How Hybrid Work Poses Major Cybersecurity Risks

There are many advantages to hybrid work — but a smaller cyberattack surface is not among them.

ESET Guest Blogger

March 1, 2023


As the accelerated digital transformation due to the pandemic falls into the rear-view mirror, many companies are now grappling with the challenge of mandating that employees spend at least a few days a week back in the office. A recent survey of U.S. workers indicated that the preference for the hybrid work environment rose from 31% to 36% from 2021 to 2022.

There are many advantages to hybrid work — but a smaller cyberattack surface is not among them. Hybrid work presents a significant opportunity for bad actors by making employees more reliant than ever on technology, much of which may be beyond the control of the company's cybersecurity team.

Insufficient Cybersecurity Awareness and Security Policy Training

A hybrid work model inevitably puts more security responsibility on employees while also pressuring cybersecurity teams to implement a zero-trust model to keep the increased risk at arm’s length. This often includes maintaining a cybersecurity posture on home networks and personal devices, especially if they are used to access company assets. According to ESET’s 2022 T3 Threat Report, password guessing remains one of the most favored network attack vectors despite the decline in remote desktop protocol (RDP) attacks that utilized this attack method.

The additional cybersecurity obligations that employees need to follow will help ensure online behavior does not make the hybrid worker more susceptible to social engineering attacks such as phishing. More than ever, hybrid workers need to understand how their online behavior either helps or harms the corporate security posture. A recent SMB Digital Security Sentiment Report, conducted by ESET, shows that 84% of SMBs feel that addressing the lack of employee cybersecurity awareness is a top factor in reducing the risk of a cyberattack.

Bring Your Own Device (BYOD) Risks

As lines between work and home blur, use of personal devices for work purposes is ubiquitous. But when hybrid workers use their own devices, unless there are strict compliance checks when connecting to the corporate network, it potentially gives cybercriminals a back door to access company networks and data via the employees' home environment.

BYOD is not new and has been discussed for years, but the digital transformation in working practice has exacerbated the problem. Employees working from home may be more likely to commit security blunders like using their work laptop for financial, shopping and other personal tasks, or even letting family members use their work device for personal activities.

Using Unapproved Cloud Apps

Cloud computing is the bedrock of this digital transformation and is exemplified by indispensable cloud-based apps for collaboration, productivity, video conferencing and much more. Motivated cybercriminals are fully aware that this switch to cloud apps opens additional opportunities. Research detailed in a recent Netskope report shows that more than two-thirds of malware downloads in 2021 targeted remote workers via cloud apps.

Unless company IT teams provide access to approved tools needed to efficiently work remotely, remote workers may venture off policy and use unsanctioned apps. These apps may lack robust security features, include code vulnerabilities and/or offer unsafe default settings, making them ideal conduits for cybercriminals to deliver malware payloads or to gain access to company resources.

Reliance on Remote Connectivity

Hybrid working entails moving between the relatively secure company network with its policies, firewalls and other protections to in-home Wi-Fi networks, public networks, potentially unmonitored personal devices, potentially unauthorized software, and so on.

Anytime users access company data over public networks, cyber risk goes up substantially. When smaller businesses implement remote connectivity, they often use the tools already in their possession, such as Windows Remote Desktop Protocol (RDP). Without the attention needed to secure access via RDP, such as the use of virtual private networks (VPNs) and removing public-facing access to RDP, hackers will relentlessly target these services to force their way into the company network.

Greater Vulnerability to Phishing and Business Email Compromise Attacks

Remote workers may also be less likely to track down coworkers or their IT specialist to cross-check suspicious emails, whether they be invoice requests, documents from external senders, shipping receipts, and more. Just being outside the company “hive” can reduce vigilance about cyber threats.

What’s Next?

Adequately protecting hybrid workers calls for reliable, multi-layered protection that includes technology to identify the threat posed by zero-day attacks. With 20 years of machine learning (ML) innovation, ESET's multi-layered security architecture offers the channel and their customers the highest level of protection. Find out more at https://www.eset.com/us/business/small-and-medium/.

When combined with ESET Cybersecurity Awareness Training, organizations can adopt a proactive stance against the risk posed by human behavior, educating employees to recognize phishing, avoid online scams, use strong password practices and understand Internet best practices. This helps add a vital layer of protection for organizations.

 

Tony Anscombe is Chief Security Evangelist for ESET. With over 20 years of security industry experience, Tony Anscombe is an established author, blogger and speaker on the current threat landscape, security technologies and products, data protection, privacy and trust, and Internet safety. His speaking portfolio includes industry conferences RSA, Black Hat, VB, CTIA, MEF, Gartner Risk and Security Summit, and the Child Internet Safety Summit. He is regularly quoted in security, technology and business media, including BBC, The Guardian, The New York Times and USA Today, with broadcast appearances on Bloomberg, BBC, CTV, KRON and CBS.

 

This guest blog is part of a Channel Futures sponsorship.
