The “normal” workplace has changed and the hybrid work environment is here to stay. A 2021 Microsoft survey showed that 73% of employees want flexible remote work options, while 67% want more in-person time with their teams. Employees are looking for the flexibility to work remotely and be in person as needed, the definition of the hybrid workplace. If you are like many business leaders around the country, a hybrid work model seems like the most fitting solution to adapt to the changing times and to help attract and retain hard to find employees. The potential cost savings on office space paired with the flexibility your team members are craving seem like valid perks, but what about the bad habits your team may have picked up during remote working? Are your team members posing serious security risks to your organization?
According to Tessian’s Back to Work Security Behaviors report, over a third (36%) of employees picked up bad cybersecurity behaviors while working from home and found cybersecurity “workarounds.” Nearly a third of employees (30%) also believe they can get away with riskier security behaviors when working remotely, with two in five (39%) admitting the cybersecurity behaviors they practice while working from home are different to the behaviors practiced in the office.
3 Tech Tips for a Secure Hybrid Work Environment
So how do you keep your team secure while adapting to the changing times? Here are 3 tips for a secure hybrid work environment.
The hybrid work model brings access and control questions. At any point, you could simultaneously have employees working from your office, their home, or any remote spot with an internet connection. They are not constrained by a location, which is great for morale but complicates IT access. From an administrative perspective, it’s key to use a combination of training and access controls.
The first line of defense involves strengthening password requirements and mandating credential changes frequently. We recommend requiring passwords to be changed every 60 days. We also recommend requiring the use of a password management tool and implementing multifactor authentication to access every application, all corporate data and every communication system. These measures make it harder for hackers to leverage stolen credentials, which often result in phishing schemes or ransomware problems.
Access controls should also be given based on roles. Do not give “all-access” by default, but instead review job roles and assign based on necessary access. Should the digital marketing agency or marketing manager have access to the company’s financial records? Does the administrative team need to review proprietary development information? Matching access to roles reduces exposure points, especially for remote workers that might go outside of approved methods to pull corporate content.
Stop Shadow IT
As an organization, you have invested heavily in tools and technology to increase efficiency within your organization. However, in a quick move to remote work, many employees may have developed their own ‘workaround’ methods to remain efficient. Using WhatsApp to chat with employees, or starting their own Google Docs account to collaborate with vendors – sound familiar? These programs are likely falling outside of the IT team’s approved list of programs and actions. They are engaging in “shadow IT”, the use of unauthorized software and hardware tools that can expose network vulnerability.
With a remote workforce, there’s much less IT visibility into an employee’s actions. The worker might use a secure corporate connection to access files, but then talk to a fellow employee through Instagram instead of the approved chat tool. Organizations need policies and controls in place that monitor and restrict certain activities. Making the approved list of software and hardware tools accessible to everyone is key followed by education on the risks associated with “shadow IT”.
Your quarterly training plan needs to include simulated phishing attempts and education on how to spot malicious email attacks. The hybrid work environment model also needs to include training around BYOD (Bring Your Own Devices) policies. Can your employees set up their personal laptops at home and remote into your network? How do personal cell phones interact with the company network and email? Does everyone need corporate-provided devices? Training should also cover the usage of thumb drives, what to do if a device is lost or stolen, the dangers of unsecured Wi-Fi, and other similar topics.
The pandemic accelerated the hybrid work model and along with it, security concerns. As organizations continue to adapt and transition, it is critical to fortify remote employee security. Consult your IT team today to see what initiatives you have in place to combat the risks a hybrid working model can present.