Unless you’ve been living on the moon, you will have noticed that increasingly more employees are working remotely as a consequence of the ongoing pandemic. And, while many of those employees will likely return to the office in the wake of the crisis, a large number of them will probably continue as they are.
According to Microsoft’s 2021 Work Trend Index, “over 70 percent of workers want flexible remote work options to continue”, and “66 percent of business decision-makers are considering redesigning physical spaces to better accommodate hybrid work environments”.
Learn all about ransomware and the buying and selling of stolen data in our executive's guide to malware
This is all very well and good, however, this shift towards a hybrid workplace comes with a plethora of security challenges, which few companies are fully prepared for.
To start with, traditional perimeter security solutions, such as firewalls and intrusion prevention systems have become far less relevant than what they once were. After all, your employees may be accessing the company network from an unsecured location – perhaps via a public Wi-Fi hotspot, which is susceptible to ‘eavesdropping attacks’. And, when employees are connecting to your network using their personal devices, it’s entirely possible that their device has already been infected with some kind of malware.
To make matters worse, there are still many companies that don’t yet have a formalized remote access policy in place. In order to ensure that your company is able to protect your critical systems and assets in a hybrid working environment, there are 5 key areas that need to be considered.
1. Security Awareness Training
Many employees are simply unaware of the security best practices that are required to support a remote working environment. As such, security awareness training should be a top priority. You must start off by developing a clear set of policies that cover a wide range of areas, including password hygiene, social engineering, and remote access procedures, to name a few.
All employees must be made aware of their responsibilities when it comes to protecting client confidentiality and complying with the relevant data privacy laws. Naturally, your security awareness training program should reflect those policies, and training will need to be ongoing in order to create a culture of security.
The use of encryption to prevent data loss is a very effective, yet often overlooked area of data security. All sensitive data should be encrypted, both at rest and in transit. While most popular cloud service providers offer their own client-side encryption tools, a more secure option would be to encrypt the data with your own keys before uploading the data to the cloud.
Alternatively, you can use a third-party encryption service to manage the keys for you, thus preventing the cloud provider’s employees from gaining access to the keys, and thus your critical assets.
3. Remote Wiping and Device Management Software
Remote wiping software enables administrators to remotely delete and destroy data on a device or system. For example, if a mobile device containing sensitive data is lost or stolen, the administrator must do what they can to ensure that the data doesn’t fall into the hands of an adversary, or anyone for that matter. Of course, the software would need to be installed on a company-issued device as opposed to an employee’s personal device, as that would be considered an infringement on their privacy. A mobile device management (MDM) solution will provide remote wiping functionality, as well as a number of other features, such as:
- Device inventory and tracking;
- Remote software installation and updates;
- Application whitelisting/blacklisting;
- Password enforcement;
- Data encryption.
4. Securing Data in the Cloud
Cloud service providers have significantly improved their security standards in recent years, and, as a result, increasingly more businesses are feeling comfortable storing their sensitive data in a cloud repository. Most popular cloud providers also provide end-users with a wealth of features to help them secure their sensitive data. However, it should be noted that despite these improvements, protecting sensitive data in the cloud is still ultimately the responsibility of the end-user. You must ensure that all unstructured data is accounted for and monitored for suspicious activity. Given that cloud-based accounts are essentially exposed to the public internet, you must have a strong password policy in place, or better yet, use multi-factor authentication to prevent unauthorized access. As mentioned previously, all sensitive data stored in the cloud should be encrypted, both at rest and in transit.
5. Least Privilege Access and Zero-Trust
The ‘principle of least privilege’ (PoLP) is an access methodology whereby users are granted the minimum level of access rights necessary to perform their role. In some cases, an employee may need access to sensitive data for a limited period of time, and thus a formal procedure for granting/revoking temporary access is required. Larger companies may also want to consider adopting a Zero-trust security model, which is based on the premise that no user or device should be trusted. This means they will be required to authenticate each time they need to access critical systems or data – not just when they sign in to their account. PoLP and Zero-trust apply to any users, applications, services, and devices that need access to critical network resources.
Keeping sensitive data secure in a hybrid workplace requires a multi-pronged approach. As a general rule of thumb, you should only allow company-issued devices to connect to your network, and those devices should not be used by anyone other than the designated members of staff. All patches/updates should be installed in a timely manner, and employees must be prevented from installing unapproved software on their devices. However, the most important thing to remember when it comes to protecting sensitive data is that visibility is key!
You must ensure that you know exactly what data you store, where it is located and who has access to it. The administrator must have access to an immutable and easy-to-read log of events concerning your critical assets. They should receive real-time alerts any time-sensitive data is accessed, shared, moved, modified, or removed.