Understanding the 5 Ps of securing a hybrid workforce
As remote workers, we sure do not miss the commute to work, enjoy the extra sleep, and certainly love the freedom of taking a conference call in our pyjamas! There is an evident change in where we work and how we work, and today both employers and employees embrace remote work as a viable, long-term prospect.
If 2020 was about getting isolated workers to work together, 2021 will be about industrializing the hybrid workforce.
But to my mind, a question looms -- how can CISOs and employees work together to ensure the hybrid working experience is productive, engaged and yet secure?
The answer lies in the fundamental ‘5 Ps’ of security -- passwords, patching, phishing, people, and privileges -- which are even more crucial when it comes to securing data in a hybrid setup.
Here are some essential steps CISOs and employees can take to improve their defense posture:
Passwords -- the first line of defense
Weak or common passwords have consistently been the Achilles’ heel of many organizations’ security systems. Using a combination of password cracking techniques, hackers can gain access to systems, bypass security and may even be able to access confidential enterprise data. Passwords are often stolen in breaches, and if not changed, can be misused to gain access to other linked accounts.
Employees must use passwords that are unique, long and complex across accounts – using paraphrases and creating scrambled passwords which are near-impossible to guess. To remember them, they can use a password manager to help keep a track of passwords across all their accounts and enable two or multi-factor authentication (MFA) as an additional layer of security.
Patching -- closing loopholes
You’re familiar with the little pop-up windows, reminding you of software updates available on your device. These updates help patch security flaws, also known as software vulnerabilities, and are important to your digital safety. They usually include fixing security holes that have been detected or removing computer bugs. Updates not only patch security holes, but also boost programme performance, add new features, and improve existing ones.
Phishing -- cybercriminals’ go-to trap
Phishing attacks are one of the most prevalent threats we see today as cybercriminals deploy multiple tricks to hook you, either online, or over the phone. Our recent Threats Report showed that office malware surged by a whopping 199% from Q3 to Q4 of 2020. The foremost step to tackle this is to always be wary of suspicious emails/calls, even if you are talking to a company or bank, you do business with. If you doubt even the slightest detail, do not click, or proceed further. Simply hover over it to see if the URL address looks legitimate.
Using a comprehensive security software that can protect your device from potential phishing attacks also helps in securing not just the individual's data but also that of the organization.
People -- confronting the human factor
Owing to the hybrid setup, as employees are given access to company and customer data, accidental or sometimes malicious insider threats pose a significant risk to business as they have the potential to damage the company’s and customers’ private information, trust, and reputation. Socially engineered attacks pose higher risks to corporate data as recent times have led to potentially more non managed devices with multiple users within a family. These risks are magnified by remote work, as the lines between personal and professional use blur, leading to increased threat exposure for sensitive data.
Employees end up being attack vectors either because they accidentally slip up – or because they do not have the required training to spot cyberthreats, identify bad actors behind attacks, and understand their role in helping protect the companies they work for. Training is essential in boosting awareness and offering employees countermeasures to safeguard themselves against future cyberthreats.
Privileges -- the balancing act of managing access
As remote work requires employees to leave company networks’ safety and accountability, IT leaders need to provide greater access to data, opening yet another avenue for unintended, and sometimes malicious actors to snoop in. To ensure that sensitive information is protected, it is essential to have processes in place that allow only the right people have access to sensitive information – only when needed and restrict employees’ access to only the data they need to perform their tasks.
A Zero Trust approach i.e., treating every access attempt as if it were originating from an untrusted network is usually helpful. By not trusting anyone by default – this model offers superior security and granular control, ensuring that every access is fully authenticated, authorized, and encrypted before granting access.
As remote work emerges as a pivotal change in how we work, it is crucial to ensure that this shift is advantageous to organisations by empowering employees and allowing them the freedom to work from the comfort of their own homes. At the same time, our new hybrid work environment calls for a new approach to security since at the end of the day, transformation is seldom easy, and needs to be viewed more as a journey than a destination in a constantly evolving threat landscape.
Venkat Krishnapur
Venkat Krishnapur is vice president of engineering and managing director, McAfee India. The views in this article are his own.