, then test them.
While individual employees may be your biggest security weak spot, they are also your biggest asset. Because your employees are most at risk of being targeted by cybercriminals, they are equally positioned to ward off and alert you to possible attacks if they have the training and resources to minimize digital risks, recognize threats and respond appropriately.
Educate your staff about the dangers of social engineering attacks with frequent training sessions, up-to-date content and periodic tests that simulate phishing campaigns and other attacks. Cybersecurity tests should not be a “gotcha moment” where employees are thrown under the bus for making a mistake but rather a learning experience that underscores the many ways bad actors can trick people and carry out an attack.
Individual employees will not turn into cybersecurity experts overnight. However, the more knowledge and tools employees have at their disposal to take safer actions and practice better digital hygiene on their devices the better, whether they are in the office, at home, or elsewhere. Even if your team just starts with more regularly updating their device software, it is a step in the right direction.
4. Implement security functions at all layers.
One compromised computer or hacked email account should not spell disaster for your entire organization. By bolstering your cybersecurity efforts at every layer of the business, you ensure bad actors struggle to penetrate your company, even if they gain entry into one part of it.
From application-level protection to the configuration of your network servers, your cyber defenses should stack on one another to continually assess and verify every device and user on your network.
One such method is to implement a zero trust model in which an organization assumes that network security is always at risk and that a breach has already happened, requiring every access attempt to be verified every time. Likewise, behavioral biometric verification technology can also help spot malicious actors or automated bots looking to gain entry into your network. By analyzing users' behavior online—how they type, the way they move the mouse, or where they log in from—behavioral biometric verification can detect and identify suspicious behaviors, allowing you to trigger additional security steps as needed.
As our work environment has grown more flexible, it has become more important than ever for organizations to adopt and implement strong, uniform cybersecurity measures. By adhering to basic cybersecurity hygiene and deploying multiple security layers, you can build defenses dependable enough to ensure employees are secure wherever they work and resilient enough to fend off attackers before they can compromise your organization.