Securing the Hybrid Workforce
By now, we have all heard that many major corporations are instituting policies allowing workers to continue to work remotely even after the pandemic is declared over. Facebook is allowing employees whose jobs are conducive to 100% remote work to work remotely on a permanent basis. Those whose jobs require at least some in-office participation will be allowed to work remotely as much as 50% of the time. Twitter has done the same. Apple has announced a three-day in-office work week. Google and Microsoft are tracking with Apple's policy.
Regardless, the era of the hybrid office is here. Businesses at all levels are grappling with this issue.
Organizations pivoted a year ago to enable workers to stay home and remain productive. MSPs rose to the challenge of setting up and supporting the new environment. We, as a community, have enabled our clients to survive and perhaps flourish in some cases over the past year. However, most of us viewed this as a temporary situation. Things would certainly return to business as usual once Covid-19 was behind us. We now know that is not true.
Now is the time for MSPs to be having discussions with their clients regarding their return-to-work policies. In many cases you will find that, no matter the size of the organization, they are taking an approach similar to that of the major corporations.
So what does this mean for network security and data protection? According to the 2021 Remote Workforce Security Report by Cybersecurity Insiders, despite having spent the last year managing a large remote workforce, 79% of organizations interviewed are still feeling worried and unprepared when it comes to securing off-premises users.
So here are a few tips for MSPs as we help our clients navigate the re-opening:
Don't assume that the infrastructure and protections you put in place in 2020 to support remote work are a permanent solution. Now that you know a portion of the workforce will be working from home networks on a permanent basis, review the systems and processes in place to ensure the home network does not pose a risk. Make sure that there is adequate protection in place to prevent the propagation of viruses or ransomware across the VPN.
Implement a Zero-Trust model for remote access. Employees and remote traffic are granted only the least privileges needed to get the work done.
Ensure that home IoT devices (Echo, Google Home, Nest, etc.) are blocked from access to the network.
If they have not already done so, make sure EVERYONE is using Multi-factor Authentication.
Employ strong mobile device management to keep non-corporate applications off the devices (or at least cordon them off).
Double down on whatever cybersecurity education you have been promoting. With the dramatic increase in ransomware attacks, it is more important than ever.
The concept of the "road warrior", the employee with a significant travel schedule, has existed for a long time. The risks imposed by these individuals have always been understood, as they tend to connect to public networks (hotels, airports, clients, etc.) to get their work done. They then return to the office and potentially expose the network to cyberthreats. As such, most organizations made sure these employees were well protected and educated on proper use of the computer. Now, with a large portion of the workforce operating in the same mode, we need to make sure the same attention is paid to all employees.
Finally, most MSP contracts have traditionally excluded home networks from support. Over the past year many MSPs have, understandably, been somewhat lenient on this policy. Again, we all thought this was a temporary situation and, being good partners with our clients, let it slide. Now, with many employees working BOTH from home and in the office, the potential for increased support exists. With the "new norm", MSPs are going to have to formalize their policy on supporting and securing home networks on a permanent basis. Do we offer support for home networks and increase our fixed fee accordingly? Add a rider for home network support? Or simply go back to excluding home network support?
Regardless, we need to be clear with our clients as to what is included in their contract and charge accordingly. Failure to get ahead of this can lead to a "hole in the boat."
As we emerge from the other side of the pandemic, all MSPs will have to work with their client base to determine the proper strategy. There is no right or wrong answer, as we are all in uncharted waters here. Take heart in the fact that it is a level playing field, as nobody has yet created the best mousetrap.