The cybersecurity challenges of remote and hybrid work

By Deepa Kuppuswamy

Before the pandemic, when cybersecurity teams worked with secure systems in controlled physical places like an office, threats were relatively easier to identify, isolate and repair. Now, organizations working with a distributed workforce are facing significant challenges dealing with cybersecurity as hybrid and remote work has introduced more potential avenues for attack.

IBM's Cost of a Data Breach Report 2021 points out: "Data breach costs increased significantly year-over-year from $3.86 million in 2020 to $4.24 million in 2021. Organizations where more than 60% of employees were working remotely, had an average cost of a data breach that was higher than the overall average cost of a breach."

There are three primary areas of concern for the cybersecurity teams:


1) Under-protected home networks: Our home networks are connected with numerous under-protected devices, not to mention weak security controls and irregular patching updates. Hackers can easily exploit home networks to pivot into work computers and enter organization networks.

2) Accessing business from personal devices: In remote and hybrid environment, work and personal tasks tend to mingle on a device: business machines are often used for personal projects (be it even functional tasks like checking personal email or making online transactions), and work is done over home internet service providers. Organizations end up having less visibility and control over their business data, and delineating where the data is stored becomes more difficult. Installing unapproved software and vulnerable browser extensions, browsing malicious sites for personal tasks, etc. expose corporate devices to data breaches.

3) Irregular patch cycles: Missed patching cycles and absence of real-time visibility (crucial for threat detection) is a significant challenge for security teams. With bandwidth restrictions and network disruptions in remote areas, there can be scenarios where the endpoints do not connect to the enterprise patch management system for long periods. Vulnerability scans can be missed when devices are not remotely accessible during the scan schedule. The channels used for establishing secured remote connections—VPNs and other remote access platforms— might have security vulnerabilities that could be exploited by hackers if not properly patched.

How businesses can address security concerns

With hybrid work taking off, security teams need to contend with situations where an employee logs in from multiple locations during a given week, while working from the office on other days.

The perimeter based network security is dead; wrapping protection around identity and devices has become critical. Adopting a Zero Trust security model is no longer optional, it’s the new business imperative. Build end-point protection platforms capable of securely configuring, patching, and managing operating systems and applications remotely.

Strict end point management and control for corporate devices elevates awareness about what is happening to the device at all times, regardless of where the employee is. It is also good to perform additional screening checks on employee devices when they return to the office; ensure security controls are on and necessary patches are applied.

Other basic but time-tested ways to optimise security and protection include:

• Enabling VPN access over encrypted channels (SSL/IPSec) while using the device for work.
• Strengthening the security policy by increasing the required complexity of employees' primary passwords. Additionally, looking at factors like "idle time" and "concurrent logins" to monitor whether official devices are being used appropriately.
• Ensuring multi-factor authentication using apps that deliver location-agnostic security and offer an array of secondary authentication options like push notification, QR code scanning, TOTP, touch ID, etc.

Empowering remote workers to be more secure with the right training

It's important to construct a robust security architecture. Equally critical is educating, empowering and encouraging the right security behaviour among employees.

When new employees are on-boarded—mostly remotely these days—it is important to induct them into the security culture of the organization. They should be educated about the increased risk of phishing, potential ransomware attacks, insecure usage of collaboration and conferencing tools, and vulnerable home networks.

The security teams should clearly communicate with and train the new employees about the protocols. Choosing the right collaborative tools to relay important announcements and encouraging employees to flag any security concerns they may encounter are also good measures.

A few other tips that organizations can follow are: establish a clear communication policy that helps employees understand why downloading or using consumer/free VPN is a bad choice; provide contextual learning by highlighting the security pitfalls and what can go wrong when a less secure option is chosen; organize simulated security exercises, quizzes and gamified security challenges periodically to keep them conscious of security.

Making the future more cyber-secure

The benefits of a remote or hybrid workforce are plentiful, which can further be maximised by instituting robust security controls. As technology evolves, the threat landscape will get more sophisticated but so will the resilience of security initiatives. Building a sustainable security culture with the right tools and making security a part of the organization's DNA is the clear way ahead.

The author is Director of Security, Zoho Corporation