IT Security Best Practices for Remote and Hybrid Workforces
The pandemic transformed our lives, especially the way we work. Traditionally, employers believed that office workers needed to be physically present at their workplace to be most productive. With the world under lockdown, the concept of remote work became a necessity. While some companies had the technology, security systems and processes in place to manage this shift, many were caught unprepared and forced to rush in processes and systems to support remote workers, sometimes prioritizing speed of deployment over security.
After having worked remotely, many workers do not want to return to a fulltime office setting. According to a McKinsey survey, 63% of workers worldwide prefer flexible or remote working conditions, and more than 30% are willing to quit their current job if required to go back to an office fulltime. With a clear employee preference toward remote or hybrid work, employers have no choice but to offer flexible working models or face large-scale employee attrition.
Fortunately, hybrid work models also have an upside for employers. In addition to contributing to improved employee satisfaction and retention, employers are seeing reduced costs associated with decreased demand for office space and bandwidth. As such the business case for hybrid work models has never been stronger.
Embracing hybrid work models requires a thoughtful approach. Remote workers can expose your infrastructure and data to vulnerabilities which previously may have been a lesser concern. The good news is a combination of technology, policies and training can mitigate these risks.
Here are eight security best practices for remote and hybrid workforces:
1. Shared Responsibility Model:
Hybrid workers need to understand that cloud security is a shared responsibility. This framework clearly defines users’ and administrators’ responsibilities and obligations when it comes to maintaining cloud security and supports them to fulfill their responsibilities.
Robust encryption of data in transit, in use, and at rest is essential. Tools like Software Defined Wide Area Networks (SD-WAN) can be deployed to create a dynamic, multipoint VPN using IP security, to create encrypted tunnels for data transmission between remote users and corporate infrastructure, through the Internet. As a rule, all data should be encrypted before it is transmitted. For data at rest, all modern devices which store, or cache data can encrypt data.
3. Robust Passwords.
Enforce the adoption of password best practices. This should include minimum standards on length, types of characters, and use of symbols. The generally accepted standard for strong passwords is to include at least 12 characters that must include uppercase and lowercase letters, numbers, and special characters.
4. Multi-Factor Authentication (MFA):
Multi-factor authentication provides an additional layer of data security beyond a username and password. MFA can take several forms such as a PIN sent to a trusted device, a security key which the workers retain in their possession, personal history questions, or biometrics such as voice, or fingerprints.
5. Zero Trust.
Traditional security models operate on the principle that once a user is authenticated, either by being in a secure corporate perimeter or by VPN, they are granted access to all resources authorized with their account. A Zero Trust posture assumes every user is a potential threat and includes authentication of devices and their integrity before granting access to each resource or zone within a corporate IT environment.
6. Data Categorization.
This involves categorizing enterprise data based on its sensitivity and implementing a hierarchy of controls based on that sensitivity. This should not only include access controls, but consideration of how sensitive data is transmitted and stored. Servers, data centers, network attached storage and user devices can all cache data transferred through them. As such data categorization should include appropriate data destruction processes to ensure sensitive data is not on systems that lack adequate security policies and controls.
Cloud Security Posture tools automate many aspects of security monitoring and incidence response. Security patches and updates should be automated across all enterprise infrastructure, systems, and user devices to the fullest extent possible. Critical security updates should not be delayed because of the lack of availability of IT resources, or by workers who prioritize their own work over updating the security apps on their devices.
8. Training, Policies, and Procedures. Remote workers face a wide range of security threats which are much less of a concern when they are within a secure corporate office. In addition to reinforcing IT security best practices, organizations need to consider situational issues such as securing devices and documents, preventing eavesdropping on conversations and computer screens, and other risks.
Trigyn offers a full range of enterprise security services to help clients protect their sensitive data. For more information about Trigyn’s enterprise security services, contact us.