Co-authored by Vicky Withey, Head of Compliance, Andy Collins, Head of Security, and Martin Rothe, Security Operations Centre Team Leader.
This blog post summarises our webinar on Security & Compliance Fundamentals of Hybrid Working, which you can watch here.
While many organisations and their employees are shouting about the benefits of hybrid and remote working, there are risks too. These distributed models of working naturally bring some security and compliance challenges to businesses.
The big problem is that most organisations have historically focused on their network perimeter as their main security boundary. As soon as everyone’s outside of that physical perimeter, IT teams have lost visibility of what employees and their devices are doing.
With this in mind, here are our top tips on how you can improve your security posture in a world of hybrid and remote working:
Review your business continuity plan
If you, like many organisations, switched to remote working in an emergency state back in 2020, you probably implemented some quick fixes. So, now’s the time to review your business continuity plan and audit everything from your assets to controls for accessing systems.
You’ll need to review your password policy and the checks that ensure it is being complied with. Understanding what network controls and security monitoring you have in place is key to reducing the risk of your business being exposed to a phishing or cyber attack.
How are you managing workers moving around sites and working from home? Perhaps in a rush to implement remote working, you didn’t consider the right tools or how you would manage the security of endpoint devices. It’s never too late to remediate once you have completed an internal audit and risk assessment as many organisations will work with a hybrid model assessment.
Shift focus to monitoring endpoints, SaaS and cloud platforms
While your network perimeter remains important, you now need to place greater emphasis on endpoint, SaaS and cloud security.
Review your incident response plan, and think about the events and alerts you could put in place to understand user behavior and identify threats.
First, you’ll need to think about where your critical and sensitive information is. For many companies, data has been moving out of the office to Software as a Service (SaaS) platforms like SharePoint, Office 365, Salesforce and HubSpot.
Look at what the options are in terms of taking logs from those platforms. It may be as simple as knowing when an employee has logged in and getting some logs of the data they’re using, so you can identify any anomalies. If somebody suddenly starts going through thousands of customer records in a day, it could be an indication they’re doing something other than their normal job!
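As an added illustration (not from the webinar or any vendor's tooling), the sketch below flags a user whose daily record-access volume jumps far above their own recent baseline, using constructed audit-log rows. The field layout, the threshold values and the function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample rows: (day, user, records_viewed), as they might be
# summarised from a SaaS audit-log export. Layout is an assumption.
SAMPLE_EVENTS = [
    ("2024-03-04", "alice", 40), ("2024-03-05", "alice", 55),
    ("2024-03-06", "alice", 38), ("2024-03-07", "alice", 61),
    ("2024-03-08", "alice", 47),
    # Several sessions on the same day are summed before comparison.
    ("2024-03-11", "alice", 800), ("2024-03-11", "alice", 900),
    ("2024-03-11", "alice", 1500),
    # bob is a heavy but steady user: high volume alone is not an alert.
    ("2024-03-04", "bob", 600), ("2024-03-05", "bob", 650),
    ("2024-03-06", "bob", 620), ("2024-03-07", "bob", 700),
    ("2024-03-08", "bob", 900),
    # carol has no history, so only the absolute floor applies.
    ("2024-03-11", "carol", 2500),
]


def daily_totals(events):
    """Sum records viewed per (user, day)."""
    totals = defaultdict(int)
    for day, user, count in events:
        totals[(user, date.fromisoformat(day))] += count
    return totals


def flag_anomalies(events, multiplier=10, floor=1000, min_history=3):
    """Return (user, day, count, baseline) tuples for days where a user's
    total exceeds max(floor, multiplier * median of their earlier days).
    With fewer than min_history earlier days, only the floor is used."""
    per_user = defaultdict(list)
    for (user, day), count in daily_totals(events).items():
        per_user[user].append((day, count))
    alerts = []
    for user, days in per_user.items():
        days.sort()
        for i, (day, count) in enumerate(days):
            history = [c for _, c in days[:i]]
            baseline = median(history) if len(history) >= min_history else None
            threshold = floor if baseline is None else max(floor, multiplier * baseline)
            if count > threshold:
                alerts.append((user, day, count, baseline))
    return sorted(alerts, key=lambda a: (a[1], a[0]))


if __name__ == "__main__":
    for user, day, count, baseline in flag_anomalies(SAMPLE_EVENTS):
        print(f"{day} {user}: {count} records viewed (baseline {baseline})")
```

Comparing each user against their own history keeps steady high-volume roles quiet while still surfacing a sudden spike or a brand-new account pulling thousands of records.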
It’s worth making sure that only corporate devices can access resources. If your organisation supports Bring Your Own Device (BYOD), make sure you have some visibility over these devices which are connecting into your network, whether that’s through conditional access policies or VPN clients. This brings us on to our next point…
Strike a balance between monitoring users and respecting privacy
If your company supports Bring Your Own Device (BYOD), get visibility into users’ devices, but in a way that doesn’t infringe on user privacy.
So, whether you’re bringing in new tools or using Virtual Desktop Infrastructure (VDI), know where your data is. Ensure you can remotely wipe data or at least check what’s there, while at the same time not gaining access to users’ personal data.
One simple thing we advise users to do is to create separate profiles on their endpoint devices to separate work and personal data. It’s a really easy way to keep the balance.
Formalise BYOD practices in a corporate policy
Whatever decisions you make to manage security around users’ personal devices, write them up into a corporate BYOD policy. This way, users understand what is expected of them and what security software may be deployed to their device to ensure the organisation’s data, systems and network remain secure.
Even if you don’t support Bring Your Own Device, updating your security and compliance policies for remote workers is a good idea. Full transparency is important, so employees understand their obligations when it comes to working for your company and protecting your organisation’s data.
Apply role-based user access
It’s important from a control and compliance perspective that employees only get access to the systems they need for their roles, and they have the right level of access. This way, you reduce the risk of information and commercial data being breached in some way.
Before applying role-based user access, it’s a good idea to do an audit. This means going around the business, understanding what people do in their day-to-day roles and the access to systems they require so that you can map level of access to individual need.
You’ll probably find quite a few gaps where people have access to systems and data they shouldn’t! It’s all about gaining that big, 360-degree picture of your users and the systems they’re using within the workplace.
Conduct due diligence on third-party suppliers
When you’re using SaaS and cloud platforms, you must have someone in the business validating these systems and doing some due diligence on the suppliers. Ensure suppliers have good security practices and controls in place, such as:
- Cyber Essentials or Cyber Essentials Plus certification
- ISO 27001. Watch out for suppliers who have de-scoped to gain the certification (i.e. they’re only achieving parts of the standard to the required level).
- PCI compliance. This is the highest level of security a supplier can have, especially in terms of the physical security of the data centers where they’re hosting and storing data. It’s a good indication of the quality of the business you’re working with.
- Business continuity. How long will it take the supplier to restore the system if it fails? Can they deliver an SLA to this effect? How will they communicate with you when dealing with an incident? At what point will they inform you that there has been a security incident? These are all important questions to ask of your supplier.
Make security and compliance your priority
Over the past year, we’ve seen many businesses focusing on getting their technology up and running to enable remote working. Under pressure to implement their business continuity plans, they’ve worried about security later rather than building it in from the start.
We don’t yet know what the future of working will be, but it’s likely that a percentage of each organisation’s workforce will operate according to a remote/distributed model.
If you’re likely to embrace hybrid working, and security was on the back burner during the unexpected events of 2020, now’s the time to bring it to the forefront and consider what you can do to protect your business, employees and customers.