The ‘Hybrid Workplace’ is Rife with Security Problems

After a year-plus of upheaval and disrupted routines, a return to normalcy from the COVID-19 pandemic is closer than ever. Among the countless changes induced by the virus was the shift to working from home – a change that some companies are making permanent. Other businesses are envisioning a mix of old and new in so-called hybrid workplaces, where some employees will work from a company office as others work from home or other remote locations.

While workers may embrace the new normal of a hybrid workplace, certain employees may be less enthused than others. Chief among them: security teams. A hybrid model requires all-encompassing security solutions, on multiple fronts, to protect against cyberattacks. Below, we detail security problems posed by the hybrid model and possible solutions for addressing them.

Cyberattacks on the Rise

Modern cybersecurity concerns are well-documented, and no one – governments, private businesses, or individuals – is immune from the threat. Experts have called the state of readiness “dismal”, characterized by a severe lack of confidence from both employees and senior IT leaders. Successful cyberattacks are also costly. The average cost of a data breach in 2020 was $3.86 million, and Cybercrime Magazine estimates that cybercrime costs will “grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.”

The sudden shifts necessitated by the coronavirus meant ample opportunities for hackers. FBI officials acknowledged a 400% increase in complaints from pre-pandemic levels as businesses scrambled to get up and running using a new work model. Employees are also less vigilant about security issues at home: as a Security Magazine article from April notes, “household internet service, laptops and even IoT devices around the home are targets for criminals. Smart devices can be used to gain entry to the home network and once compromised, exploit corporate activity.”

Security professionals may have their work cut out for them, but there are solutions. Some are straightforward on paper: Jadee Hanson, the chief information security officer at Code42 Software, a cybersecurity firm, told the Wall Street Journal that idle devices would need to be updated with the latest patches, along with devices used to work from home that may be “vulnerable when they reconnect to the corporate network.”

Separating personal and work devices and their respective use cases – and potentially using a ‘quarantine network’ to keep devices away “from corporate systems until security staff can ensure the devices are free of malware and appropriately patched”, as proposed by VMware principal cybersecurity strategist Rick McElroy – may offer a temporary, safe fix as security officials and IT staff get up to speed.

But most important may be a technique that runs counter to traditional cybersecurity strategies: Zero Trust security architecture. Cybersecurity has historically focused on keeping people out of networks – a defense plan that means hackers, once they have breached a network, can have a field day. Zero Trust systems still work to keep people out, but also limit what they can do once they are in.

A fundamental difference is that Zero Trust “assumes there is no implicit trust granted to assets or user accounts based solely on physical or network location.” The system uses security checks that “constantly exchange information in the background to verify whether users can access certain systems or files, rather than assuming that because they passed through the gateway, they should be allowed free movement.”

As more and more companies have embraced cloud offerings, Zero Trust has become increasingly appealing. Combined with multifactor authentication measures, it creates additional layers of protection that are vital to protecting a hybrid workforce.
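
A minimal sketch of the per-request check described above, combining device patch status, the quarantine idea and multifactor authentication. This is an added example, not code from the article or from any vendor it quotes; the field names, resource names and role table are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    mfa_passed: bool
    device_patched: bool        # posture reported by an endpoint agent
    device_scanned_clean: bool
    source_network: str         # "office", "home": logged, never trusted
    resource: str

# Hypothetical entitlement table: which roles may reach which resource.
RESOURCE_ROLES = {
    "payroll-db": {"finance"},
    "source-repo": {"engineering"},
    "wiki": {"finance", "engineering", "sales"},
}

def decide(req):
    """Return (decision, reason). Run on every request, not once at login."""
    # Posture comes first: an unpatched or unscanned device is quarantined
    # wherever it connects from; source_network is deliberately not consulted.
    if not (req.device_patched and req.device_scanned_clean):
        return "quarantine", "device posture unverified"
    if not req.mfa_passed:
        return "deny", "multifactor authentication required"
    allowed = RESOURCE_ROLES.get(req.resource)
    if allowed is None:
        return "deny", "unknown resource"  # default deny
    if not (req.roles & allowed):
        return "deny", "role not entitled to resource"
    return "allow", "identity, device and entitlement verified"

def evaluate_all(requests):
    """Decision string for each request, in order."""
    return [decide(r)[0] for r in requests]

# Constructed sample requests (not real users or systems).
SAMPLE = [
    AccessRequest("alice", frozenset({"finance"}), True, True, True, "home", "payroll-db"),
    AccessRequest("bob", frozenset({"engineering"}), True, False, True, "office", "source-repo"),
    AccessRequest("carol", frozenset({"sales"}), True, True, True, "office", "payroll-db"),
    AccessRequest("dave", frozenset({"engineering"}), False, True, True, "home", "wiki"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.user, r.source_network, r.resource, *decide(r))
```

In the sample, the remote user with a healthy device is allowed, while the unpatched laptop sitting on the office network is quarantined and the in-office user without entitlement is denied.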

A New World of Work

As the nature of work and the office shifts, companies are being forced to reevaluate how they protect sensitive information. Cybersecurity is more crucial and complex than ever, with organizations devoting more time and resources towards defending themselves from outside threats. No solution is perfect, but a passive or outdated approach is more apt to be exploited than ever before, and the cost of that exploitation far outweighs the investments needed for robust modern security measures.

This article is authored by

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.