In May 2020, the Centers for Disease Control and Prevention (CDC) issued its Interim Guidance for Businesses and Employers Responding to Coronavirus Disease 2019 (COVID-19), encouraging organizations to implement “policies and practices for social distancing” as a component of their transmission mitigation strategy. The CDC’s suggested best practices for converting workspaces to hybrid work environments included:
- Implement flexible worksites (e.g., teleworking)
- Utilize flexible work hours
- Increase physical space between employees
- Employ flexible meeting and travel options
Many organizations are now facing the new concept of hybrid work environments extending well into 2021, as we move forward in the midst of the COVID-19 pandemic. Some businesses already offered this option – allowing employees a combination of in-office and work-from-home arrangements. For many organizations, however, the practice is entirely new.
One thing no manager wants to think about is the possibility of having to modify employees’ work environments yet again due to another round of required lockdowns or closures. However, these adjustments are not unique to the COVID-19 pandemic. If company facilities or employee residences are located in regions where natural disasters (such as hurricanes, tornadoes, floods, blizzards, etc.) may occur, businesses should always be prepared to make rapid changes to employee work settings. As preparation and support for hybrid work environments is rolled out, companies are wise to have a plan in place for a smooth transition to a 100% remote work environment if needed.
One of the main challenges of supporting a hybrid work environment is that it increases cybersecurity and privacy risks for businesses. Read further as we discuss some security issues that must be faced in this “new normal,” along with some suggested ways to mitigate the risks.
Losing devices in the shuffle
Moving equipment between different locations increases the possibility of loss or theft of devices. If possible, provide employees with one set of equipment for use in the office and a separate set for use at home to reduce the risk of loss or damage.
For some organizations, it is not financially feasible to provide two sets of equipment for employees. If employees will be moving their equipment between workspaces, follow these security guidelines:
- Be sure that all company-owned equipment is properly labeled.
- Restrict what equipment may be moved to home offices.
- Enable “find my device” functionality when possible on equipment that will be transported.
- Set up remote wiping of hard drives for all company-issued smartphones, tablets and laptops.
Improper data storage
Although storing data on a work laptop, smartphone or tablet when working remotely may make working in a hybrid work environment easier and more streamlined, it also makes data theft and loss more likely. Data protection is vital in the fight against malicious attacks. Whenever possible, avoid the downloading and storing of company data, especially confidential information, on employee devices.
If an employee must store company data on a device, implement these safety measures:
- Enable multi-factor authentication (MFA) and end-to-end encryption.
- Employees should avoid automatic logins via a web browser and instead use a password manager.
- All passwords used on the device must be strong passwords/passphrases.
- Employees should never use public Wi-Fi on the device.
- Employees should not access non-work related sites or applications (especially social media) on the device.
The vulnerability of home networks
Unless a company runs a dedicated line to employees’ homes or provides configured hot spots, company data will share the same network as the employee’s personal traffic from email, social media and streaming services. Providing a Virtual Private Network (VPN) and requiring employees to use it during working hours is best practice.
Increased opportunities for attackers
Security and privacy incidents/breaches/compromises are a more prominent risk in a hybrid work environment. Home networks usually do not have the same level of “hardening” that in-office networks do.
Attackers can exploit vulnerabilities of in-home network devices (routers, gateways, etc.) to launch an attack. Be sure to consider:
- Employees’ home network names (e.g., “The Taylor Family”) can make them easier to identify.
- These devices may still have factory-default configurations, such as the original passwords, encryption turned off and multi-factor authentication not enabled.
- These devices may not be on a regular patching schedule.
- Smart speakers/devices can also be used to capture information or as a pathway to an attack, as these devices are in a constant “listening” mode and can be hacked.
- Apps and services on personal devices may have vulnerabilities that can be exploited to access work data stored on the device in files, logs, etc. (e.g., “bloatware” on laptops and tablets that is not used but never removed may have unpatched vulnerabilities).
- Incidents that can occur in an in-office environment can also happen when telecommuting, including malware attacks, inappropriate access to sensitive information, data loss, dangerous websites being accessed and accidental sharing of company data.
- Attacks may be launched from personal accounts to infect home networks and access work data.
- Even if employees practice good cyber hygiene during work hours, their and their family members’ activities outside of work time may put your organization’s data at risk. For example, a malware attack launched through a child’s remote learning platform or through the employee’s personal email may infect the work computer with a malicious bot and link it to a botnet.
- Attacks can begin in a home network and spread back into a company’s network. For example, a bot that has infiltrated a home network can spread itself to a company network through various channels and be used to launch a DDoS attack.
Updating agreements, policies and protocols appropriately
All service-level agreements (SLAs) and data processing agreements (DPAs) need to be reviewed and updated to reflect any changes to services or data protection that are put in place in support of hybrid work environments.
Businesses also need to review and update their information security policies to reflect a hybrid work environment. Specific attention should be paid to policies in which changes occur due to adding a work-from-home component, such as acceptable use, physical security, business continuity and disaster recovery, and remote access.
Reporting possible incidents or concerning behaviors in an office is often as simple as completing a form and forwarding it to the proper authorities, or popping your head into someone’s office. Those same options may not be available when employees are working from home. Incident reporting protocols must be updated to reflect the hybrid work environment. The protocols should be simple and straightforward, and offer multiple channels for reporting possible incidents. This is critical, as employees may need to report people in their reporting chain, such as a supervisor. Be sure to circulate the updated plan to employees.
Preventative employee education
Security and compliance are more difficult in a distributed working environment, as we have seen. As documentation, systems, permissions and hardware are updated to meet these challenges, do not forget to refresh the organization’s security awareness training and compliance programs. The best means of ensuring that your staff is ready to face the challenges that come with a hybrid work environment is to build and maintain a training program that produces positive changes in employee behavior. For employees, emphasis must be placed on:
- The importance of being vigilant in home workspaces and recognizing threats that may not look the same as they did in the office
- Adopting a “see something, say something” attitude. If an activity or action does not look or feel right, they should ASK.
Offering a work-at-home option for employees introduces additional points of security risk for your human firewall, especially in relation to phishing and ransomware. Check out our Avoiding Phishing During COVID-19 Work at Home blog post for issues that can lead to points of cybersecurity weakness in your organization’s work-from-home culture, as well as suggested mitigation strategies.