There's a pretty good chance that wherever you're reading this article, it's not from your desk in a traditional office.
You might instead be reading it while you're working from home or from a coffee shop or another space, or maybe on your phone as you wait between meetings. You may be reading this from your company office, but even if that's the case, it's unlikely that you'll be there every day of the week.
This shift towards remote working has brought benefits to employees, who no longer need to spend hours of their day stuck in traffic or navigating crowded public transport systems. People can spend the time saved by not commuting to the office and back taking care of other daily tasks, providing more time for relaxation, and spending time with loved ones in the evenings, although in many cases the reality is that people end up working longer, too.
The benefits of remote and hybrid working have very much been accepted by employees -- according to Forrester, 68% of people who work remotely say they want to work from home more often.
However, while the rise of hybrid working has brought benefits, it's also created problems -- and one of those is that it's harder than ever to keep employees and networks safe from cyber attacks.
Managing worker security remotely is complicated
That's because while once employees would be working from a corporate PC in a physical office space and running on the office network, now employees can work from anywhere on pretty much any device, so protecting corporate systems and data is a much more complicated challenge.
"It's added an additional layer of complexity from a security perspective," says Kelly Rozumalski, senior vice president and national cyber defense business lead at Booz Allen, the global management consultancy firm.
"Cyber professionals are still dealing with the transition towards remote working," she explains. "Now, they have to secure a larger attack surface, because there are so many more technologies out there because Covid forced everyone towards digital transformation so quickly, and that expanded the attack surface."
That need for a sudden transformation of working practices during the pandemic understandably meant that cybersecurity took a back seat, and in some cases, it still hasn't caught up. Employees might be using their personal laptops to work from home, or even if they're using a corporate issued device, they're still using it from their home network -- and this is a potential cybersecurity risk for organizations.
That's because unless there's an effective cybersecurity strategy in place, it's difficult to ensure that the devices are fully updated with the latest security patches to fix cybersecurity vulnerabilities -- especially if it's a personal device. Even the basics of knowing whether a device has been updated or even what has been installed on it can be challenging.
And that's just for starters.
"The challenges are exponential and the attack surface has exploded," says Bharat Mistry, technical director at Trend Micro, a cybersecurity company.
"While before it would have been a corporate machine on a corporate premises that you would have physical hands-and-eyes control over, almost every day. Now it's the opposite model, where many of these assets are outside the corporate domain," he adds.
The new risks add up
Employees want to get things done, they want to do their jobs and be productive. But going through the official corporate channels for software -- if they're available -- can be a long and laborious process. That could result in employees downloading software onto their devices, whether that's a music service to listen to something while they work, or a cloud storage application to help store and transfer files.
But if this download process isn't managed properly, it can lead to problems because cyber criminals can trick users into downloading cracked or fake versions of popular applications, bundling malware inside. If this is downloaded and run on a corporate device, that can cause a problem across the network.
It might not even be the employees themselves who end up downloading illegitimate software; many children have access to their parent or guardian's laptops to help with schoolwork, watch videos or play games.
If a device isn't monitored or locked with a secure password, children could inadvertently download malicious software onto the machine, providing an attacker with access to corporate files, usernames and passwords for cloud applications, and more.
And then, of course, there are phishing emails. Cyber attackers know that more employees are working remotely and they're reliant on emails for a lot of everyday communication, so they'll spoof emails from the IT team, human resources, finance, or other office departments which suggests there's a problem and you need to log in to your account.
Even if a device is well protected by the policies of the information security team, there are still additional cyber risks associated with working from home.
The problem of insecure personal hardware
Businesses will have specialist routers set up to manage the network, but this is unlikely to be the case for employees working from home. They're most likely to just be using the home router given to them by their internet service provider when they started their contract.
"The router is the first point of presence to the internet and it's a device that we have all we all have in our homes that's directly connected to the internet," says Bogdan Botezatu, director of threat research and reporting at Bitdefender, a cybersecurity company.
The danger is that these devices are often old and rarely updated -- a potential source of vulnerability. It's unlikely that malicious hackers would target your home router to specifically go after you or your company, but by compromising as many routers as possible and watching what traffic they send and receive, they could find the most valuable targets and exploit their access to gain a stronger foothold to go after sensitive data.
Botezatu outlines a scenario where attackers exploiting weaknesses in routers could redirect you to a fake version of a site like your corporate email. "They have all sorts of powers after they have hacked your router," he warns.
All of this creates a conundrum for enterprise information security teams. On the one hand, they're tasked with ensuring that the devices employees are using for work are secure and properly supported.
But on the other hand, while they could issue updates and patches to corporate devices, they don't and probably shouldn't have any remit over the user's personal home devices -- that could be viewed as overreaching and an invasion of privacy.
Better remote work security education is needed
However, with the correct information and guidance, employees could be made aware of the potential cybersecurity risks that come with working remotely and how to improve the security posture of their home network in a way which will aid their personal online security, while also aiding the security of the organization too.
"When I first started working from home you'd have the risk assessment of your workspace, by your HR department. We don't do that risk assessment from a cyber perspective," says Trend Micro's Mistry.
"There are employee awareness programs, but they're still set in corporate environment. We need to put it in a home context and show the dangers of in the home environment. Then people will learn very quickly," he adds.
Encouraging people to ensure their home equipment is up to date with the latest cybersecurity patches and updates is just one piece of the puzzle. There are also other useful tools which can help secure remote workers, like ensuring that all corporate devices are equipped with robust anti-virus software and cybersecurity applications.
Passwords are still the key target of many cyberattacks. And sometimes hackers don't even need to send out phishing emails. They can use a brute force attack to guess simple passwords for remote applications or try to use other passwords connected to an individual which have been leaked in earlier data breaches of another personal or professional account.
Remote workers need better security tools too
Because of this, people should be instructed to use unique, complex passwords for any account that's associated with work. Organizations can help to encourage this by providing all employees with a password manager for their corporate accounts, meaning they don't even necessarily remember their passwords themselves.
Organizations should also provide all employees with multi-factor authentication (MFA) -- also known as two-factor authentication (2FA) -- so that even if an attacker does get hold of a legitimate password, there's an added layer of protection to help prevent them from accessing the account. It's a stringent defense -- Microsoft says that MFA blocks 99.9% of attempted account hacks.
Ultimately, securing the hybrid workforce is about ensuring that only the correct individual can access the accounts and services to which they need access. That can be done by leveraging the correct controls and access tools, cybersecurity best practices, and teaching people about the potential threats which are out there and how to spot and report them.
"This idea of zero-trust and making sure that the right person has the right access to the right thing at the right time. That is something that's starting to be increasingly adopted," says Booz Allen's Rozumalski.
"But we can't forget that something as simple as teaching your remote workers basic cyber hygiene that could prevent potential phishing scams that could impact your entire network. So, we need to make sure that we continue to focus on those basic cyber hygiene, best practices," she says.