How To Do It Right
A Security-First Culture for Your Hybrid Workers
When workers are remote they pose a greater risk to your organization's data, because home networks are less secure and employees follow security protocols less closely, per Ponemon Institute's Data Exposure Report.1
In a hybrid work environment, where employees work from wherever, it's critical to prioritize security. Communicating security's importance to your employees, and getting them to adopt good practices, is crucial. It was simpler when everyone sat in the office on one network behind one perimeter; now that perimeter stretches across the internet to home networks and personal devices. With hybrid privilege comes hybrid responsibility.
It’s a common adage that employees are the weak link in corporate cybersecurity. But I believe they are also the best defense, if they are given policies that are easy to follow and not too numerous and complex. Employee security training and best practices need to be user friendly and simple to be effective.
–Maarten Van Horenbeeck, Harvard Business Review2
Tools of the Hybrid Trade
In a hybrid work model, you will have employees spread over multiple locations, working together online. Some may use less secure home internet connections to do their work. Others may use personal devices.
Ensure your systems match the demands of a hybrid environment by choosing:
- A Software-as-a-Service application environment. Microsoft 365, as an example, gives you the benefit of the provider's security teams, who monitor its infrastructure for threats around the clock; configuring your tenant, your users' access and your data remains your responsibility
- A Virtual Private Network (VPN), so that traffic between remote devices and your resources is encrypted and authenticated rather than exposed on a home or public network
- Identity and access management tools, which give you control over creating, managing and deleting user accounts, assigning and revoking permissions to resources, requiring multi-factor authentication, and creating and enforcing policies that govern access to resources
- Patch management, so that vulnerabilities that come to light in operating systems and applications are fixed promptly, including on devices that rarely return to the office
- Backup and data recovery solutions, with restores tested periodically so you know they work before you need them
These measures will help keep your data out of reach of unauthorized devices and networks, and help you recover if an attack on your data succeeds.
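As an added illustration of the identity and access management controls in the list above (example code written for this article, not Bryley's product or Microsoft's API), the following Python models a small account directory with a deny-by-default authorization check: accounts are created and disabled, roles are granted and revoked, a temporary grant expires on its own, and a sensitive resource demands a second factor. The user names, resource names and clock values are constructed sample data.

```python
"""Deny-by-default access policy evaluator (added example; constructed sample data)."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    mfa_enrolled: bool = False


@dataclass
class Resource:
    name: str
    grants: dict                 # role -> set of actions that role may perform
    require_mfa: bool = False    # sensitive resources demand a second factor


class Directory:
    """Holds accounts, role grants and time-boxed exceptions."""

    def __init__(self):
        self.users = {}
        self.temp_grants = {}    # (user, resource, action) -> expiry (UTC datetime)

    # -- account lifecycle -------------------------------------------------
    def create_user(self, name, roles=(), mfa_enrolled=False):
        self.users[name] = User(name, set(roles), True, mfa_enrolled)
        return self.users[name]

    def disable_user(self, name):
        # Offboarding: keep the record for audit, but nothing it holds works any more.
        self.users[name].enabled = False
        self.temp_grants = {k: v for k, v in self.temp_grants.items() if k[0] != name}

    # -- permission management ---------------------------------------------
    def grant_role(self, name, role):
        self.users[name].roles.add(role)

    def revoke_role(self, name, role):
        self.users[name].roles.discard(role)

    def grant_temporary(self, name, resource, action, hours, now):
        # A time-boxed exception instead of a permanent role change.
        self.temp_grants[(name, resource, action)] = now + timedelta(hours=hours)

    # -- policy enforcement ------------------------------------------------
    def authorize(self, name, resource, action, mfa_satisfied=False, now=None):
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        now = now or datetime.now(timezone.utc)
        user = self.users.get(name)
        if user is None:
            return False, "unknown account"
        if not user.enabled:
            return False, "account disabled"
        if resource.require_mfa and not (user.mfa_enrolled and mfa_satisfied):
            return False, "multi-factor authentication required"
        for role in user.roles:
            if action in resource.grants.get(role, set()):
                return True, f"role '{role}' grants '{action}'"
        expiry = self.temp_grants.get((name, resource.name, action))
        if expiry is not None:
            if now < expiry:
                return True, "temporary grant"
            del self.temp_grants[(name, resource.name, action)]   # prune on expiry
            return False, "temporary grant expired"
        return False, "no grant"


def demo():
    """Walk the lifecycle on constructed sample data; returns each decision by label."""
    d = Directory()
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # fixed clock for repeatability
    payroll = Resource("payroll", {"finance": {"read", "write"}, "auditor": {"read"}}, require_mfa=True)
    wiki = Resource("wiki", {"staff": {"read"}, "editor": {"read", "write"}})
    d.create_user("alice", roles={"finance", "staff"}, mfa_enrolled=True)
    d.create_user("bob", roles={"staff"}, mfa_enrolled=True)

    results = {}
    results["alice_payroll_mfa"] = d.authorize("alice", payroll, "write", mfa_satisfied=True, now=now)[0]
    results["alice_payroll_no_mfa"] = d.authorize("alice", payroll, "write", mfa_satisfied=False, now=now)[0]
    results["bob_payroll"] = d.authorize("bob", payroll, "read", mfa_satisfied=True, now=now)[0]
    d.grant_temporary("bob", "payroll", "read", hours=2, now=now)
    results["bob_payroll_temp"] = d.authorize("bob", payroll, "read", mfa_satisfied=True, now=now)[0]
    later = now + timedelta(hours=3)
    results["bob_payroll_temp_expired"] = d.authorize("bob", payroll, "read", mfa_satisfied=True, now=later)[0]
    results["bob_wiki_write"] = d.authorize("bob", wiki, "write", now=now)[0]
    d.disable_user("alice")
    results["alice_after_offboarding"] = d.authorize("alice", payroll, "read", mfa_satisfied=True, now=now)[0]
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

The design choice worth noting is the order of checks: a disabled account is rejected before any grant is consulted, so an offboarded employee keeps no access through a lingering role or exception, and the sensitive resource refuses even a correctly-roled user who has not completed a second factor.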
Talkin’ ‘Bout Policies ‘n’ Procedures
Nearly nine in ten employees who said they understood why their company’s hybrid work policy was in place also said it was effective. In contrast, just one in four workers who didn’t understand the “why” behind their company’s policy said it was effective. To increase buy-in, hybrid policies should be shared broadly and announced within the company … you owe your employees that clarity.3
Have documented policies and procedures and teach them to your workers. This will help everyone in the company know what’s expected. The policies should be clear and easy to understand.
Your staff may not know what steps are involved in resolving a security incident, for example, or even the reasoning behind your security process. If they don't understand, there will be no buy-in. For instance, if you don't document and explain your organization's Acceptable Use Policy for its VPN, your employees may use it for non-work purposes, which can expose your company to needless risk.
Keep the documented policies and procedures in an accessible, central location. And review them periodically for changes. This documentation will help employees know how to work securely no matter their location.
Provide Security Awareness Training
Employees who are consistently exposed to Security Awareness Training (SAT) are more likely to follow cybersecurity best practices, which in turn helps keep your data and systems secure.
SAT will help employees understand the latest threats and how to protect themselves from them. Consider ongoing, interactive and engaging training that helps employees learn how to defend against email compromise, phishing, ransomware, brute-force password attacks and social engineering. After training, reinforce what they learned by conducting routine tests and simulations.
Communicate Clearly and Provide Support Channels
When communication and support channels are defined and accessible, your team can handle threats more effectively. Every staff member will know how to raise an alarm, whom to contact and what to do after reporting it. Most importantly, good lines of communication help you detect threats early, which lets you minimize their impact.
Additionally, you should clearly define which tools can be used for communication and collaboration. For instance, employees should be taught not to use personal apps (like Facebook) for organization-related correspondence and file transfer. Not only do these put company data in danger, they may also hurt your organization's compliance and insurability.
The channels to communicate, collaborate and report a security incident should be easy for your staff to find and use.
Minimize Friction
Do what you can to make sure security measures don’t hamper employees’ productivity. Bryley’s MFA product, for instance, has a single sign-on feature – once you’re authenticated, it doesn’t make you jump through more hoops.
Bryley Partner HP’s CIO Joanna Burkey offered this about resistance from home workers: “if we can unite around why we’re doing what we’re doing, and we can have an open dialogue, iteratively and constantly with the user, then we can make it work. We must explain why we are doing something. When we engage rather than just deliver mandates that must be obeyed, we can get really good cooperation.”4
So pay attention if there is resistance to a process or software you've instituted, and communicate the why behind it. When employees are remote it's especially important that they follow organizational policies and procedures. You don't want employees deciding to shut off your organization's virus-scanning tool thinking they can be more productive: a single infection erases any perceived efficiency gain.
Securing Hybrid
Building a security-first culture in a hybrid environment takes time and effort, but it is worth it to help protect your company’s data and systems from unauthorized access. Though hybrid work has made security more challenging, Bryley can help you navigate the implementation and management of IT/cybersecurity and data security controls. Bryley has counseled on data protection since 1987. Please call 978.562.6077 or email ITExperts@Bryley.com or complete the form, below.
1 https://www.code42.com/resources/reports/2021-data-exposure
2 https://hbr.org/2017/11/the-key-to-better-cybersecurity-keep-employee-rules-simple
3 https://www.forbes.com/sites/quora/2023/08/04/this-is-what-companies-are-getting-wrong-about-hybrid-work/?sh=281fac241138
4 https://www.securityweek.com/cisos-faced-friction-resistance-remote-workers-over-security-controls/
President, Bryley Systems. Since 1987 Mr Livingstone has steered Bryley to continuous growth with over 250 clients throughout New England and the US. He has extensive knowledge of technology and business operations.