It might feel like conversations around the implications of remote or hybrid working have been going on forever. From the pandemic to the ‘return to the office’, and now - where hybrid seems to be here to stay. A recent survey found that three-quarters of organisations (78%) now allow hybrid working.
Although it feels like this has been the status quo for some time, some leaders had been holding their breath waiting to see just how permanent this shift would be. Now that most businesses have accepted that hybrid is here to stay, IT teams need to plan for the long haul. What do security and data protection look like in a hybrid world, and how much further do businesses need to go to properly protect themselves from the risks?
Why businesses are still adapting to hybrid working
When the pandemic began, we talked about the risks of remote working - unsecured public domains, new portable devices, and workers' digital hygiene in a new remote-first setting. When people returned to the office, we talked about the risks such as re-introducing unsecured devices to the office network. But even now, the adjustment is ongoing.
Digital transformation has happened fast over the last couple of years, both for the workforce and businesses as a whole - whether it be moving to the cloud or moving to hybrid work. While this is ultimately a good thing, now that the dust has settled the wise thing to do is to take stock of these transitions and make sure there aren’t any gaps or vulnerabilities that need to be addressed.
On top of this, while all this change has been going on, CIOs have often had to prioritise. So, while security teams might have a growing list of activities needed to modernise their security, they are often left taking a few small steps at a time due to limited capacity and resources. This means that while many businesses have undergone digital transformation in the face of remote working, the ‘security transformation’ to follow this is still ongoing.
According to the 2022 Veeam Data Protection Trends Report, 89% of global organisations have a “protection gap” between how much data they can afford to lose and how often data is backed up/protected. Therefore, many businesses don’t just need to “keep up” with expanding threats, but rather are scrambling to close the protection gap created by rapid digital transformation combined with growing cyber threats.
How to protect against threats
Many of the risks of hybrid working are related to securely accessing the company networks. Obviously, open networks like home WI-FI are less secure, which is why most companies use a virtual private network (VPN). But hackers know this, and VPNs aren’t impervious if they aren’t end-to-end encrypted, so more advanced measures like virtual desktop infrastructure (VDI) can be needed to further mitigate risks.
Of course, employee diligence and digital hygiene will always be a factor. It's important not to ignore cyber education, particularly around the nuances of hybrid work - VPNs, device integrity, and more. But perhaps what's not talked about as much is upscaling security education in line with the growing sophistication of security threats.
If despite best efforts, passwords are stolen through phishing attacks or any other means, rigorous authentication requirements can make all the difference. A security breach on a single laptop can quickly evolve into a break in the network, but multi-factor authentication (MFA) can mitigate this risk and is relatively easy to implement.
In today’s hybrid and high-threat environment, authentication is the bedrock of security. A dispersed workforce and cloud migration have led to an ever-increasing attack surface, and this means that now is the time to adopt a zero-trust strategy. A zero-trust architecture takes the security principles that used to just exist on the perimeter of a business’s IT system and applies them throughout. Systems in a zero-trust environment never trust, always verify, and are built on the principle of least privilege.
The last line of defence
If, or perhaps when, all else fails, the key differentiator or “last line of defence” for businesses is their backup and recovery systems. As the digital threat scape of organisations endlessly expands, and cyber threats like ransomware become more severe, having the ability to recover is becoming vitally important. Three in four organisations (76%) have reported suffering at least one attack in the last year alone, with malicious links and compromised credentials being the two leading causes.
Having a robust backup solution in place is vital for recovering from cyber attacks, data breaches and outages. What comes first however is knowing exactly what data needs to be protected and recovered. Being unable to define the “mission critical” data, what is most sensitive or what needs to be recovered first to return from downtime, can quickly make backup and disaster recovery expensive and time-consuming.
For a hybrid workplace in particular there are unique backup considerations, as laptops and devices which can contain locally-stored critical data need to be protected in the case of loss corruption or disaster. Being able to centrally back up remote laptops alongside systems like windows and Microsoft 365 will be crucial for businesses going forward into the hybrid working future.
All backups are not created equal, however, ransomware attacks in particular are actively targeting backup systems as part of attacks. The Veeam 2022 Ransomware Report found that backup repositories were targeted in 94% of attacks and 68% of these were successful. To stop this from happening, multiple copies of data can reduce risk, but more importantly keeping data repositories that are offsite, offline or immutable means you will always have something to fall back on in case of disaster.