By now, we’re all familiar with the fact that the world of work has undergone dramatic change over the past two years. The abrupt office closures and large-scale shift to remote work that took place in 2020 were followed by a period of re-evaluation and self-scrutiny. According to the Microsoft 2022 Work Trend Index, a study of more than 31,000 employees in 33 countries, an astonishing 43% of the global workforce is considering leaving their jobs in the coming year.
What do these employees want? According to a recent Gallup poll, a significant majority (61%) are looking for better work-life balance and a job that supports their personal well-being. For many—but not all—of them, this means flexibility, so that people can work whenever and wherever they’re most productive. A full 40% of U.S. employees say that they’d start looking for another job or quit immediately if ordered to return to the office full time. Still, more than half of employees would prefer to work on-site at least sometimes.
One constant that’s clear in the midst of all these changes: whether employees are fully remote, hybrid or mostly in-office, tomorrow’s ways of working will demand new cybersecurity strategies. Although the move to the cloud was already underway before the COVID-19 pandemic sped up its progress, today’s business IT ecosystems incorporate more Software-as-a-Service (SaaS) applications, more cloud resources and more endpoints outside the network perimeter than ever before, and there’s no going back.
At the same time, many organizations have made investments in and progress towards remote work enablement. For many security leaders, it feels as if the network perimeter has finally and fully dissolved within the last year or so. And end users’ expectations are different now: whether they want to work at the airport, on a plane or from a long-term vacation rental, people expect that they’ll be able to access business applications seamlessly anytime and anywhere.
We have four basic recommendations for stakeholders who want to increase their organizations’ cyber resilience as they strive to accommodate increasingly agile and flexible ways of working.
#1: Protect the endpoint.
Regardless of whether they’re connecting to the corporate network, home Wi-Fi or a virtual private network (VPN) tunnel, your employees will still be using endpoint devices to access your company’s data and resources. Research from the Ponemon Institute reveals that as many as 68% of organizations have experienced an endpoint-based attack in which data assets or IT infrastructure was compromised within the past two years. Protecting this key entry point for malware- or ransomware-based attacks is of fundamental importance.
As recently as five years ago, endpoint protection meant buying and managing an assortment of point solutions. From antivirus software to endpoint agents for VPNs and other threat prevention solutions, best-of-breed entailed an array of disparate capabilities from just as many different vendors.
Today, the major endpoint protection platform vendors tout the comprehensiveness of their capabilities. Some, in fact, may have more capabilities than your organization needs.
Our advice? Start by developing a realistic budget. To figure out what’s standard in your industry, you might talk with peers in similar organizations that you know and trust. If you haven’t invested time in determining what you’re able to spend beforehand, you’re all too likely to be swayed by vendors’ claims that you need everything. At the same time, if your budget is so low that none of the vendors you talk to have solutions that are in line with it, it might be wise to shift it upwards.
In some cases, the most cost-effective way to gain the endpoint protection capabilities you need may be to upgrade the licensing tier of an enterprise software product that you’re already using.
#2: Control access.
We’ve said it before, but when it comes to managing privileges and user account access, we take our motto from the movie Spaceballs. It’s “Take only what you need to survive.”
Granting employees access to IT resources should be done proactively and intentionally. It’s possible to implement a state-of-the-art Identity Governance and Administration (IGA) platform that will automate much of the work involved, but it’s cheaper (and, in small to midsized businesses, entirely doable) to perform regular access audits manually. What’s important is keeping track of who has access to what and ensuring that people don’t have access (or privileges) that they don’t explicitly need (or no longer need) for their job function.
It’s also important to maintain oversight of the SaaS solutions your organization is using. In today’s world of free software trials and company credit cards, it’s all too easy for employees to sign up for SaaS without your IT or security team knowing anything about it. This is a recipe for increased security risk.
#3: Monitor for threats (including endpoints and access).
Ongoing security monitoring is critical if you hope to be able to quickly identify and eliminate security threats. The underlying premise is simple: how would you know something had occurred if no one was looking for it?
This fundamental need hasn’t changed with cloud adoption or the shift to hybrid and remote work environments. What has changed is that it’s now more important to ensure that your security operations team (or expert Managed Detection and Response (MDR) provider, if you’re outsourcing) is including SaaS solutions and cloud resources in its monitoring strategy. If you haven’t already done so, it’s worthwhile asking whether your security provider can keep tabs on logs from the cloud and SaaS.
#4: Train, train, train.
Information security will never be solely a technology problem. If the shift to remote work has opened cybersecurity gaps in your organization, many of these are likely due to employees failing to follow company policies, or simply making mistakes.
We’re only human. No amount of security awareness training will eliminate all errors or prevent all incidents. But implementing a high-quality training plan that’s specifically targeted at remote or hybrid work use cases can significantly reduce the likelihood and frequency of events, and that’s exactly what you want.
As time passes, paradigms will continue to shift. Here at BTB, we’ll continue to share our insights to help you stay ahead of the curve.