2 min read

Hybrid Work Force Security

Stephanie Goetz : May 14, 2021

Risk VPN Remote Access
Hybrid Work Force Security

Hybrid-Work-Force-Security

There’s yet another debate growing post-COVID. It’s not vaccinations, masks, or whether it’s safe to eat at a restaurant, it’s when and how much workers will return to the office. In considering the impacts of this change, most executives are concerned about employee engagement, productivity, and culture, but should they also be concerned about security?

  1. What is a hybrid work model? The hybrid work model is a mix of working remotely and in the office in a typical work week. A recent PWC survey noted a disconnect among opinions of executives and employees as to how much time should be spent in the office: executives say three days a week, employees say two days a week. Regardless, according to SHRM, the workforce will most likely return to the office, in some form, during the second quarter of 2021.

  2. Why should executives be concerned about hybrid work security? The COVID pandemic made an abrupt shift to the cloud and opening remote access with little notice. A year ago, many of our clients made rapid movements to remote access, shifts to online banking tools, and introduced mobile devices on an unforeseen scale. When this happens, institutions without a strong cybersecurity culture tend not to manage these risks well or leave them out of the plan altogether. So, now that we are seeing COVID restrictions lifting and remote work a part of the new normal, what accepted security risks are still unremedied?

  3. How should we begin to secure hybrid environments? A few short years ago, I remember sitting in a demonstration for a company’s first Security Information and Event Management (SIEM) tool. It was cutting edge because it had behavior-based rules and could tell you which office this employee was logging in from and whether that was expected to be based on past behavior. That rule would not be useful in a hybrid work environment because it would be difficult to predict from where the employee would be working. Also, we cannot inherently trust that this remote connection is secure. That’s why to secure a hybrid work force, there is movement towards a zero-trust approach, where there is no implicit trust based on location, there must be authentication to be considered trustworthy and access institution resources.

  4. What additional controls should we consider? Think ‘three m’s’: With the mobile devices so much more in the mix, we need to be more cautious about their security. Using a good mobile device management (MDM) solution with the ability to ensure the devices are properly patched, virus and malware-free, and monitored for suspicious activity is more important than ever. Moving to managed detection and response services (MDR) where there is enhanced visibility and logging of the endpoint device’s movements, plus behavior-based anti-virus are starting to become key discussion points as well. Finally, the most common control we hear being called for in threat reports, is multi-factor authentication (MFA), this is called for in supply chain and ransomware mitigations in addition to account takeovers. Get this not only on your network but cloud/SaaS sites as well.

  5. Don’t forget your most important control- people. We threw a lot of new things at employees in the past year. In these circumstances, confusion, fear, new routines, these are when they are most likely to be tricked into bypassing security best practices and then the unthinkable happens. So, please be sure that employees are getting educated on how to work securely from remote sites, including their homes, and how to secure their mobile devices.

If you are needing help with your hybrid work force security plans, please reach out to us at support@bedelsecurity.com.

 

Resources:

https://www.shrm.org/hr-today/news/hr-news/pages/hybrid-work-model-likely-to-be-new-norm-in-2021.aspx

https://www.securitymagazine.com/articles/94952-security-implications-of-a-hybrid-workplace

 

Additional Resources

Remote Employee Access
https://www.bedelsecurity.com/blog/remote-employee-access

Remote Access Risk Assessment
https://www.bedelsecurity.com/lp-remoteriskassessment

Remote Work Security
https://www.bedelsecurity.com/blog/remote-work-security

Do you need a separate penetration test for remote access?
https://www.bedelsecurity.com/blog/do-you-need-a-separate-penetration-test-for-remote-access

Surviving the post-pandemic landscape: 12 Technologies That Every Community Financial Institution Should Be Thinking About
https://www.bedelsecurity.com/lp-surviving-the-post-pandemic-landscape
Remote Work Flexibility is Here to Stay

Remote Work Flexibility is Here to Stay

Vance Monical : May 13, 2022

It’s been a long and crazy two years since Covid showed up and changed the world. Yes, a lot of things are different now, but I’d like to take a few...

Risk Information Security Program Controls VPN Remote Access CISO Services vCISO Virtual CISO Outsourced CISO MFA Banks Credit Unions
Read More
What You Need to Know About TrickBot

What You Need to Know About TrickBot

Brian Petzold : Mar 15, 2019

Risk Threats Training
Read More
Extending Security Controls Beyond the Office

Extending Security Controls Beyond the Office

Vance Monical : Dec 3, 2021

Over the past several years, organizations have allocated considerable resources to protect their Information Technology environment. Historically,...

Threats Vulnerability and Patch Management CISO Information Security Program VPN Remote Access Cloud Access CISO Services Virtual CISO Outsourced CISO Banks
Read More