Embracing secure hybrid work with four foundational IT controls
Hybrid work has become the norm for many businesses. In fact, a 2021 survey conducted by HR consulting firm Mercer found that out of a group of 510 employers with flexible work programs in place, 70% plan to adopt a hybrid work model. While the new work-from-anywhere revolution provides more flexibility for workers, it also creates real security concerns for IT teams.
As organizations formalize work-from-anywhere strategies, it has become painfully evident that many time-honored security blueprints don’t function effectively anymore. With employees increasingly traveling from the office to their homes and everywhere in between, asset tags, badges, perimeter firewalls, and network segmentation are not doing enough to protect the decentralized workforce.
While these proven on-premises strategies won’t work in remote business environments, the good news is that the security risks haven’t changed all that much. To maintain a sound security posture, IT teams just need to adapt the tools, strategies, and security solutions they deploy. For any IT team struggling with this shift, these security challenges can be easily mapped back to four foundational controls:
1. Maintain an accurate inventory
The first step of protecting a hybrid work environment is creating and maintaining an accurate list of physical and software assets. An enterprise’s inventory process should be seamless to end-users no matter their location and should not require a constant connection to the corporate network.
The ideal inventory solution will integrate with the asset purchase process ensuring that assets are tracked automatically. Further the solution will need to report changes back to a central console frequently so that your team is working off accurate data.
Finally, the solution needs to quickly identify assets that are failing to report in so staff can take corrective actions. If your IT team is calling users to verify asset tags and tracking installed software via a spreadsheet, you are likely missing many assets and leaving them vulnerable to security threats. IT and security departments cannot protect assets they don’t know exist. Therefore, maintaining a comprehensive list of physical and software assets is imperative.
2. Verify the identity of the device user
Single sign-on (SSO) solutions that integrate with the operating system and leverage strong multifactor authentication should be required in any security posture. Password reuse and the continuous flood of data breaches that use compromised login credentials have made passwords the weakest link in any authentication chain. Many out-of-date security processes leave companies only as secure as the last password change.
In fact, a breach exposure report released this year showed that about 25.9 million Fortune 1000 business accounts and 543 million employee credentials were circulating on underground hacking forums. Stolen and reused passwords were largely to blame.
SSO solutions with enforced multi-factor can help eradicate this problem so IT teams understand who is trying to gain access to your organization’s devices, programs, and data at all times.
3. Manage secure endpoint configuration
End-users need to access data on devices when working, no matter their physical location. And in a remote world, any gap in data or device protection is a potential entry point for hackers. With an evaporating perimeter and limited reliance on network security solutions, IT teams need to emphasize endpoint protection.
To protect valuable information, enterprises need to ensure that all devices with access to company data are deployed using approved hardened configurations. Organizations such as Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) maintain free technical guides for secure device configurations on popular operating systems. These resources are designed to be an a-la-carte menu of technical controls for any organization to implement for their needs.
Deploying a secure configuration once isn’t enough, if an organization’s configuration management solution isn’t continuously verifying and enforcing that configuration whenever the device is online, end-users are able to install software or make changes during their workday that will expose the data on those devices.
4. Support users changing needs
Business growth requires change – that’s a fact. But in the work-from-anywhere model, users can’t simply swing by a help desk to get support. IT and security teams cannot be the department of “No.” Your management systems still need to deploy software, install updates, modify system settings, and facilitate remote support whenever necessary. If you can’t help employees remotely, they will try to find a way around their issues, leading to serious security issues like shadow IT.
Ensuring employees are happy with their devices and running the latest software and corporate-approved settings will drive a consistent level of security throughout your organization.
Companies who embrace the new perimeter and standardize their efforts around robust yet manageable solutions to protect their assets (both human and digital) regardless of location will have the market advantage as competitors struggle to adapt to this new world of hybrid work.