The shift to remote work created a new model for cybersecurity. Here are tactics companies can use to protect their work-from-home employees.
- The pandemic upended how companies think about and utilize cybersecurity.
- Multifactor authentication and secure remote access are essential for work-from-home employees.
While the pandemic opened up new ways for cyberattackers to use fear and misdirection to take advantage of vulnerable networks, great strides were made from a cybersecurity perspective to improve remote access and protect cloud data and devices.
So what is today's new normal? Companies are changing their defensive tactics to better protect both their networks and employees, said Garrett Bekker, principal analyst for information security at 451 Research.
As companies are in the process of reopening their offices — where some employees will once again work behind corporate firewalls and other enhanced security hardware and software — many users will stay remote-first for the near future. That said, there are a number of options today to protect the integrity and security of remote employees.
Cybersecurity tactics for remote employees
The model of zero-trust cybersecurity, while still in its infancy, plays a vital role in reducing corporate risk. The concept essentially "trusts" no one in the company: every user, device, and application is constantly authenticated via texts, pings, or even biometrics, even if it was authenticated just minutes ago. Zero trust is becoming a default model for companies to always verify the users on their networks.
As companies continue to embrace zero trust, replacing traditional, vulnerable technologies such as virtual private networks with more advanced options such as zero trust network access that offers secure remote access, they will better protect remote users and enhance their network capabilities.
"Our survey data show an increase in demand for multifactor authentication and traditional virtual private networks, as well as newer zero trust network access that provide secure remote access without a VPN," Bekker said. "MFA is really key to ensure that people are who they claim to be and help eliminate phishing and attacks using compromised credentials."
Multifactor authentication ensures that the person logging in to a corporate asset, be it the corporate network or cloud resources, is indeed the authorized user. It's important that companies ensure their users are verified and that each user's laptop, mobile device, or other technology has been pre-authorized and confirmed. If a user's credentials are compromised, this tactic can prove crucial to protecting a company's data.
Regardless of the size of the organization, Bekker also said companies should keep employees' personal email and computing devices off the company's network and cloud services.
"It's best to have remote employees use their business email for work and keep personal email separate," he said. To prepare workers for cybersecurity success, a company should require all remote employees to use a corporate-issued laptop with a corporate email and requisite security settings preinstalled.
Another tactic companies are using for their remote and hybrid employees is the expanded use of cloud-based office suites such as Microsoft 365 or Google Workspace. These applications can employ multifactor authentication, along with other enterprise-class security controls, to verify users and devices. Through the advancement of cybersecurity technologies, the current identification methods available to corporate security surpass basic usernames and passwords.
While small and midsize firms have the biggest challenges, because less money is devoted to resources like highly experienced technical staff and automated security systems, these companies still have options available to protect themselves, Bekker said.
Bekker added that these organizations should consider a SaaS-based service offering that requires less staffing and maintenance, and less on-premises hardware or software to install.