Cyber security has always been a pain point for businesses. But as hybrid and fully remote working models are now the norm, and your people are physically removed from the security infrastructure of the office, how do you make sure that your assets are as secure as possible?
Navigating the risks of remote working
When planning the security of your businesses’ data, assets and reputation it’s important to be aware of what cyber security threats you’re dealing with when it comes to remote working. Your employees working from home can present a number of new cyber security risks that wouldn’t be present in the physical workplace. Have the right people in your organisation taken the time to assess these new risks and implement or modify the controls necessary to manage them?
Accessing company data through unsecure networks
While your businesses’ physical network may be secure, when staff connect to their company account through home or public Wi-Fi, the safety of these networks can’t be guaranteed. This means sending data over these networks, such as sharing files, or even sending documents to a wireless printer, presents a higher risk of data being breached.
The challenges of BYOD culture
Employees may connect to their company accounts through personal devices in what’s known as ‘bring your own device (BYOD)’ culture. E.g., they may need to check emails or update documents on the go through their phone. But doing so can leave sensitive company data exposed. Especially if they use a shared device such as a home computer to do so. Personal devices will not have the same security features and software built in as company-owned devices.
Using company devices at home
Conversely, employees may also use their company devices for personal matters. This could cause privacy risks if they access sensitive personal data. And depending which sites they visit, this could also expose data stored on the device.
Many of us are guilty of it but leaving your desk without locking your device screen is a risky practice. Not only in terms of privacy but in the unlikely, but not impossible, event that someone unauthorised has accessed your businesses premises they could potentially leverage access to that device. The risk increases when working from home or in a public space. Although users may be lulled into a false sense of security being in their own home, by leaving unattended devices unlocked, they can still risk someone being able to access its files and data.
Phishing attacks and email scams
Phishing scams are likely to happen regardless of where your employees are based. But cyber criminals are taking advantage of the global move to remote working and have used the pandemic to develop new tactics. As businesses move away from in-person meetings, and the majority of our work-based communication takes place online, there is more opportunity than ever for employees to fall victim to sophisticated phishing attacks via email scams, e.g., emails that may look like they are from our employers giving work from home directives.
Passwords are the weakest link in cyber security, whether workers are office based or remote. Common attacks include keylogging, where spyware logs users’ keyboard stokes, and password spraying, which is when hackers attempt to use a large number of common passwords across a small number of accounts.
Users also often repeat their passwords across multiple accounts, both professional and personal, meaning if one account is breached, all are likely to be compromised. Employees could also inadvertently disclose their password to someone else.
What should your cyber security strategy look like?
A strong cyber security strategy involves businesses understanding and consistently reviewing their security objectives, implementing controls to ensure devices and sensitive data are protected, and operating in accordance with their own polices as well as any external compliance or regulatory requirements. Your businesses’ devices, networks and practices should ideally be secure-by-design to offer the best possible protection from the ever-evolving tactics of cyber criminals.
Security Policies and Standards
All businesses should have robust policies and standards in place when it comes to cyber security. These policies and standards are particularly important when your employees have no physical workplace and are accountable for their own data and devices. The clearer and more defined they are, the easier they can be understood and applied, no matter where your people work.
Businesses should dedicate time to creating policies and standards to ensure they are well defined. You can also use resources such as the National Cyber Security Centre (NCSC) to help shape them.
Moving from a traditional security model to a distributed security model
Traditionally, your company’s cyber security model may have been based on perimeter security technologies. I.e., defence systems around your network such as firewalls designed to stop attacks from the outside, or physical security measures in your building, or a corporate network that co-located users were able to access company information and services on easily and securely.
Today, most companies are dependent on the internet to operate, but this presents risk. If each component of your business relies on the internet, then each component should have its own individual perimeter.
Cloud services will most certainly include cyber security solutions. But businesses still have their own responsibilities when it comes to protecting themselves. It’s essential that they know exactly what these are and what their providers are delivering as part of their agreement.
Zero trust is a security concept which has gained a lot of recognition in recent years. Zero trust centres on the automatic distrust of anything outside of a business’s perimeters and employs granular security controls by verifying all connection requests to company systems.
Businesses automatically tend to place trust in components such as their internal network, their domain, and their end users. The zero trust concept posits that these components aren’t inherently safe and that businesses need to implement extra layers of security. It also recognises the importance of technology modernisation, which can allow administrators greater control in securing company accounts.
Endpoint security, protecting end-user devices such as laptops and phones, is essential in any cyber security strategy that involves hybrid working. It is especially important for businesses operating a BYOD model.
When businesses can’t rely on the security of home or public Wi-Fi networks, endpoint security can add an extra level of defence. Data is encrypted at the endpoint to protect businesses from data leaks. Administrators can also restrict users from running unauthorised applications.
Endpoint security is also crucial for antivirus and malware protection on end-user devices. Endpoint antivirus protection differs from traditional antivirus software in that it looks at a businesses’ network as a whole, whereas traditional antivirus software only targets the endpoint device.
Secure hybrid working with the help of the cloud
While going remote through cloud-based systems does present new cyber security threats, there also many advantages that come with cloud migration.
- Data security protocols: Most cloud computing systems will automatically have cyber security protocols in place to protect users from risks. This means businesses won’t have to implement security measures for each individual employee.
- 24/7 support: Most cloud service providers will offer a 24/7 help desk to customers through a security operations centre (SOC), meaning they always have access to support when they need it.
- Flexible security options: Cloud solutions can be scaled up or down to suit the needs of your business, meaning you can easily adjust your security measures.
- Resilience: organisations will be able to rely on cloud Business Continuity and Disaster Recovery processes, reducing the uncertainty and effort required for services managed on premise.
- Regulation: Top cloud computing services will be well-regulated to comply with security laws (for example, GDPR), as well as standards set by external bodies such as ISO.
Microsoft technologies to boost cyber security
Microsoft offers a host of technologies to aid in businesses’ cyber security efforts – a number of which are already available to companies with a Microsoft 365 license.
Intune is a cloud-based mobile device management and mobile application management) service for devices and apps. Intune lets admins control how their company’s devices, such as laptops, mobile phones, and tablets, are used by allowing them to configure policies for applications.
Intune is particularly useful in organisations operating a BYOD model as it ensures employees’ personal devices don’t endanger your company’s sensitive data, and also protects the user’s personal data.
Azure Active Directory
Microsoft Azure Active Directory (AD) is a cloud-based identity and access management solution. Azure AD helps employees to access their company accounts from anywhere using the cloud.
Admins can use Azure AD to grant employees with conditional access policies for apps and services. Azure AD also syncs with Windows Active Directory, its on-premise predecessor.
Microsoft Endpoint Manager
Microsoft Endpoint Manager combines endpoint security and device management in a unified platform. It connects services such as Intune, Configuration Manager and Desktop Analytics. Businesses using Microsoft 365 already have access to Endpoint Manager, so there’s no need for a separate license.
Microsoft Endpoint Configuration Manager
Microsoft’s Configuration Manager is an on-premises service for managing servers, computers, and laptops that use your company network. Configuration Manager can also be used to deploy apps, OS, and software updates.
Businesses should consider adopting multi-factor authentication (MFA) into their security strategy – where a password alone is not enough to log into accounts. Microsoft Authenticator is an MFA app that helps users safely sign into Microsoft 365 services. Authenticator can be used by generating a one-time code, or by allowing users to sign in with a PIN, fingerprint, or face recognition. This is instead of requesting passwords when signing in on a mobile device.
Want to learn more about securing your business online?
Cyber security threats are ever-increasing in the world of hybrid working. Join our Head of Cyber, Madeleine Overton-Thicket, and Head of Penetration, Sasha Raljic, for a phishing simulation. Register here to claim a spot at our on-demand Digital Revolution 2.0 event.