Cybersecurity Needs to Work Even When Employees Aren’t on Board

Goldman Sachs leadership didn’t get the response they expected from their return to the office (RTO) order. In fact, Fortune reported that only about half of the company’s employees showed up. With today’s tight labor market and many employers allowing remote work, employees have firm ground to stand on. How do you secure a workforce that won’t always comply with your demands?

Employee compliance with cybersecurity measures has always been a key component of digital defense. However, employees often either purposely don’t comply or make mistakes. The 2022 X-Force Threat Intelligence Index found that phishing was the most common way criminals gained access to a network. Of all the attacks remediated by X-Force in 2021, 40% involved phishing. Organizations need to focus on maintaining always-on security measures that work without depending on cyber awareness and security edicts. 

Zero Trust Protects Regardless of Compliance

Organizations are moving more and more toward the Zero Trust framework. This protects them with an always-on approach instead of focusing on employee compliance. According to the 2021 Cyber Resilient Organization study, 35% of respondents have adopted this approach. Of those, 65% agreed that zero trust security strengthens cyber resilience. In addition, 63% of those organizations reported that a zero trust approach is significant or moderate. Their top reason? The approach improved operational efficiency.

Zero trust isn’t a single technology or even a single process. Instead, the zero trust approach is a framework that organizations use to implement different techniques and tools.

Other approaches focus on securing the perimeter and preventing an attack from occurring. Employers expect their people to comply with the processes and cyber hygiene. With a noncompliant workforce, you can’t rely on those methods of securing a network.

With zero trust, there is a mindset shift in how to approach cybersecurity. Instead of defending a perimeter, zero trust focuses on controlling access of both users and devices. It takes the approach that a breach has already happened. The tools are always on and do not rely on employees. So, they’re effective for employees who often don’t comply with security measures. Passively not complying may not be as dramatic as a walkout, but it can cause serious damage when an employee accesses sensitive data on a personal device or connects a work device over a public network.

Why Zero Trust Works for Remote Workers

Here are three common elements of a zero trust approach that apply to remote workers:

  • Principle of least privilege: By giving employees the least amount of access that they need to do their jobs, you can reduce vulnerabilities both from outsiders and insiders. The principle of least privilege is most effective when applied to domain controllers and domain admin accounts, which reduces the risk of ransomware. Remote workers have more freedom and add endpoints. So, restricting connections and user exposure reduces the damage and risk of an attack.
  • Microsegmentation: This technique divides the network into very small segments, called microsegments. It only grants users access to the specific sections they need for business purposes. If a breach occurs or an attacker steals an employee’s credentials, the amount of damage is limited only to the small segments that are involved. If you want to move to zero trust, analyze your data flows and infrastructure to see workload segments.
  • Multi-factor authentication (MFA): MFA makes it harder for cyber criminals to disguise themselves as authorized users, regardless of whether employees access networks remotely or in-house. With MFA, users must use more than one piece of evidence to verify their identity. For example, a user may be required to enter a password and then enter a code sent to them by SMS text.

Zero Trust Protects Remote Workers

Goldman Sachs employees refusing to return to the office are just one example of workers pushing back on RTO orders. Many employees who worked remotely for the past two years want to keep working from home. A recent Pew Research Report found that 60% of workers with jobs that can be performed remotely would like to work from home all or most of the time, which is an increase from 54% in 2020.

In addition, many employees say the ability to work remotely can affect their decision to stay with their company. The ADP People at Work: A Global Workforce View reported that 64% of the global workforce said they have or would consider looking for a new job if their current job required working in the office full-time. Large companies face this problem, too. Employees at Apple recently made headlines for threatening to quit if the current hybrid plan of requiring employees to be in the office Tuesday through Thursday continues.

Having a large number of remote workers means there is no longer a perimeter to defend. Organizations are finding that zero trust provides more protection with a remote or hybrid workforce. Remote workers mean more endpoints and opportunities to infiltrate a company’s data, which expands the attack area. To address this, zero trust focuses on the access of devices and users instead of the perimeter. The framework can reduce vulnerabilities and more accurately ensure that only authorized users and devices access the network, apps and data.

Creating an Always-On Cybersecurity Process

As remote and hybrid work becomes a long-term change, organizations must permanently adjust their cybersecurity processes to match how people actually work. Companies that currently require full-time hours in the office, or even hybrid work schedules, should begin thinking of employing long-term security effects to keep from losing valued employees to companies that allow more flexible work arrangements.

By beginning the process of adopting zero trust now, organizations can be prepared for continued remote work and any additional workforce changes in the future. Zero trust allows organizations to lessen their dependency on compliance while also setting themselves up for security.

The post Cybersecurity Needs to Work Even When Employees Aren’t on Board appeared first on Security Intelligence.