Hybrid work is a trend, but what about security?
You know when you have a nightmare that takes so long it seems to have lasted three nights in a row? That's pretty much what we're going through with the new coronavirus (SARS-CoV-2) pandemic — the spread started off mild and, in the blink of an eye, the entire world was fighting an enemy we could barely see. The crisis has radically changed several aspects of our lives, especially the way we work: working from home has become mandatory to ensure social isolation.
Fortunately, a light can now be seen at the end of the tunnel. A large portion of the global population is now fully immunized against the disease, and despite the fact that new variants of the virus emerge from time to time, everything indicates that we are about to wake up from this nightmare. It is naive, however, to think that everything will go back to normal. From a professional perspective, companies will tend to adopt the format that has become known as hybrid work, allowing their teams to work from home or at the office.
This strategy is advantageous for both companies and employees — the former can save a huge amount of money by building a much smaller physical infrastructure (and consequently pay lower rent and carry out less maintenance), while the latter have the freedom to decide which location they feel most comfortable working in. Although many people have enjoyed working from home, many others complain about remote work, preferring the good ol' office to concentrate better.
Returning to the tangible world
Okay, hybrid work is undoubtedly an interesting trend for all parties involved. But what does this mean for information security? Few executives have actually stopped to think about how this new format may create some unprecedented threats that need to be addressed before the plan is put into practice. After all, since we are combining two different ways of working, we are also combining two environments that pose different risks — and, along with this, new dangerous scenarios are created.
First of all, it is crucial that all employees be reminded of the peculiarities of the physical work environment (including the old ones). The clean desk policy (for example, not leaving sticky notes and sensitive documents in plain sight in your workspace) becomes even more important at the office. Leaving your laptop open and unlocked when going to the bathroom or talking about sensitive company information in the elevator are just a few examples of habits that should be avoided.
Fortunately, in the office, teams are back (even if temporarily) in a controlled perimeter... Unless, of course, your company decides to go for coworking, which is increasingly common. In these cases, it's good to keep an eye out for eavesdroppers when working in shared spaces, avoid public or unknown Wi-Fi networks, and always use endpoint protection solutions, firewalls, and VPNs. You never know when a malicious actor will be there trying to intercept your communications!
At-rest and in-transit risks
It may sound silly, but the smallest details have to be checked. When employees move from one place to another, this unfortunately increases the chance of a piece of equipment being stolen. Are these devices properly protected in case they fall into the wrong hands? Do they have strong authentication methods that cannot be easily defeated by a common criminal? Is the most critical data stored on the device encrypted, making it impossible or at least difficult to read?
And, of course, risks in the home environment are a concern as well. It is necessary to ensure that employees configure their personal router correctly, do not share their professional machine with anyone (not even members of their own family), are more careful with scams over the phone (vishing), and keep their home network free of vulnerabilities — and remember, a vulnerability could even be that IoT device you bought from a dubious website!