October 7, 2022
Work from home was adopted by organizations worldwide as a crisis measure to muddle through the immediate effects of the COVID-19 emergency. Today, we can confidently say it grew to be much more than this. As executives and workers discovered that a well-managed Zoom call can be as productive as a meeting in a board room (and more cost-efficient as well), remote and hybrid work became a system in and of itself, with human and technological interdependencies and nuances.
Now is an opportune moment for global enterprises to consider and shape their long-term hybrid policy, refining the way they operate, the goals, and the human, technology, and security aspects of the transition. In short, here are the main points to consider if you plan to transition your employees to remote work in the near future:
- A technology stack that you will need to purchase or develop yourself to keep your system running smoothly and your employees productive;
- The security policies, practices, and processes that must be implemented to secure your enterprise’s "crown jewels” - people, data, and financial assets;
- The rules and norms you will apply to preserve and enrich company culture, values, and team spirit.
When it comes to technology stack and cultural aspects, there is no one-size-fits-all solution: they can be shaped and changed without strict rules or restrictions. But when it comes to security policies and architectural improvements to help protect your organization from ever-evolving cyber threats, things get much more precise, keeping wiggle room to a minimum.
What are the Main Concerns?
As companies went remote, criminals have sought to take advantage of the chaos caused by the pandemic itself and the expanded attack surface with multiple entry points to corporate networks. Studies show that attackers can penetrate 93% of an organization's networks, with 82% of ransomware attacks on enterprises using lateral movement techniques. Simply put, attackers are looking for the easiest entry point into a company's network, which often becomes an IoT device in a remote worker's home. Once a single device is compromised, such as a smartphone, smart TV, or security camera, attackers can island-hop their way to corporate assets. Lateral attacks are particularly dangerous and difficult to intercept because they can often look like normal network traffic and not raise any suspicion until it's too late.
The fact that SOC staff has virtually zero visibility of employees’ remote networks and IoT devices connected to them, is forcing security teams to engineer an approach to enterprise security that goes beyond traditional endpoint protection tools.
Let's Get Down to Details
So what can the modern enterprise do to ensure a smooth transition to remote or hybrid work without sacrificing security. One thing is for sure, we're not talking about one magical API-integrated product that can solve all your problems. Protecting remote workers requires a holistic approach.
The good news is that there are some pretty straightforward steps that businesses and employees can take almost immediately to protect themselves from today's hacking schemes:
- Require the use and periodic renewal of unique and secure passwords;
- Implement MFA (Multi-Factor Authentication);
- Make sure corporate devices are fully patched and have all the latest software updates installed;
- Invest in an efficient and simplified security architecture that secures both endpoints and the network.
Simply using a VPN to provide a secure connection between remote workers and the corporate network is not enough (after all, a VPN is what made the Colonial Pipeline attack possible). To ensure a smooth transition from the office to the remote environment, corporate network security policies and controls should be extended to untrusted networks through the use of mobile hardware access points with edge computing capabilities. This is not to say that your defense-in-depth should evolve into a defense-ad-nauseam approach: it's not about the number of solutions you integrate to protect your remote workforce, but rather their quality and adaptability to your specific needs. No matter which solution you choose to secure your remote network perimeter, make sure it has all three:
- Private network segmentation,
- Prevention of connections via unknown devices,
- And connection inspection via IP, DNS, or deep packet inspection.
According to Verizon's 2022 Data Breach Investigation Report, 82% of breaches involved human element, while 18% of breaches came directly from employee error. For this reason, it is important to conduct an assessment of cyber hygiene skills and, if necessary, integrate employee training into the transition process. Whether they work in the office or remotely, all your employees need to know and have the necessary skills to manage:
- Multi-factor authentication;
- Latest software updates installation;
- Social engineering schemes recognition;
- Sensitive data protection.
Deciding whether to adopt a remote work policy, and if so, how to do it effectively, is complex and requires a strategic approach. With proper multi-dimensional planning in place, organizations can transition their employees to remote work smoothly and safely. Assess the benefits of this transition, along with the downsides and risks, to create your own optimal workplace of the future.