Building a hybrid work environment without adding risk

When offices were emptied out and everyone asked to work from home when the pandemic first hit, few businesses thought it more than a temporary disruption. But now, nearly two years later and with the end of the pandemic in sight, it seems the world is not quite ready to go back to the office full-time. In fact, 76% of knowledge workers surveyed in a recent study by the Future Forum claimed that they wanted continued flexibility with regards to where they work, while 93% wanted to choose their working hours.

Unfortunately, there remains a significant misalignment between the desires of employers and those of employees. Many employers would prefer that their workforces return full time to the office. There are several reasons for this beyond the obvious (and misplaced) fear that people are less productive when working from home. Of the legitimate fears, validated by the surge of cyberattacks during the pandemic, are concerns around information security.

Working remotely might be convenient, and studies have consistently shown that the hybrid workplace leads to higher morale and productivity, as well as the reduced financial burden of maintaining large office spaces.

While the notion of the security perimeter has been breaking down ever since the rise of cloud computing, the sudden and unprecedented adoption of remote work accelerated its demise an order of magnitude faster. As such, traditional security measures, such as office networks protected by internal firewalls and physical access controls, are no longer valid. If employees can access work apps and data from anywhere, then so, potentially, can intruders.

The information security challenges of remote work were made very clear in the early days of the pandemic. For example, questions were raised in March 2020 when the UK government started using Zoom to hold cabinet video conferences. Security experts were quick to warn of a lack of security measures, such as meeting IDs being visible on-screen, analytics data being sent to Facebook, and a lack of end-to-end encryption. Such a lack of security can potentially result in intruders eavesdropping on sensitive communications – hardly an ideal scenario in sectors like government, law, or finance. Although Zoom, like Teams and other platforms have improved security, there is room for improvement, especially for sectors that routinely handle highly sensitive data.

This is why good cyber hygiene starts with the zero trust approach, whereby no attempt to access workplace apps or data is inherently trusted just because it purports to be from a legitimate device or user. Instead, every access attempt must be verified, typically via multi factor authentication (MFA), while all data is encrypted in transit. These measures, which are core components of our Microsoft Teams solution, mitigate third-party risks, such as social engineering scams and eavesdropping.

Chances are there are countless people and devices connected to your business network at this very moment. Simply trusting all of them based on the fact they are already connected is a big mistake, since it allows for the lateral movement of threat actors through your broader computing environment. This is why zero trust security must be applied, along with role-based access controls and the principle of least privilege, on an application level. After all, physically defined perimeters are no longer relevant when you have employees connecting from devices in the office, at home, or even from an unsecured wireless hotspot at the nearest park or café.