A young woman works on a laptop at a table next to a bank of windows. She wears a black tank top and has her hair pulled back into a bun. A potted plant and a paper cup of coffee sit on the table next to the laptop.
In the realm of cybersecurity, knowledge is power. Keep your employees informed by offering security training and refresher courses. — Getty Images/d3sign

Hybrid work has evolved from a novel new way to work to the preferred practice for many businesses. By one estimate, 74% of U.S. companies are using or plan to implement a permanent hybrid work model. However, while this style of working brings flexibility, autonomy, and cost savings, it also presents some security concerns. Employees working in and out of the office need to be aware of the risks — and take steps to protect company data.

[Read more: How the Remote and Hybrid Work Era Impacts Employers]

4 common hybrid work security challenges

No matter what type of business you are or what your hybrid workforce looks like, there are some common issues that affect every remote setting.

Phishing attacks

Phishing attempts are extremely common — and effective. These scams can be hard to recognize, in part because they’re constantly evolving.

Phishing attacks target individuals, rather than IT vulnerabilities. For instance, a phishing attempt may send a fraudulent email to try to solicit your employees’ personal information. Employees may respond to these emails or click on these links thinking they are from their employer, a bank, or an insurance agent. When people open or respond to these emails, they unknowingly put their personal and the company's information at risk, and everyone becomes vulnerable to a larger data breach.

Employees and business owners are only human, and it’s easy to fall for a sophisticated phishing scheme regardless of where you work.

Missing security patches

Security patches are software and operating system updates that aim to fix security vulnerabilities in a program or product. Most corporate devices automatically download and install patches when connected to the corporate network.

However, when employees are working remotely, they may miss these essential updates while logged on to a personal network and not the organization's network. Without the right security patches, devices could be open and vulnerable to ransomware attacks or other threats.

Vulnerable remote environments

Unlike in an office setting, a hybrid setup doesn’t limit employees to using corporate devices exclusively for work. Your team may use their company devices on public Wi-Fi networks, share devices with other family members, or use unsanctioned apps to share information. It’s also possible they’ll connect an unsecured device to your corporate network on days when they are in the office, introducing a new attack vector.

“Organizations cannot independently ensure network and endpoint security with a hybrid workforce in action. A company is also much more reliable in trusting endpoints trying to gain access to company resources as identities or devices can be compromised,” wrote NordLayer.

While seemingly harmless, using a foreign device or having another user on a corporate device may lead to a compromise of security controls, rendering home networks vulnerable.

Employee error

An employee’s personal work environment isn't monitored by IT support the same way an office environment is. This can lead to careless mistakes, such as not using the company’s virtual private network (VPN), installing malware, and reusing old passwords. Every hybrid and remote employee needs to be properly trained in remote working protocols to ensure their office outside the office is just as secure as their corporate one.

[Read more: Protecting Your Business Data in a Hybrid World]

Catching the problem early can minimize the damage, but first, you need to create a culture that embraces cybersecurity.

6 ways to make a hybrid workforce more secure

Offer regular security training

Employees working remotely have no internal IT support to help them when an issue arises. This means you'll have to train your staff in good digital security habits and how to protect themselves while they're working from home or somewhere else outside the office. Offer regular updates and resources to help them understand how to minimize new threats and spot sophisticated phishing attempts.

Institute a zero-trust policy

Zero-trust is a security approach that follows the rule, “never trust, always verify.” Essentially, a user or program should have the minimum privileges and level of access necessary to perform their job. For example, only the recruiter in charge of the hiring process should be able to access a candidate’s contact information.

To implement a zero-trust policy, set up multifactor authentication on all your company programs, devices, and networks. It’s also helpful to outline the specifics of which roles can access what data on Google Workspace, Slack channels, cloud storage, and other shared platforms.

Make security easy

Phishing attempts can go unreported, either because the victim isn’t aware that they’ve been had or because they’re embarrassed. Catching the problem early can minimize the damage, but first, you need to create a culture that embraces cybersecurity.

“That means creating a security-positive culture that removes roadblocks, makes security personnel available to solve problems, educates employees, and rewards security-centric decisions,” wrote 1Password.

Hybrid workers should feel equipped with the tools and knowledge to secure their devices, spot suspicious behavior, and report to the right people if they’re concerned.

Create a separate network

Provide a new VPN for employees to connect to when working remotely. This will enhance your existing security features as well as protect remote employees’ accounts’ security and accessibility.

Audit work devices for hybrid or remote work

If an employee is going to be using a corporate device remotely for work, update the device on all your network’s security systems. Regularly have these devices audited by your IT support to make sure they are running properly and that the most up-to-date patches have been installed.

Perform penetration testing

Pen testing is just one way to monitor your system and see if your devices and firewalls are working as planned. Regularly test your corporate devices to see how vulnerable they are to cyberattacks. Analyze the results and make the necessary updates to make them more secure.

This story was originally written by Dan Casarella.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.

Published