Protecting Your Hybrid Workers

As the world attempts to work with pandemic developments in 2022, most businesses find themselves adopting a hybrid working model. Ever evolving restrictions and the balance between some employees and companies preferring to adopt full or part-time home working arrangements, means that many organisations have introduced flexible models where employees have a blended approach between their days working remotely and or in the office. Implementing this way of working can bring many benefits but from a cyber security perspective it does increase difficultly to keep visibility over networks and devices. 

The Risks Associated with Hybrid Working 

Employees and their devices constantly moving around means that IT and security teams have a harder time monitoring your infrastructure for possible security events and vulnerabilities. Malicious attackers are aware that they may be some confusion as to who is accessing your network and where, so they may use this opportunity to try and slip through the net and compromise your data. 

Organisations that don’t take the appropriate steps to protect their hybrid workers could open themselves to the following risks: 

• Unauthorised access – whether that’s from using default credentials on devices, falling victim to a phishing email or failing to update their applications to the latest supported versions cyber criminals gaining unauthorised access to any aspect of your organisation can have major implications.

• Mobile attacks – Hybrid working means that employees are increasingly using mobile phones, sometimes their own device, to collaborate with colleagues. This big increase in mobile communication for work opens a new door for attackers.

• Public Wi-Fi – Now the world is opening up again workers may choose to work in spaces such as Café’s and libraries, where they will connect their work devices to public Wi-Fi. Insecure public Wi-Fi could open up your users to a range of cyber-attacks, particularly man-in-the-middle attacks. Working in public spaces could also put your devices at risk. If your employee leaves their chosen work to station to grab a coffee, anyone could walk by and compromise your device.

• Poorly protected home networks – the average UK home is not going to have the same security controls in place as an organisation which will make it easier for an attacker to target.

• A disconnected workforce – a major risk that comes with hybrid working is that your user’s awareness of cyber security threats may reduce. In a comforting environment, without a “corporate hat” on are they less likely to adhere to all processes in the same manner?

• Compromised cloud services – remote and hybrid working has encouraged the majority of organisations to make the jump to the using cloud services. Whilst this is extremely useful for collaborative working, poorly set up cloud infrastructure could be a pathway for an attacker to your data. Default configurations, weak credentials and unencrypted data can cause data weak spots in your cyber security strategy.

How to Manage the Risks of Hybrid Working 

Assess the risks and create a mobile working policy: Assess the risks associated with all types of mobile working and remote access. The resulting mobile security policy should determine aspects such as the processes for authorising users to work off-site, device provisioning and support, the type of information or services that can be accessed or stored on devices and the minimum procedural security controls. The risks to the corporate network or systems from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the systems being accessed.

Educate users and maintain awareness: All users should be trained on the use of their mobile device for the locations they will be working in. Users should be supported to look after their mobile device and operate securely by following clear procedures. This should include direction on:

- secure storage and management of user credentials

- incident reporting

- environmental awareness (the risks from being overlooked, etc.)

Apply the secure baseline build: Develop and apply a secure baseline build and configuration for all types of mobile devices used by the organisation. Consider integrating the security controls provided in the End User Device guidance into the baseline build for mobile devices.

Protect data at rest: Minimise the amount of information stored on a mobile device to only that which is needed to fulfil the business activity that is being delivered outside the normal office environment. If the device supports it, encrypt the data at rest.

Protect data in transit: If the user is working away from the office the connection back to the corporate network will probably use the Internet. All information exchanged should be appropriately encrypted. See Using IPsec to Protect Data and Using TLS to protect data.

Review the corporate incident management plans: Mobile working attracts significant risks and security incidents will occur even when users follow the security procedures. The incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device. Ideally, technical processes should be in place to remotely disable a device that has been lost or at least deny it access to the corporate network.