By Jonathan Nguyen-Duy, Vice President, Global Field CISO Team at Fortinet
In 2020, remote work became the norm as organizations worldwide were forced to rapidly shift their operational models. However, even once the COVID-19 pandemic subsides and some employees move back into the office, many others will continue working from home into the future. Indeed, “work” is increasingly viewed as something we do as opposed to a place we commute to and from. With this in mind, security and IT teams must adjust their strategies to manage this new hybrid workforce at scale effectively. Below we highlight the factors that play into the security of these environments, including the cloud, general security infrastructures, and employee cybersecurity awareness.
A hybrid workforce is comprised of remote workers, employees who work on-site, and those who go back and forth between working from home and working on-site. This type of workforce has seen a massive increase in popularity recently due to the COVID-19 pandemic. But while this shift was unplanned in many cases, both employees and employers have seen benefits stem from this setup. Employees like the flexibility it provides, and employers see ways to increase efficiency and reduce on-site costs.
Even after the pandemic subsides, we can expect hybrid workforces to continue in popularity. A recent Gallup poll indicates that 59% of workers would like to continue working remotely in the future. Because of this, it’s more critical than ever to understand the associated security implications and know how to manage them.
With a hybrid workforce comes the need for employees to access work-based programs and applications from both inside and outside the company’s traditional network perimeter. However, multi-cloud adoption has expanded our notions of an enterprise perimeter. Some companies are finding that a cloud-based architecture, particularly a hybrid cloud approach, requires a new strategy.
The pandemic created an accelerated timeline for getting a work-from-home infrastructure in place. This led many companies to risk security gaps in favor of getting things up and running. But as businesses look to create a secure and stable hybrid work model moving forward, properly tackling security issues in a cloud environment is paramount. This starts with understanding how things have changed since the advent of the cloud. In this new paradigm, the traditional hub and spoke model in which all traffic goes through a central data center no longer reigns supreme. Indeed the focus on outcomes and experiences means that for digital transformation to work, network, security, and application performance must be an integrated, end-to-end solution. Accordingly, many organizations are now adopting application-aware, secure software-defined wide-area networks (SD-WAN) for optimized WAN performance and secure access server edge (SASE) for cloud-based integration.
As businesses make more long-term transitions to hybrid workforce models, their IT budgets will see significant shifts. Funds that were once designated for a network upgrade are now being harnessed for cloud adoption, collaboration and endpoint security. A more distributed and disaggregated enterprise means greater emphasis on Zero Trust least privilege principles to secure network access. Companies will also have to find the new balance between networking, security and the compute needs, especially as it relates to shared responsibilities across the infrastructure, platform and software.
Because the threat landscape is much broader with a hybrid workforce, companies are realizing their security needs are more complex than they were before. Implementing Zero Trust requires solutions like network access control, endpoint protection and SASE, for example, but it cannot end there – this is where something like the Fortinet Security Fabric comes into play. The Security Fabric makes it easy to cover the broader attack surface and manage security in a broad, integrated and automated fashion. It enables security-driven networking, zero trust access, dynamic cloud security, and AI-driven security operations along with seamless integration with an ecosystem of integrated third-party products. Having the right tools working together is critical for keeping an enterprise protected as its workforce shifts and evolves. That allows a focus on operating technology to manage risks rather than laboring to integrate and automate multiple products from different vendors – hoping it all works under the pressure of an actual incident. This consolidation is most clearly manifested in the evolution form point defense products, to platforms, to security fabrics.
One of the most significant cybersecurity vulnerabilities in many businesses ends up being the employees themselves. If this was true when we all worked on-site, it is even more the case in a hybrid work environment. Any time an organization shifts an employee’s workspace and network usage, they may be less adept at identifying phishing attacks, social engineering or other security threats they may encounter. For example, employees new to working remotely will likely have far more interactions with the company’s IT department initially. Because they are inundated with things to download and procedures to complete, a well-worded phishing attempt might blend in and slip through the cracks.
The key to combating the human factor in hybrid workforce cybersecurity is education. The more you can train and teach your employees what to look out for, the better. This can come in the form of phishing simulations or other programs designed to help create a cyber aware hybrid workforce, such as the training courses offered by Fortinet.
In summary, while a hybrid workforce has many security implications, there are also many tools out there designed to keep ever-evolving IT infrastructures safe and secure. These tools include the following:
Hybrid workforces are here to stay, and with the new IT infrastructures required to facilitate this shift come new security implications. Businesses and organizations can address potential cybersecurity risks with an approach integrating networking and security, as well as tools designed to manage a more complex threat landscape and cybersecurity training for users.