Post-Pandemic Hybrid Office Models Bring New Security Concerns

July 22, 2021
Michael Solomon

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.

The coronavirus dramatically changed the business landscape in 2020. During the global shutdowns, there was no such thing as “business as usual.” Businesses of all sizes and across all domains had to figure out how to continue operations with at least some remote workers — and they had to do it virtually overnight.

As 2021 reaches its halfway point, many businesses are transitioning back toward more on-premises operations, but some analysts believe that a hybrid workforce will be the new normal. In a hybrid model, the workforce is made up of both on-premises and remote workers, with many of those workers splitting time between home and the office.

According to an Upwork study, the number of remote workers in the next five years is expected to be nearly double what it was before COVID-19. It turns out that many workers like working remotely. Despite the abrupt transition caused by global shutdowns, many employees prefer the freedom and flexibility that come with a remote work lifestyle. And TechRepublic reports that many businesses agree that remote workers can be productive and happy.

Many of the challenges that businesses encountered through 2020 while supporting a remote workforce were tolerable due to their expected short duration. However, as companies are exploring a mix of remote and on-premises work, the prospect of a long-term hybrid model offers new security challenges that businesses must face.

Hybrid workplaces are the new normal

According to a Tessian study, 75% of IT decision makers surveyed believe that a remote or hybrid workplace model is the future of business operations. The advantages of a hybrid workforce are hard to ignore.

With at least some of the workforce working from home, businesses can reduce overhead costs and perhaps even release high-rent office space. Any remaining traditional office space can be better utilized through sharing among workers who spend some days in the office and some days at home. Worker morale is also higher in many cases due to several benefits, including infrequent commutes, more flexibility to handle personal tasks, and less overall stress.

With all the advantages, one may wonder whether a completely remote model could be the answer for a happy workforce. Some companies thrive with everyone working entirely remotely, but in most cases, a hybrid model is more effective. Workers who only interact remotely miss out on the critical in-person interaction that is foundational to long-term relationships. While separation may be tolerable for a few months, ongoing remote work could lead to feelings of isolation and exclusion from important communication and decisions. Consequently, the more traditional companies that adopted remote practices last year as a matter of survival are now moving back toward more on-premises work.

However, the trend toward moving back to the office does not mark the end of remote work. In fact, the realization that remote work is possible opens new opportunities for even the most traditional companies. Initial surveys of strategic direction seem to indicate a desire to find a “happy medium” between remote and on-premises workers. The hybrid model appears to be that balance. A hybrid model provides many of the benefits that workers appreciate when working remotely, while also cultivating some in-person communication.

Long-term hybrid workplaces pose security challenges

Hybrid workplace models are not without challenges, though. Some chief information security officers (CISOs) express concern over the long-term security obstacles with a hybrid model. A recent Nasdaq article provided an overview of Proofpoint’s 2021 Voice of the CISO report, in which two-thirds of CISOs surveyed said they believe that their organizations are not prepared for a substantial cyberattack. The report also finds a growing concern over human-related vulnerabilities and the challenges remote work poses.

One reason CISOs are concerned is the manner and speed with which businesses switched to a remote workforce. When the virus hit in early 2020, most companies were largely unprepared to support a majority-remote workforce. Many companies supported occasional remote access, but the scale was minuscule compared to supporting all of a business’s workers. The transition to remote was too fast, and it was not planned or organized; it just had to happen. The fact that so many businesses made that transition speaks to the skills and dedication of an untold number of IT professionals who rolled up their sleeves and got it done.

However, they accumulated substantial technical debt in doing so. When expediency mattered most, process and caution took a back seat. As a result, most businesses are not prepared for an ongoing remote or hybrid workforce model.

The IT personnel and infrastructure that support remote workers are nearing their limits. Both must be addressed to avoid interruptions of remote service support. The problem is not that personnel lack ability or that infrastructure is insufficient; the real problem is that as society moves away from the austere restrictions of a shutdown world, vulnerabilities introduced by remote workers continue to rise.

In the traditional pre-COVID world, many businesses depended on perimeter security controls to provide a material layer of protection. With most workers physically within a defined boundary, the few remote workers could be managed easily and vulnerabilities would be limited. However, as the majority of the workforce moved outside the physical safety boundary, the workload for security personnel and demands on security controls increased substantially. Ongoing support of many remote workers will require that businesses rethink their remote workforce policies and build a security structure that reduces their attack surface.

Businesses are seeing a rising number of cyberattacks, especially on remote workers. Remote workers are attractive targets for cybercriminals due to a range of factors. Remote workers may use their own hardware and software, which is all too often not hardened and not patched with the latest security updates. Home network connections and local networks are often softer than a business’s internal hardened networks. Further, isolated workers can be more susceptible to social engineering attacks than on-premises workers. When all communication is with remote participants, it can be easier for cybercriminals to appear authentic than it would be in a traditional office.

These concerns are not simply unfounded fears. According to Security magazine, cyberattacks on cloud services, virtual private network (VPN) exploitations and brute-force attacks were all on the rise last year. Humans have become more important than ever in protecting IT resources. To secure valuable data, securing remote workers must be a priority.

Securing a hybrid environment requires a new approach

Ensuring a secure environment in the face of a hybrid workforce will require changing focus. Instead of deploying most controls to protect humans, a more effective approach is to engage humans in the security process. The more a business involves its remote workforce in the process of security, the more secure that workforce will become. That mainly means a more aggressive security awareness program, stronger identification and authentication, and more granular endpoint security.

A great place to start is by sharpening your personnel’s security awareness and skills. Security training companies like KnowBe4 can provide effective security awareness training and assessment programs. Or you can start with your own efforts that use free resources.

Look at these resources to get started:

  • Social engineering cheat sheet: A resource from TechRepublic that includes definitions for and real examples of social engineering attacks, along with how to avoid them. This cheat sheet could be a first step in educating your personnel on the dangers that cybercriminals pose.
  • National Privacy Test: This test from NordVPN tests an individual’s security and privacy IQ. This test can help an organization determine how much security awareness their personnel really need.
  • Google phishing quiz: This resource from Google challenges individuals to recognize clever phishing attacks and helps personnel avoid becoming victims of this popular attack.

Looking beyond remote workers, businesses also will need to strengthen their infrastructure to provide ongoing security and functionality for a hybrid workforce. In-place controls may have worked so far, but the likelihood of threats against remote workers being realized increases with each passing day.

Some of the strategies that need review for a hybrid workplace include:

This is only a starting list. There are many more aspects of creating a secure environment for an ongoing hybrid workforce. But there is good news: The same CISO report in which concerns emerged contained evidence that most CISOs felt that their organizations acknowledge today’s security challenges and are committed to funding necessary security efforts.

A hybrid workforce may not be easy to protect, but doing so will make the overall organization more secure and effective.
