After multiple lockdowns across the country, employees in India are gradually returning to their offices. Working remotely for nearly two years has both organisations and employees wanting flexibility in operations and the hybrid work model is becoming a popular choice. A vast majority of Indian organisations (80%) plan to adopt the hybrid work model in the next 12-24 months, while 63% plan to make a permanent move to remote work over the next two years, a Forrester study revealed.
While hybrid work is here to stay, 88% of Indian organisations witnessed business-impacting cyberattacks in the last 12 months and these were largely attributed to remote work. Business and security leaders must factor in the lessons learned from remote work while planning their future workforce strategies. As organisations begin getting accustomed to the new way of work, security leaders need to understand the risks related to remote/hybrid work and how it will change the way cybersecurity is viewed.
Switching to a hybrid work model is not easy
While organisations rushed to adjust operations due to the pandemic, many did not factor in the cybersecurity implications. A vast majority of Indian organisations witnessed business-impacting cyberattacks due to systems put in place during COVID-19.
As organisations plan to adopt a hybrid model, concerns have mounted due to the atomised attack surface. The hybrid work model has dissolved the workplace perimeter, allowing employees to work from anywhere; business-critical assets have moved to the cloud; and the software supply chain has expanded as organisations adopt new technologies.
These new shifts have caused the corporate attack surface to expand drastically, with many organisations left struggling to address the new risks. And despite the hybrid work model becoming an accepted norm among Indian organisations, 56% of security leaders say they are unprepared to secure the new workforce strategy. Only when cyber risk is considered a business priority can organisations tailor security strategies that suit their needs.
The home network is now the corporate network, but visibility is lacking
The pandemic provided multiple attack vectors that cybercriminals capitalised on to target Indian businesses. According to CERT-In Indian organisations witnessed 6.07 lakh cyberattacks in 2021, a 300% increase since 2019.
Since the first lockdown in March 2020, employees were no longer confined to a perimeter-based corporate network. A remote worker could be connecting from home one day or from Wi-Fi hotspots at a coffee shop or hotel. Perhaps the greatest concern is that remote workers are able to access sensitive corporate data from insecure networks.. More than half (54%) of security teams in India lack visibility into employee home networks and connected devices. But the buck doesn’t stop there. Visibility into employee security practices is also a great challenge for security teams.
Organisations cannot secure what they cannot see. It’s also why 56% of cyberattacks on Indian organisations targeted remote workers. Many of these cyber attacks, however, are the result of poor cyber hygiene. Cybersecurity cannot be narrowed down to employee security practices alone. Business leaders need to realise that cyber risk is equivalent to business risk, especially in a highly digitalised world. Cyber attacks can have a huge impact on business continuity considering the reputational, financial and legal costs of a cyberattack.
Re-evaluating cybersecurity strategies
Given the propensity of the attacks and the vast implications they bear, security policies and technologies focused on perimeter-based attacks won’t cut it. It’s time for organisations to redefine what’s an “asset” and a “vulnerability” — and how to improve visibility into both — all while keeping employees productive and safe.
Organizations must rethink how they define risk and look beyond software flaws and compliances. Investing in adaptive user and data risk profiles to secure Active Directory along with a flexible security strategy based on changing conditions, behaviors or locations of employees is the way forward. This is possible by continuously monitoring and verifying every attempt to request access to corporate data — regardless of whether it’s a device, app, user, or third-party network. It’s not just risk management, but for many organisations, it could mean reimagining vulnerability management practices or taking the first steps towards zero trust. Whatever organisations may prioritise, one thing is clear: to tackle the challenges of remote/hybrid work, business and security leaders need to work in lockstep to develop a robust cybersecurity strategy in the new world of work.
The author is Country Manager, Tenable India