Why it’s time to evolve your cybersecurity strategy in the new era of hybrid work

(Image credit: Shutterstock)

It wasn’t that long ago that most of us used to work in an office. Fifteen months into the global Covid pandemic and it’s now certain that the future will not be a full return to the office or a continuation of the present remote working experience – it will be both. According to new data, the majority (77 percent) of UK employees would prefer hybrid working as the best way forward post Covid-19. 

This new workplace reality will feature a hybrid workforce containing a mix of employees who work remotely, and those who work from an office or other central location. If workers feel they will be more productive in one location versus another, they can choose to work from that environment – or opt to work in a combination of the two.

Security now needs to evolve beyond the enterprise perimeter and endpoint protection to encompass the securing of all forms of communication among users, devices, apps and web destinations.

It's time to address the home-office hybrid security challenge

The shift to permanent and highly flexible remote or hybrid work scenarios means organizations must build on important lessons learned in the months since the Covid crisis first hit. Today’s enterprises need to be able to support work from anywhere, all of the time, by everyone.

That means overhauling any temporary fixes initiated on the fly to enable remote working at scale a year or so ago. Last year’s rapid shift to distributed workforce models proved all too tempting an opportunity for cybercriminals to miss out on. Cyber incidents and data breaches soared in 2020 with credential theft and social attacks such as phishing and business email compromises proving to be the top causes of over 67 percent of all breaches.

If businesses want to get serious about reaping the benefits of new flexible working arrangements, they will need to think seriously about the hybrid workforce and the key networking and security requirements needed to enable and underpin it for the long term.

It’s time to reconsider the VPN 

Before the pandemic, when only around 10-15 percent of employees were remote, users and IT teams could tolerate the performance and productivity challenges associated with using VPNs to access internal apps and resources.

Hybrid work, however, means working seamlessly between the office and remote locations. A capability that is lacking in traditional access tools such as VPNs, which slow productivity and impact performance while creating security issues by giving workers access to everything on the network without any policy or data controls or threat protection built-in.

The reality is that the VPN is an access tool – not a security tool. Invented in the mid-1990s, VPNs weren’t designed for today’s cloud enterprise work environments. As a result, they don’t provide the contextual policy control, data controls or threat protection today’s mobile-savvy workers need when working across a myriad of apps, devices and locations. But that’s not the only security challenge that today’s organizations need to be mindful of.

The BYOD device

Unsurprisingly, the events of last year led to a massive surge in the number of unmanaged personal devices remotely connecting to work-related resources as people strived to stay productive in the face of stay-at-home government mandates. 

As a consequence, organizations found they were ill-equipped to deal with the uptick of security threats -such as malware and data theft – that were introduced by the workforce’s growing use of personal mobile devices for work-based tasks.

Recent research highlights just how many organizations are still not paying enough attention to securing unmanaged personal devices against malware and data theft. Nearly half (49 percent) of organizations admit to having no visibility of whether the BYOD devices their workers use have downloaded malware in the past 12 months. Meanwhile, 41 percent report relying on endpoint malware protection for BYOD – an approach that is not ideal for personal devices which are hard to control and manage – while over a quarter (30 percent) don’t protect against malware for BYOD in any form at all.

As enterprises prepare to make the transition to permanent remote work or hybrid work models, connecting more devices to corporate networks will serve only to further expand the attack surface available to cybercriminals. 

It’s difficult to argue against the fact that the use of personal devices has helped businesses to improve employee productivity and satisfaction, while also reducing costs, in what have been truly challenging times. But addressing the very real security issues associated with managing device access and mobile security continues to be a Cinderella dilemma that is not getting the attention it deserves.

Rethinking security for real-world work realities 

People being people, employees will often take shortcuts or engage in risky behaviors that create major internal security challenges and vulnerabilities in a bid to get things done fast. Whether that’s reusing passwords, using public WiFi, installing shadow software on devices, or unthinkingly clicking on a phishing link.

The BYOD trend alongside the growth in software applications, cloud services and storage accessible from nearly anywhere means that IT teams need to get to grips fast with new security approaches that make it easier to control files, data and information – including being able to remotely wipe company data from a BYOD device - without touching an employee’s personal data.

In other words, what’s needed is an adaptive and modular approach that delivers real-time visibility and control to protect data across all types of applications – web, private and on-premises apps. The good news is that today’s advanced cloud security solutions are ideally suited to BYOD scenarios. They also offer a way to achieve all this and deliver a truly frictionless user experience that doesn’t involve employees having to jump through multiple authentication processes in order to undertake their daily work tasks.

To truly secure the remote and hybrid workforce, organizations should be looking to take advantage of options like zero-trust network access (ZTNA) to manage access to their private or on-premises applications. They should also consider utilizing a multi-mode cloud access security broker (CASB) solution that will both deliver all types of cloud and web security on-device to protect user privacy – and eliminate the performance bottlenecks that create frustrations for users and hamper their productivity.

By deploying cloud-based scalable next-generation security solutions they’ll be able to gain the real-time visibility and control that’s needed to protect their data and users – without any need to resort to VPNs that can stand in the way of achieving a truly secure and efficient digital workplace for users. Wherever and however they may choose to work.

Anurag Kahol, Founder and CTO, Bitglass

Anurag Kahol is CTO at Bitglass. Anurag expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass.