Cybersecurity for hybrid working: A senior leader’s guide

Every company is already a couple of chapters into its own work-from-home story, and for many the plot has taken a turn toward hybrid. But no matter how flexible the arrangement, if your organisation gives employees the option to work from home, you need to ensure your company is not taking a flexible approach to cybersecurity too.

It’s not only an issue for IT teams, but for anyone in leadership. After all, the most secure organisations have done more than purchase the right security software. They have also addressed gaps in employee awareness, set comprehensive policies in place, and have found ways to reinforce best practice company-wide. 

Employee awareness

Let’s be clear about this: If your staff don’t understand the risks, all your cybersecurity processes are redundant.

It’s tough to get everyone on the same page. As an HP Wolf Security report has it, over 50% of employees are more worried about deadlines than a data breach. Because of these mismatched priorities, employees can perceive restrictions as unnecessary obstacles to their own workflows, particularly when other aspects of hybrid working are often orientated around their preferences.

It’s no surprise, perhaps, that 83% of IT teams believe home working to be a “ticking time bomb” for a network breach. And despite their best efforts, 69% of IT teams said they’re made to feel like the bad guys for imposing security restrictions. 

What are your employees’ general at-home technology habits like? Do they know about phishing, or other major cybersecurity concepts? Have you ever tried testing them? 

If you’re uncertain how to motivate your employees to follow best practice, the threat of ransomware might tip them over the edge. As we saw in the HSE phishing crisis, employees need to operate by a zero trust principle. They need to assume they will be targeted by hackers, and unless employees exercise caution, they could bring their entire organisation to a standstill. 


“The most important factor when it comes to cyber security across a hybrid working model is communication and a strong culture of security awareness. You can have the best policies in the world, but if those aren’t known and understood by every member of your workforce then they may as well not exist.

The most successful organisations are those in which every team member has a respect for cyber and information security, and understands where to go for help and how to report concerns. Whether those things are written into policies is almost irrelevant.”

CTO – i3PT

Policy and procedure

Awareness alone won’t protect against every hybrid working security risk. You’ll also want to consider what policies you can put in place to set the standard, promote best practice and mitigate the damage should the worst happen.

Too many organisations rush into buying cybersecurity software, without really knowing what their vulnerabilities are. But simply getting comprehensive policies down on paper – from IT security to remote access and encryption – can help your organisation to assess where you are not yet compliant and where you need to take further steps. 

Role-based access

One of the first security principles you should be aware of, and set processes in place for, is the principle of least privilege. Each employee in your organisation – and beyond, in the supply chain – should only have access to the data they need to do their role. Organising access this way, by role, is known as RBAC (Role-Based Access Control).

In a small organisation, you can afford to give each employee tailored permissions, while in a larger organisation you may organise it by management level and by department – giving finance access to one set of data, the engineering department another.
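An added illustration of the approach just described (example code, not from the original guide): a small default-deny access check that supports both per-user tailored grants, as a small organisation might use, and department plus management-level roles for a larger one, with a helper that flags datasets a user touched that no role or grant covers. User, department and dataset names are constructed sample values.

```python
# Added example: least-privilege access check modelling the two
# arrangements the guide describes. Anything not explicitly granted
# is denied. All names below are constructed sample values.

# Department-level roles for a larger organisation: each maps to the
# datasets that department needs for its work, nothing more.
DEPARTMENT_ACCESS = {
    "finance": {"invoices", "payroll"},
    "engineering": {"source-code", "build-logs"},
}

# Extra datasets a management level may see beyond its department baseline.
MANAGEMENT_ACCESS = {
    "manager": {"headcount-report"},
}

# Per-user tailored grants, as a small organisation (or for a supply-chain
# contractor) might use; these are added on top of any role.
USER_GRANTS = {
    "alice": {"invoices"},  # constructed: a contractor handling invoices only
}


def allowed_datasets(user, department=None, level=None):
    """Return the full set of datasets a user may access."""
    granted = set(USER_GRANTS.get(user, set()))
    granted |= DEPARTMENT_ACCESS.get(department, set())
    granted |= MANAGEMENT_ACCESS.get(level, set())
    return granted


def can_access(user, dataset, department=None, level=None):
    """Default-deny check: True only if some role or grant covers the dataset."""
    return dataset in allowed_datasets(user, department, level)


def least_privilege_violations(user, touched, department=None, level=None):
    """Given datasets a user actually touched (e.g. from an access log),
    return those that no role or grant covers, as candidates for review."""
    return sorted(d for d in touched
                  if not can_access(user, d, department, level))


if __name__ == "__main__":
    # Constructed access log: an engineer who reached into payroll data.
    print(least_privilege_violations("bob", ["source-code", "payroll"],
                                     department="engineering"))
```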

VPNs

You also need specific protocols around hybrid working. Employees should be connected to the company VPN (Virtual Private Network) at all times. This creates a secure, encrypted tunnel between their workstation and your workplace, and it shouldn’t be turned off for a second.

On the other hand, free VPNs are an absolute no-go, and this needs to be enshrined in your policy. These VPNs, often used to access international streaming services or other blocked content, are full of holes. Your employees might see one as a helpful hack to watch US Netflix, but for their ingenuity they might be hacked in return.

Hardware and software

But even a company VPN is little help as protection if your employees are accessing that VPN from a device full of malware. If an employee’s children are using the same laptop or phone to download from untrustworthy sources at weekends, there’s no telling what’s on it. While Apple’s App Store is relatively regulated, the Google Play Store is a wild west. 

In a hybrid world, the boundaries are blurring between employees’ personal and work lives, and it can be hard to know where they draw the line. 

Without the right support, too, digital poverty may force remote employees to go occasionally to public places to fulfil their job requirements, connecting to unknown routers or other insecure hardware.

A way to mitigate this is to put policies in place to ensure all your employees have the home infrastructure they need, including updated IoT-enabled devices such as printers, webcams, and routers. This isn’t one to overlook, particularly if you’re looking to get cybersecurity certification. Cyber Essentials, for instance, requires employees’ routers to be relatively new; otherwise your company will be deemed too vulnerable for its standards.

How to reinforce best practice

Communicating the gravity of your policies to a remote team isn’t always simple. It requires more than a company-wide email or a team message, which employees can all too easily ignore. So how can you convince them to take it seriously?

One avenue is training. You could consider putting your company through Cyber Essentials, or ensuring your development teams are aware of OWASP. At a bare minimum, training should get many of your employees using two-factor authentication and updating their software regularly. But there will almost always be employees who don’t show, don’t listen or don’t implement what they’ve been taught.

Here penetration testing can be of great help, enabling you to:

  • Discover which employees are most at risk so that you can intervene.
  • Assess the unique vulnerabilities of your organisation, which will inform your policies and the actions you need to take as a company. 
  • Reinforce best practice by setting up monitoring to automatically notify employees when they act outside of company policy.


We’ve been trusted, neutral, and CREST-certified cybersecurity partners to a variety of companies over the years, and we can help your organisation too. To learn more, don’t hesitate to get in touch.