How to implement a secure hybrid workforce

[Image: Woman working on laptop in kitchen (credit: Getty Images)]

Hybrid working is set to become standard practice for most organizations as we slowly begin to emerge from the coronavirus pandemic. According to a May 2021 McKinsey survey, 90% of organizations intend to shift to a hybrid-working model, a combination of onsite and remote working.

About the author

Alan Calder is Founder & Executive Chairman of IT Governance.

To make hybrid work a success, though, organizations must regularly evaluate their cybersecurity and compliance processes. According to a UKG study, 87% of UK employers accelerated their digital transformation project during the pandemic, and 76% said they had used one new technology or app during the crisis.

If an organization has adopted a hybrid working model, or is at least thinking about it, it must acknowledge the challenges that remote working brings. A new approach to work requires careful consideration – and one of an organization's biggest concerns should be its security and compliance postures.

Address technical vulnerabilities

A hybrid working model creates new security risks for organizations, and one of the main reasons is that data is frequently transferred between remote and office-based employees. This is likely to occur over a cloud server, which may offer additional protection for an organization, but isn’t impermeable to cyber attacks. There have been several phishing campaigns throughout the pandemic in which scammers have replicated automated notifications of file shares to capture people’s login credentials.

The cloud service provider itself may also be vulnerable to attacks – as we saw with the ransomware attack on Kaseya. However, there are steps businesses can take to protect their compliance posture in the face of a third-party breach – these typically relate to contractual agreements with the supplier regarding their commitment to cyber security. With the right protocols in place, an organization can avoid liability in the event of a data breach, but it’s important to remember that it’s all but impossible to completely eradicate the risk of a security incident occurring.

In a fully office-based set-up, all employees’ computers run through the same network. Remote employees will each connect to systems using individual networks. This means an organization will have dozens, hundreds, potentially even thousands, of additional endpoints – all of which are vulnerable to an attack. Ultimately, organizations are responsible for implementing appropriate technical controls to prevent data breaches, which means all employees must be issued with work devices.

This is the only way an organization can ensure that the appropriate tools, such as antivirus software, are deployed. It also enables IT teams to monitor the traffic of that device without infringing the employee’s privacy – something that wouldn’t be possible if they were using their personal device.

Avoid elevating employee privileges

It can be tempting to elevate a remote working employee’s privileges so they can quickly address the issues themselves, as opposed to waiting for the IT department to resolve the technicalities. However, this creates significant vulnerabilities and must be avoided wherever possible.

The issue with elevating privileges is that employees may be given the ability not only to resolve a specific issue, but to perform actions that should only be possible for those with admin rights. These admin rights must be assigned on a need-to-know basis, because it’s vital to ensure as few employees as possible have the power to make major changes. Otherwise, there is a risk that a disgruntled employee may act maliciously to compromise systems or steal sensitive data.

Instead, organizations should use a remote desktop service. This hands control to a member of the organization's incident response or IT team. Although it will still cause delays when fixing IT issues, it’s a much safer option and mitigates the risk of a breach occurring.

Protect employees’ privacy

A hybrid work model immediately creates a divide between employees who are in the office and those who are working remotely. One of the biggest challenges can be the methods by which an organization monitors remote working activities.

Organizations may take a softer approach with office-based employees, as it’s easy to see how they spend their days. For remote employees, an organization either has to trust that they’re getting on with work or install software to keep track of them.

The way an organization monitors employees will differ depending on its industry and its employees’ locations. Monitoring software comes with obvious privacy issues, but the GDPR (General Data Protection Regulation) doesn’t prohibit its use. If an organization has a lawful reason to monitor employees and is able to document that reason, it is perfectly justified in keeping an eye on their activities.

However, the challenge is being able to monitor remote employees whilst they work without compromising their privacy – organizations need to ensure that they can separate the monitoring of business and personal activities. This means organizations should ensure that the monitoring is as unobtrusive as possible, that employees are aware of the monitoring, that there is clear documentation in place to prove the monitoring is lawfully applicable, and that these practices are regularly reviewed.

If an organization is not confident that it can monitor remote employees without jeopardizing their privacy, employees will need to work permanently from the office.

Create a new incident response plan

Before the pandemic, an organization's incident response plan most likely assumed that most, if not all, employees would be working on the premises. This is no longer the case in a hybrid work model, and the incident response plan must be updated to account for it.

The most significant challenge an organization may need to deal with is how reliant it is on technology to contact remote staff. If the IT infrastructure is attacked and compromised during a disruption, organizations will need to find an alternative way of contacting remote staff. To add to this complexity, an updated incident response plan for a hybrid work environment isn’t just a case of deciding what remote workers should do in the event of an incident. The plan may differ dramatically depending on the day, the week, and whether particular members of staff are hotdesking on that day, which will likely result in a much more complex plan.

The success of an incident response plan also hinges on how well employees execute it. This includes not only the people responsible for creating and executing the plan, but everyone in the organization. This means it’s crucial for organizations to ensure all employees are aware of the plan, explain why it’s in place, and provide the necessary training that allows them to follow it.

Look at alternative solutions

Organizations that are yet to fully consider the security practicalities of mixing onsite and remote working, or those that are struggling to address all of its various challenges, should also consider deploying Cybersecurity-as-a-Service or Privacy-as-a-Service solutions.

These solutions are usually a cost-effective way to avoid the expense of recruiting additional staff, and mean that a remote team of consultants, legal experts and incident responders can become a 24x7x365 extension of an organization's in-house IT department. These solutions are particularly beneficial for SMEs that may not be able to afford a comprehensive IT department or commit the time to implementing a secure hybrid workforce. They ensure organizations of all sizes are, and continue to remain, cyber secure and compliant – in the office, at home, wherever in the world they work.

Alan Calder

Alan Calder is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. Alan founded IT Governance in 2002. Since then, the company has grown to become a global provider of comprehensive solutions and a recognised authority on ISO 27001 certification and GDPR compliance. He has written more than 20 books on cyber security, most recently revising Nine Steps to Success: An ISO 27001 Implementation Overview as well as tackling the GDPR with EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide and EU GDPR: A Pocket Guide. Alan’s work draws on his experience leading the world’s first successful implementation of BS 7799 (now ISO 27001), and is also the basis for the UK Open University’s postgraduate course on information security.