How do we protect the hybrid workplace?

• We are heading towards an era of hybrid working, split between the workplace and employees’ remote work stations 
• As cyber threats continue to evolve and grow, McAfee outlines three steps the newly-hybrid organization can take to ensure it’s secure

With lockdowns coming back into force in UK and other countries in Europe, uncertainty still abounds in 2020. But it’s safe to say that many organizations won’t be returning to the rigidity of the physical office for good, even when – or if – the dust begins to finally settle and social distancing becomes less necessary.

Instead, having experienced the viability of remote working first-hand – and the benefits of a wider talent pool, reduced need for physical office space, and employee productivity – the world of desk-based work seems to be on course towards an era of hybrid work, where time is split between a shared workplace and the employee’s own remote working situation.

Businesses are increasingly reliant on cloud services for collaboration and digital resilience, and while the adoption of technology has been a boon in changing the way we work, data is now more spread out than before.

But this easy access to data has also led to an influx of threats. While cybersecurity may have seemed like another budget to cut as the pandemic hit, it is instead more important than ever. Businesses have moved to adapt, but the rapid adoption of IT solutions has also resulted in technology stacks that feel more akin to patchwork quilts – with multiple, fragmented cloud-native applications that are difficult to secure.

Businesses have learned at a rapid pace since the pandemic began, reworking security and device policies, and quickly adapting to the new work practices.

The threat landscape is becoming much more dynamic – a recent McAfee Labs COVID-19 threat report noted that threats targeting cloud services increased by 630%, with attackers using the credentials harvested from phishing campaigns to exploit the anonymous, decentralized nature of cloud applications.

Today, malicious players have shifted their focus away from targeting IT infrastructure – which is usually heavily defended. These malicious players have revised their strategies, which now revolve around exploiting openings of employees – through methods such as phishing.

Here are three things businesses need to do in order to ensure that they are resilient against threats targeting a scattered workforce, and a changing threat landscape:

# 1 | Proactively search for possible avenues of attacks, and address them before they cause harm

As hybrid work looks to stay consistent in the long run, and employees work from different locations, data will move between a greater number of devices. This includes office servers, company devices, and even personal IoT devices such as routers, or even public hotspots, which present a security risk, as malicious players have a larger surface area to attack.

There are also possible backchannels where data may end up, such as the use of shadow IT – solutions or devices that are not approved by companies and are difficult for IT teams to track and manage, let alone ensure the security of.

While cybersecurity policies for devices and data management may seem like a static set of rules, they are not the end-all. As remote work moves from a stopgap measure to becoming the future of work, IT teams must continuously revisit these policies to ensure that their company can stay safe.

Additionally, an often-overlooked angle that can compromise organizations is personal data protection. In order to speed up user experience during the rapid transformation to WFH, organizations are starting to implement hybrid networks that allow users to access cloud SaaS applications directly, without having to connect to corporate VPNs.

However, many organizations are neglecting to address data protection for the cloud SaaS applications that they are rapidly deploying, creating potential future issues with personal data protection legislation, and other liabilities that may arise from lax management of their workforce’s personal data.

# 2 | Adopt a zero-trust approach to hybrid work environments 

Traditional cybersecurity follows the concept of a moat for defense. While any attempts to access data from outside the moat need to be verified, all users inside the moat are assumed to be trusted. However, as cloud technology becomes more and more commonly used, it is difficult for businesses to keep data secure, as it is spread out over multiple areas, and no longer in a single one.

Zero trust security instead assumes the possibilities of attackers inside and outside the moat, and is thus, any attempt to access data needs to be authenticated. By reducing the amount of data each employee can access and keeping information on a need-to-know basis, the likelihood of phishing attacks being successful is lowered.

Likewise, segmenting networks into microsegments, which require separate authentication to access will also ensure that threats are contained within one segment, and will not be able to gain access to data, or affect other segments of the network.

# 3 | Utilize technology to help in the fight against threats

 Today, while IT teams work hard to manage business IT infrastructure, they also need to contend with an ever-growing number of threats. The most dangerous threats are not the ones that have been previously detected, and instead are those which are yet to be discovered. As technology becomes integral to business, prevention is quickly becoming more important than a cure – and the same applies to cybersecurity.

Businesses should remove barriers, whether with organization or resources, that hinder them from taking advantage of the latest advancements in fighting cyber threats; these advancements include technology such as predictive AI and big data, which are capable of analyzing threats by making use of global pools of information to help identify exploits and defend against zero-day attacks.

As IT teams find themselves responsible for an increasing number of endpoints to manage, automation can prevent IT burnout, and prevent attacks from malicious players in a hybrid work environment.

The journey into the future of work begins with a single step

Despite remote work being a common topic for the past few months, as an economy, we are only just at the beginning of a new era of work.

Similar to how digital transformation projects were enacted in the past, businesses need to consistently take stock, and see if their solutions fulfill their needs sufficiently. The cybersecurity landscape is constantly shifting, and businesses must likewise shift with it by exploring different options while maintaining their vigilance – only then, will we be ready for the next step towards the future of work.

This article was contributed by Jonathan Tan, managing director, Asia, McAfee.