• Advertise
  • Subscribe
  • Forums
  • Buyer's Guide
  • Contact Us
  • Connect on LinkedIn
    1. Security Executives

    How to Secure Today’s Workforce and Workspaces

    July 3, 2023
    Security teams need to be developing long-term mitigation plans for this new workplace reality
    Courtesy of Getty Images -- Credit:Anchiy
    Organizations today are not only offering employees more flexible work arrangements, but they are also looking to secure those setups.
    Organizations today are not only offering employees more flexible work arrangements, but they are also looking to secure those setups.

    Three years removed from the onset of the pandemic, organizations across industries are still grappling with security concerns as they figure out the best way to secure employees moving between workspaces and working from a mix of personal and corporate devices.

    While many positions spanning the likes of healthcare, manufacturing and retail never had the opportunity to move to a remote or hybrid work arrangement, the reality is that millions around the world will never return to a full-time, office-based role. However, this does not mean that all these workers will never return to the office.

    Major corporations like Amazon, Disney and Starbucks have instituted return-to-work mandates with mixed receptions, but the more likely outcome for employers going forward is taking the middle ground between fully remote and fully in-person work. Most have categorized this style as “hybrid” work, but the more appropriate classification would be “flexible” work. Hybrid implies something of a dichotomy, i.e., an employee works from home, or from the corporate office. But the working options that many of today’s employees have extended well beyond just two locations.

    Organizations today are not only offering employees more flexible work arrangements, but they are also looking to secure those setups. As more companies deploy flexible work, new questions are being raised about both physical and cybersecurity.

    Finding the Answers

    There has been no greater need than now to merge and intersect physical and facility data with cybersecurity. Organizations must leverage all avenues at their disposal to prevent physical and cyberattacks. Without the blending of physical and cybersecurity, teams could be missing out on valuable insights that could prevent a breach in either realm.

    The current workforce situation is precisely what an approach like Zero Trust was tailormade to protect. Malicious actors know that potential gaps exist as employees bounce between corporate offices, work-from-home setups, shared workspaces and more.
    Courtesy of Getty Images -- Credit:Anchiy
    Organizations today are not only offering employees more flexible work arrangements, but they are also looking to secure those setups.
    Organizations today are not only offering employees more flexible work arrangements, but they are also looking to secure those setups.

    Though the concept has been around for more than a decade, executing Zero Trust is still a hurdle for organizations today. The idea behind Zero Trust is that only trusted identities are granted access to applications, systems, networks and data given their role within an organization. This trust must then be reestablished at each step to ensure that a user attempting to gain access is who they claim to be.

    By adopting a Zero Trust security model, enterprises are enabling breach prevention. It would be impossible for any given security tactic to stop breaches altogether, but Zero Trust helps position organizations to contain isolated events before they become significant breaches. In today’s flexible working environment, companies have to be prepared for security incidents to pop up just about anywhere.

    The Overlap of Physical and Cybersecurity

    With more companies accommodating flexible work, one of the burning questions among security practitioners is, “How do we secure all the different spaces where employees are working?”

    Modern buildings and workplaces have breakout spaces, creative spaces, hot desks, meeting rooms and more, giving employees more choices than ever when it comes to deciding the ways and places in which they want to work and collaborate with their teammates. The power of choice grants employees flexibility that the workforce has never previously experienced.

    Organizations are ultimately responsible for securing themselves and their employees, regardless of where they are physically located. An employee’s physical location, be it the corporate office, a local coffee shop or elsewhere, can no longer be viewed as an inherent source of trust. This is why the Zero Trust framework has become so valuable.

    Identity and access management is one of the key pillars of a Zero Trust framework. Under this model, it is assumed that a network is always hostile, whether it’s a corporate network or otherwise. Geography is only one consideration used to gauge trust. By applying more stringent access controls, such as attribute-based authentication or other additional security checks, companies can build the foundation of their Zero Trust model.

    Watching Your Back

    It is difficult to say which type of workspace is best protected, or easiest to secure these days. Companies fell into routines when employees were working remotely, just as they had security best practices solidified back when most teams were working out of the same office. Now, security teams are being forced to divide their attention and resources across several spaces, again underscoring the importance of Zero Trust.

    Security teams need to be mindful of who is managing a building when employees are not around and monitor the flow of people in and out of that building. Everything down to the literal facility management systems needs to be protected. Attackers know as well as anybody that corporate spaces are going to be unoccupied at certain times. The same systems that facility managers are using to manage buildings remotely can be coopted by attackers for their own nefarious purposes.

    Facility management technologies serve as a prime example of the intersection between physical and cybersecurity. For example, proximity sensors and badge readers confirming someone’s physical presence in an office contrasted with cyber activity indicating that someone is somewhere else can raise a red flag. This hypothetical could be indicative of a stolen badge used to access a physical site, or that an attacker is leveraging compromised credentials to pose as an employee from an entirely different location. Regardless, it illustrates where cyber and physical security meets and why organizations need to integrate both into their strategies.

    Securing Assets

    Beyond the people management component of security, flexible work also creates a set of new challenges around protecting company assets. This primarily includes assets you typically think of in an office space, like laptops or mobile devices, but also company equipment such as vehicle fleets or heating and cooling systems.

    The conversation around devices, however, extends beyond corporate-issued items. With the prominence of bring-your-own-device (BYOD) policies, many employees are using personal devices in corporate spaces and accessing corporate networks.

    Personal devices may not be subject to the same stringent security policies as company-issued devices. Signing into a corporate device may trigger certain security and governance policies, preventing that user from accessing something like a malicious web link or file. Working from a personal computer, an employee may not have those same policies in place, leaving their device and data more vulnerable to threats. Malicious actors may have more success infiltrating an organization through an employee’s personal laptop that has less sophisticated controls attached to it.

    Implementing robust corporate security controls is an important step toward protecting employees, and the company, across devices and across locations. Under the premise of Zero Trust, employees need to be reauthorized each time they go to access corporate applications or sensitive data. By adhering to Zero Trust principles, companies can do their part to ensure that any unusual activity gets flagged at the source before the entire organization is put at risk.

    The Big Picture

    Building a cybersecurity program in the context of today’s flexible workforce is a tall order for any security team. With so much evolution in the workplace happening so quickly, the emerging challenges of balancing physical and cybersecurity may not yet be realized by key stakeholders.

    Developing a modern security strategy around corporate resilience starts with a top-down approach. This means that executives, starting with the C-suite, need to buy in and be involved in conversations around the organization’s strategy for securing flexible work arrangements. These stakeholders ultimately control the purse strings, which dictate the budgets for security initiatives, tools and teams. Fostering these relationships helps lay the groundwork for executing a successful security strategy.

    This all starts with an open dialogue. Security leaders need to articulate how cyber and physical risk overlap, as well as communicate how security can impact the bottom line. The objective of the security team should be to easily connect the dots for executive decision-makers, explaining just what could happen should a vulnerability be exploited successfully. Whether it's data loss, regulatory compliance failure or reputational damage, security issues often carry a financial consequence that matters to the board.

    Security posture is also connected to valuation. When it comes to mergers and acquisitions, security is increasingly taken into consideration as part of the evaluation process, underscoring the need for executives to make cyber strategy a top priority. A company can lose value if it is perceived to be under-protected and no security team wants to be blamed for a failed merger or acquisition.

    Companies need to be able to manage risk proactively and can set themselves up for success by ensuring that corporate leadership is dedicating time and resources to security efforts. Highlighting relevant data points can help tell the story for those who may not be involved with the day-to-day security activities. Practitioners must ensure that they are collecting data that matters, such as occupancy and space utilization statistics, to help illustrate the direction behind proposed security initiatives like Zero Trust.

    Putting the Pieces Together

    For security practitioners, the adoption of flexible work has demonstrated where organizations have room for improvement in their security postures. Even as attackers get more creative with their exploits, models like Zero Trust provide an outline of how to protect your organization, employees and assets.

    The pandemic years have been inherently difficult to plan around, and while the future of working arrangements is still being written, cues can be taken from business operations around the world. Office occupancy has returned to pre-pandemic levels across the Asia-Pacific region and Europe is not far behind. While North America, and the United States in particular, trails their international counterparts, it seems that the tide is slowly turning.  

    Flexible work is proving to be a key driver behind this return and security teams should be developing their future plans in the context of this arrangement. Pursuing a top-down approach that accounts for physical workspace and asset security, alongside cybersecurity, allows organizations to embrace flexible work models with peace of mind.

    CISO James Carder of Eptura.
    CISO James Carder of Eptura.
    About the author: CISO James Carder of Eptura, a newly formed work tech brand focusing on workplace, facility and asset management. In his role as CISO, James is dedicating his time to solving security challenges – both cyber and physical – presented by remote and hybrid work styles. Carder brings more than 25 years of corporate IT security and consulting for the Fortune 1000 and the U.S. Government. Prior to joining Eptura™, James served as Chief Security Officer and VP of LogRhythm Labs where he built the program into a world-class security organization. James is a sought-after and frequent speaker at cybersecurity events and is a noted author of several cybersecurity publications.        
    About the Author

    James Carder | CISO, Eptura

    CISO James Carder of Eptura, a newly formed worktech brand focusing on workplace, facility and asset management. In his role as CISO, James is dedicating his time to solving security challenges – both cyber and physical – presented by remote and hybrid work styles. Carder brings more than 25 years of corporate IT security and consulting for the Fortune 1000 and U.S. Government. Prior to joining Eptura™, James served as Chief Security Officer and VP of LogRhythm Labs where he built the program into a world class security organization. James is a sought-after and frequent speaker at cybersecurity events and is a noted author of several cybersecurity publications. He is an Advisory Board member for the University of Colorado Denver, PlexTrac, TruKno, Coalfire, Circle Systems, Resurface Labs, Cyber Sainik, and the Identity Defined Security Alliance (IDSA); a Certified Information Systems Security Professional (CISSP); former ICIT Fellow; and a member of the Forbes Technology Council.

    Courtesy of Getty Images
    COVID-19 has created a hybrid workplace unlike any other in global history, presenting security new challenges.
    Courtesy of BigStock.com -- Copyright: designer491
    Focusing on improving password security to maximize workforce continuity will significantly help IT leaders successfully transition into making a permanent hybrid workforce their new normal.
    (Photo courtesy stock.xchng/Iafrate)
    The proliferation of mobile devices has forced companies to examine the steps they should take to ensure the security of senstive, proprietary data when allowing employees to use their own smartphones in the workplace.