Securing remote work isn't a perk of the job: 4 tips for the future of flexibility

In workplaces around the country, business leaders are struggling to settle on a long-term policy for their return to the office. The issue isn’t just the pandemic, although sudden changes have caused companies like Ford and Google to delay their return-to-office strategies. The more pressing challenge as enterprises grapple with the choice of remote or in-person work is employee retention and recruitment. The fact of the matter is some workers would rather quit than go back to commuting and working in an office.

But while corporate leaders are considering the impact of remote, hybrid, and in-person work policies as part of their retention strategies, they must also bear in mind the cybersecurity implications of these flexible approaches. For your CISOs and security team leads, securing remote workers isn’t a perk of the job.

Remote work is only secure when sensitive information is trusted and reliable, regardless of its format, where it came from, where it’s going, and how it’s used. Recognizing that most enterprises will not return to a fully in-person model, security teams must work to keep data secure throughout its lifecycle and at every point both on- and off-premises.

Here are four tips for our more flexible future, which will help businesses safeguard their data and defend against cybersecurity attacks:

1. Catalog, categorize and classify your data. When a business operates in a hybrid computing environment, their sensitive data can be stored and processed virtually anywhere. One of the most common phrases in cybersecurity is the idea that "you can’t protect what you don’t know." With the traditional perimeter now a thing of the past, it’s vitally important that enterprises identify all of their data assets and where they reside -- on local data servers, on mobile devices and in the cloud. Having an up-to-date catalog of data assets can also help to understand how data moves between your servers and those of your customers and partners. Once your data has been identified and cataloged, it’s equally important to classify and categorize that data according to its importance. Sensitive and personally-identifiable data requires stricter controls than non-critical information. This process should form the foundation for building security controls that are appropriate for protecting your data, not to mention maintaining compliance with a growing number of regulations.
2. Safeguard your data with encryption. The next step after categorizing data assets is to encrypt your data, in particular those assets which have been identified as critical and sensitive. Encryption converts data into a non-legible text before being sent over the internet, reducing the risk of theft, destruction or tampering. Encrypting your important data protects it both at rest and in transit, meeting a key requirement across several security and privacy regulations. For encryption to fulfill its function, you must carefully manage and protect the cryptographic keys used to decrypt your sensitive data. No matter how robust and resistant your encryption algorithm, a stolen or compromised key will allow bad actors to gain immediate access to your sensitive data. Preventing data breaches -- and the financial, reputational and regulatory penalties that come with them -- requires a combination of strong encryption and effective key management.
3. Maintain control over your keys. Once your sensitive data has been encrypted, you must determine where to store and protect your cryptographic keys. Many cloud providers offer native encryption and key management solutions, and with a growing number of enterprises opting for multi-cloud architectures, it can be tempting to turn over key management to the service provider instead of taking responsibility for multiple key repositories. Choosing a centralized solution delivers stronger protection by providing a consistent approach to key management across the entire estate of encrypted data. Strategies like Bring Your Own Key (BYOK) or Bring Your Own Encryption (BYOE) allow you to maintain control over your cryptographic keys and avoid the risks of an inadequate native Cloud Key management system. BYOK and BYOE approaches are also a healthy cybersecurity practice, as they keep your keys separated from your data by default. Segregating the roles of data storage and data protection offers enhanced resilience against advanced attacks. By trusting your cloud provider less and opting instead for an accredited Hardware Security Module (HSM), you can maintain confidence that your data is secure and in compliance with data sovereignty regulations.
4. Control who can access your data and when. Protecting important information in a hybrid work environment requires a strong trust chain involving encryption algorithms, cryptographic keys, and airtight access management. With employees accessing company data from outside a secure perimeter, enterprises should, at a minimum, deploy integrated solutions that include single sign-on (SSO), multi-factor authentication (MFA), and adaptive, risk-based identity validation. Access security should be based on a step-up process that accounts for all of your business risk scenarios, with employees accessing critical data from anywhere while using privately owned devices.

The past two years have demonstrated that no organization can count on a defined perimeter and a fully on-premises workforce. Bad actors continue to develop new tools and strategies to take advantage of organizations with insufficient security protocols, turning every unprotected hybrid work environment into a potential target. Enterprises must adjust to their new reality and take the steps needed to make remote work safe and efficient. Every enterprise must be responsible for ensuring that remote work is secure work.

Image credit: londondeposit/depositphotos.com

Todd Moore is Global Head of Encryption Products at Thales