The hybrid work model evolving from pandemic-driven work-from-home initiatives offers a number of potential benefits for organizations and employees: greater flexibility, increased worker health and safety, and reduced overhead costs — to name just a few.
But the model also presents some significant security risks, and companies need to manage these to ensure success with this new work environment.
Why the castle-and-moat approach no longer works
Organizations face technical as well as cultural risks, and the two sometimes intertwine. Prior to the massive shift to remote work as a result of the COVID-19 pandemic, many if not most organizations took a castle-and-moat approach to cyber security. Corporate firewalls protected enterprise networks, ensuring the safety of on-premises devices, systems, and data.
With so many people now working remotely at least part of the time, this approach no longer works as well as it did. Many IT resources now operate outside the moat — or firewall — and are vulnerable to cyber threats of all kinds.
The trend toward working from outside the enterprise perimeter has been underway for years, but the work-from-home mandates gave it an enormous boost. Today, many workers prefer the freedom to work remotely, and management in many cases is agreeable to the idea, so this has become something of a cultural issue for organizations.
The risks of remote work
Working from anywhere is now a real prospect for many more people than it ever was. People who in 2020 were told to work remotely have now learned to make it work, and don’t see a need to go back to working five days a week in the corporate office. Many see the shift as having enhanced their quality of life and reduced expenses such as commuting.
The shift has led to new ways of doing things. For example, many team members collaborate now by using online videoconferencing and collaboration platforms rather than gathering in a meeting room. More are accessing business applications via the cloud and using their own mobile devices to do so.
In general, the pandemic has to some degree brought a relaxing of the rules about what people can and cannot do to complete their work. Often, people working remotely deal with high-risk data such as personally identifiable information about customers, or intellectual property.
This is not to say every organization supports this approach or is happy with it. In fact, many are concerned about people working in a somewhat uncontrolled environment and want them to come back to the office. They’re not accustomed to letting employees use their own personal devices to access enterprise networks and data.
Remote work darkens the shadow IT phenomenon
While the shadow IT phenomenon has existed for years, working remotely has given employees even greater opportunities to go their own way with regard to hardware and software deployments. While enabling business lines and users to adopt tools on their own based on their needs can be beneficial, it also raises security risks. Furthermore, it can end up costing organizations more because of a lack of coordination and standardization.
Organizations are concerned about these trends for good reason, because the security threats are greater than ever. The situation becomes even more dire for organizations holding onto the old ways of providing security, such as the castle-and-moat approach, and pretending that the world is still on-premises centric.
One of the shortcomings of this type of approach is that it does not provide visibility into what remote users are doing, what data they can access, what endpoint devices they are using, and the level of security on their devices.
The hybrid workplace revolution is here
With the hybrid work model, companies could face a situation where devices that haven’t been managed very well throughout the pandemic are now coming into corporate offices and then going to the employee’s home again.
If organizations don’t have the ability to manage the security on those devices regardless of where they are, they are opening themselves up to a large attack surface and massive risk. They need endpoint security tools that are cloud aware, remote work aware, and that don’t require them to make a choice between productivity and security.
It’s often difficult to build a business case for some of these risk-mitigating technologies or management technologies, because finance managers will want to know what the return on investment (ROI) will be in tangible business terms.
The reality is that the ROI comes from reducing the risk of ransomware and other costly attacks, and reducing the risk of noncompliance with data privacy regulations. These can be hard to quantify from an economic standpoint because they are very much what-if scenarios. It can be even more challenging to make a business case when implementing multiple, diverse tools.
One-platform approach for hybrid work
Perhaps the best option for many organizations is to deploy a single platform for managing and securing IT infrastructure in this new environment. Such a platform would offer real-time visibility and control of data and workloads. It would also help eliminate the need for having multiple point solutions that do not work well together, while at the same time providing integration with existing platforms.
By having a single platform, a company can see into lots of different work environments—hybrid, remote, and in-office—for workloads that are in the cloud or in the data center.
Another benefit of this approach is that it reduces the opportunity for gaps to appear, which can happen with point solutions. Gaps show up all the time when there is one system managing one part of the environment, and others managing other parts.
Gaps also appear when different teams look at different data or different tools. When teams work off the same set of data and there’s only one place to find that data, the process is far simpler and more effective.
Organizations can use the platform to push out new user profiles, new software, new hardening, new configurations, etc., helping to ensure that everyone has access to these updates.
In addition to deploying a technology solution, organizations also need to consider the process and policy changes they need to make to support the new work environment. It’s not just a matter of creating new policies, but making sure they are being followed. A single security platform can help with this as well.
Managing the risks of the emerging hybrid workplace is clearly a major challenge for many organizations. But with the right combination of solutions, policies and practices, they can effectively mitigate the risks and thrive in this new environment.