This is the first in a series of four posts on how to secure your hybrid workforce. For a complete overview of the topics discussed in this series, download The new perimeter: Access management in a hybrid world.
What is hybrid work?
To secure your company, it used to be enough to secure the workplace and its entry points – because work was happening at work. There was a clearly defined perimeter to defend against attackers.
In hybrid work environments, work happens everywhere: in the office and at home, at coffee shops and coworking spaces, on laptops and phones and tablets. And to get that work done, we use a lot of apps.
Hybrid work – which was a thing well before the pandemic, but was massively accelerated by it – is the new normal we’re all adjusting to. Even now, office attendance is 30% lower than it was pre-pandemic. There’s no going back.
Suddenly secure networking, VPNs, endpoint protection, and employer-provided devices (basically the entirety of our old cybersecurity toolset) are no longer enough. How do you secure access in a hybrid world where remote work is more common than ever?
How do you protect a perimeter that’s constantly shifting and often spans the globe?
How do you secure a hybrid workforce?
This is the question every CISO, every IT and security team, and indeed every business is grappling with. And while the discussion of how to protect your company against the next big data breach or cyberattack could fill a library on its own, the question of where to start is surprisingly simple.
Let’s break down four key considerations to securing your hybrid workforce: identity, bring-your-own-device (BYOD) and shadow IT, the security vs. productivity tradeoff, and security costs.
For a deeper dive into these four considerations, download The New Perimeter: Access management in a hybrid world.
The new perimeter
70% of data breaches in 2023 still involved an identity element. Protecting your company starts with validating the identity of every single sign-in attempt. Frankly, many companies don’t do this particularly well right now, so herein lies the greatest opportunity – the lowest-hanging fruit – to strengthen your security posture.
Identity requires arguably the biggest mindset shift in a hybrid world. Instead of securing the entry point for a given access attempt, hybrid work requires that we secure the source of the attempt: the identity of the person or entity trying to gain access to business resources.
In other words, instead of asking “should this person have access to this resource,” a focus on identity means asking “Is this person who they say they are?”
For example, single sign-on (SSO) providers were built for a pre-hybrid world. A predefined list of company-approved apps are secured behind SSO, so that no one can sign in to those services unless they first sign in to their SSO provider. It’s a stronger credential that users are signing in with – but SSO alone can’t prove that someone is who they say they are.
It’s time to embrace BYOD and shadow IT
SSO also leaves gaps in coverage, because only the apps and services that IT knows about can be approved, and thus put behind SSO.
But on average, 30% of applications used by employees are not managed by the company, according to Gartner. In fact, they’re a complete blind spot: IT doesn’t even know workers are using these apps to get things done. That’s shadow IT.
When someone in Finance spins up a Google Spreadsheet instead of the company-approved Excel, or someone in Design uses Sketch instead of the company-approved Figma, that’s shadow IT. By definition, IT can’t see that sign-in, so they can’t secure it.
All those sign-in attempts can originate anywhere, on any device – and IT only provides secure access to a sliver of them.
Workers aren’t trying to skirt security protocols, of course. They’re just trying to get things done, and sometimes the approved tools are limiting.
Productivity and security can work together
85% of employees have knowingly broken cybersecurity rules in order to get work done (Harvard Business Review). Historically, strong security comes at the cost of diminished productivity. This is a false tradeoff.
This is because it used to be IT’s job to stop certain unvetted activities from happening. Today, IT needs to be a business enabler. To do that, they need to understand business goals and how workers get things done, in order to help them get those things done securely.
Taking this path requires, first and foremost, the right tools for the job. Where legacy security tools are notoriously difficult to navigate and impose new friction in workflows, the ideal tool does the opposite, making the secure thing to do the easy thing to do.
In that scenario, everyone wins: The tool itself ensures that minimum security requirements defined by the company are always met, and the worker doesn’t have to use crazy workarounds that compromise security to do their job.
Getting a handle on security costs
The cost of continuing to do things the old way grows every year. There’s the cost of a data breach itself ($4.45 million on average, according to IBM).
There’s the SSO tax, or the cost of adding new services to your SSO provider. And there’s the cost of things like password resets, which comprise a surprising amount of IT’s overall workload.
It all adds up, but it doesn’t have to.
In the coming weeks, we’ll explore these topics in more depth here on the 1Password blog, but you can learn how to secure your hybrid workforce right now by downloading The new perimeter: Access management in a hybrid world.