Cyber security advice for boards in the era of hybrid working

As Covid-19 restrictions ease and offices reopen, many businesses are showing a preference towards maintaining some degree of flexible working. Commonly referred to as ‘hybrid working’, the new model sees a return to the office, but with the option of remote working where it suits both employees and managers. While this arrangement promises many benefits, such as increased employee wellbeing, improved productivity and better collaboration, businesses should be careful to factor in cyber security risks when laying out a hybrid working policy.

We provide three key considerations for directors when discussing new models of working:

1. Assess your risks, and plan around them

   According to CERT’s 2021 quarterly report, phishing attacks went up 28% in Q4. Employee inboxes are still very much the genesis for most cyber-attacks, and understanding just how prevalent this type of activity has become is key to managing the risk it presents. In a hybrid setting, it’s important to look at tools and practices that will protect your workers, wherever work takes place. Directors should be asking their security teams make the time to identify what the greatest threats to the organisations are, and how to plan around these, and how to manage an incident if, and when, it occurs.

2. Focus in on identity management

   When people are logging into the network from outside the safety of the office, you need to make sure every user is legitimate and has access only to the data and systems they need. Layering identity controls such as MFA and implementing strategies such as Zero Trust need to become the new baseline for accessing your business systems. Interestingly, many cloud based platforms such as Microsoft’s 365 come with identity management tools built in – but an alarming number of businesses haven’t turned these on.

3. Formalise your hybrid cyber security culture

   With remote working, your employees truly become your first line of defence. Directors should be asking if cyber security teams are delivering regular training and communication that takes into account working remotely. Policies should also be adjusted to take into consideration that as covid restrictions lift, remote work won’t be limited to the home. With business travel opening up for example, new factors such as logging onto public wifi, working off mobile devices on the go, and how to manage physical security and situational awareness when in a public space are key. We’ve all been in a situation where we’ve been able to see the computer screen of the person working in the seat in front of us on an airplane – just one example of why staff need to be vigilant when working in public.