To keep up with the demands of hybrid and remote work, many organizations have shifted their work models to support the needs of their business stakeholders while keeping their environment secure.
At this year’s Boston Cyber Security Summit, Dana Simberkoff, AvePoint’s Chief Risk, Privacy, and Information Security Officer, joined a panel of security experts in the industry to talk about how organizations can secure their hybrid and remote workforce.
Couldn’t join? Here are all the important points Dana and the panel members discussed in the session.
The Risks Imposed by Remote Work
Starting the discussion with the challenges of hybrid working, Dana shared one of the key challenges for security teams: the blending of home and office environments. Organizations' data is now accessed from a mix of company-issued and personal devices, and security teams can lose visibility of, and control over, the attack surface cybercriminals could use to launch an attack.
Without a risk management strategy, it's easy to lose your data. See how easily it can happen in this webinar: Watch Us Lose Microsoft 365 Data | AvePoint
The panel pointed out that this challenge creates a greater need to strategize and intensify security practices, especially around access policies. This means strengthening authentication, monitoring user behavior, using geolocation signals, and evaluating the context of each access request (who is asking, from which device, from where, and for what resource) before granting it.
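The contextual access checks the panel listed can be expressed as a small policy engine. The following is an added example written for this summary, not code from the panel, AvePoint or any product: it evaluates constructed sign-in events against assumed rules (a managed device for sensitive resources, step-up MFA for sign-ins from an unusual country, and an "impossible travel" check that compares each request with the user's last accepted sign-in). The resource names, thresholds, coordinates and users are all assumptions made for the illustration.

```python
"""Context-aware access decisions over constructed sign-in events.

Added example for this article; not code from the panel or AvePoint.
Policy thresholds, event fields and sample events are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

MAX_PLAUSIBLE_SPEED_KMH = 900.0                        # assumed "impossible travel" threshold
SENSITIVE_RESOURCES = {"finance-share", "hr-records"}   # assumed resource names


@dataclass
class SignIn:
    user: str
    when: datetime          # UTC timestamp of the request
    lat: float              # geolocation derived from the source IP (assumed)
    lon: float
    country: str
    managed_device: bool    # company-issued device under endpoint management
    mfa: bool               # request already carries a strong second factor
    resource: str


@dataclass
class Decision:
    action: str                         # "allow", "step-up" (require MFA) or "deny"
    reasons: list = field(default_factory=list)


def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance between two sign-in locations (haversine, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def evaluate(event: SignIn, previous: Optional[SignIn], home_countries: set) -> Decision:
    """Apply the context checks: behaviour (travel), device, geolocation, authentication."""
    reasons = []
    # Impossible travel: this request compared with the user's last accepted sign-in.
    if previous is not None:
        hours = (event.when - previous.when).total_seconds() / 3600.0
        km = distance_km(event, previous)
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
            return Decision("deny", reasons)
    # Sensitive data only from a device the organization controls.
    if event.resource in SENSITIVE_RESOURCES and not event.managed_device:
        reasons.append("sensitive resource from unmanaged device")
        return Decision("deny", reasons)
    # Risk signals that require a strong second factor rather than an outright block.
    if event.country not in home_countries:
        reasons.append(f"sign-in from unusual country {event.country}")
    if event.resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive resource")
    if reasons and not event.mfa:
        return Decision("step-up", reasons)
    return Decision("allow", reasons)


def evaluate_stream(events, home_countries):
    """Evaluate events in time order; the last non-denied sign-in per user becomes context.

    A "step-up" is treated as accepted on the assumption the user then completes MFA.
    """
    last, results = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        d = evaluate(ev, last.get(ev.user), home_countries.get(ev.user, set()))
        results.append((ev.user, ev.resource, d.action, d.reasons))
        if d.action != "deny":
            last[ev.user] = ev
    return results


def sample_events():
    """Constructed sample sign-ins (not real telemetry)."""
    def t(hh, mm):
        return datetime(2023, 6, 1, hh, mm, tzinfo=timezone.utc)
    return [
        SignIn("alice", t(9, 0), 51.51, -0.13, "GB", True, False, "mailbox"),        # London
        SignIn("alice", t(9, 30), 35.68, 139.69, "JP", True, True, "mailbox"),       # Tokyo, 30 min later
        SignIn("bob", t(10, 0), 52.52, 13.40, "DE", False, True, "finance-share"),   # personal laptop
        SignIn("bob", t(10, 5), 52.52, 13.40, "DE", True, False, "finance-share"),   # managed, no MFA yet
        SignIn("carol", t(11, 0), 40.71, -74.01, "US", True, False, "wiki"),         # travelling, no MFA
        SignIn("carol", t(12, 0), 40.71, -74.01, "US", True, True, "wiki"),          # same place, with MFA
    ]


def demo():
    home = {"alice": {"GB"}, "bob": {"DE"}, "carol": {"GB"}}   # assumed usual countries per user
    return evaluate_stream(sample_events(), home)


if __name__ == "__main__":
    for user, resource, action, reasons in demo():
        print(f"{user:6} {resource:14} {action:8} {'; '.join(reasons)}")
```

Run as a script it prints one decision per event: Alice's London sign-in is allowed, her Tokyo sign-in thirty minutes later is denied as impossible travel, Bob is denied from the unmanaged device and prompted for MFA from the managed one, and Carol is prompted for MFA from an unusual country until she presents a second factor. The point of the structure is that context is evaluated per request, so the same user and the same credential get different answers depending on device, location and what was seen before.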
The discussion then moved to practical tips on how other organizations can protect their hybrid work environments. These included:
1. Stop users from falling victim to phishing schemes and ransomware attacks by leveraging technology and educating people.
There will always be two things to consider when protecting your cloud environment: technology and people. As Dana mentioned, “You need to acknowledge that there will always be that one person who clicks.”
Various technology solutions are available to help organizations strengthen their security posture. The panel listed some of the most crucial defenses every organization should look into:
- Endpoint security
- Access control
- Password management
Aside from these three, Dana pointed out the need to back up data and systems, both as a defense and as part of the organization's disaster recovery strategy. For backups to serve as a ransomware defense, they must be stored so that an attacker who compromises the production environment cannot also encrypt or delete them. Of course, it's equally important that any solutions you purchase are trustworthy and secure.
Still, the panel experts noted that because attacks target and exploit people, it takes people to prevent these disruptions.
Recognizing the role social engineering plays in attacks helps security teams understand how attackers manipulate both people and technology to succeed.
Therefore, technology must be coupled with awareness training. Organizations should help users understand that technology has its limitations and that every employee has a role in strengthening the security posture.
2. Build good cyber hygiene against insider risks.
The top concern of users is getting their job done. They will do whatever reduces friction in their work, including bypassing security policies.
The security team’s job is to make it easier for people to do the right thing. This way, you’ll be able to help your company streamline its processes by enabling productivity securely.
To do this, you may need to sit down with your users, understand their pain points, and remedy the gaps you see. It’s crucial to keep people honest by not creating opportunities for them not to be.
Dana believes that to make this happen, you need to create a culture where security and privacy are everybody's job. To achieve this, be mindful of implementing technology that does not add to the fatigue people already experience in their jobs.
3. Determine your most important data and organize your infrastructure accordingly.
To have a solid risk management strategy, you should have a clear understanding of your data tiers. Keep a well-maintained inventory of your data, both to combat sprawl and to sort out which tiers are more important to protect than others.
You can do that by:
- Understanding your organization and your mission. By knowing yourself and who your enemy is, you can better understand your threat posture and which types of attacks you’re most susceptible to. Knowing your mission lets you know what data to prioritize securing.
- For Dana, it’s crucial to practice, practice, practice. Do tabletop exercises to ensure your technology works the way you want it to, and so your people know the right processes to follow for certain types of scenarios. Have your cyber incident response team ready, prepared, and resilient.
- Learn how to manage people—including your vendors—and how people act in risk scenarios.
Finally, the panel experts ended the discussion with these last pieces of advice:
- Look at the situation from an access perspective. Implement strong authentication to keep bad actors out and remove entry points attackers could use. Keep your security policies easy for your users to follow by removing the friction that hinders them from doing their jobs smoothly.
- Always take the human aspect into account. Give your users “the why” by using an emotional connection to make them understand your processes on a much more personal level. You can even incentivize them to take the right action. Create a security-minded culture by understanding pain points and building relationships with your users.
- Even though you’re seeking perfection in your security posture, the reality is that you can’t stop all the threats. Your role as a security team is to try to find out which losses are reasonable for your organization and strategize around that.
- Stop saying “no” and be comfortable with saying “yes” with caveats. Your users will do things even when you say no, so try to compromise.
Dana ended by reminding viewers, “Protect what you treasure and improve what you measure. There is no perfect security, but metrics will be key. Don’t only look out for big explosions of ransomware attacks but pay attention to small things as well to separate signal from the noise.”
At the end of the day, a solid security strategy, supported by a good Ransomware Readiness Checklist, will help your organization be better prepared for worst-case remote work scenarios.