Microsoft has invested a bunch of effort into researching hybrid work, and browsing some of that research leads to some interesting issues—not because of what the data tells us about hybrid work, but because of what we as IT and security practitioners must do to enable and support it.
Hybrid work is really a mixed blessing—while it offers a lot of fantastic benefits for people who are able to take advantage of it, it can introduce some new and unpleasant security issues that you need to be prepared to deal with.
A few top-line facts
The point of this column isn’t to argue for or against hybrid work, so I’m not going to dig deeply into Microsoft’s research findings. I do want to summarize a few things to frame the rest of the column, though. To do that, let’s keep in mind four facts:
- In the US, 79% of workers don’t want to be permanently in the office; 47% preferred hybrid and 32% preferred fully remote.
- In the UK, the figure is 82% anti-office (59% hybrid and 23% fully remote).
- More than 20% of people who changed jobs during the heart of the COVID pandemic did so because they wanted more flexibility to work hybrid.
- There are new security threats that are specific to hybrid work, including network scraping (essentially meeting-oriented phishing) and the use of audio or video deepfakes.
This last point is what I want to focus on in this column—there are some practical steps you should take to improve security for your organization and for your hybrid/remote workers.
Securing identity
Protecting your users’ identities (or, more precisely, the credentials they use to log into your environment) is the most important first step towards improving the security of your hybrid work environment. That’s because those credentials will be used by every user, whether at work or at home, and often from networks or devices that you can’t completely trust.
It should, at this point, go without saying that you should have multifactor authentication enabled and enforced for all your Microsoft 365 users. If you haven’t already done that, you should stop reading this article right now and go read this Microsoft article in a new tab and follow its recommendations. Even if you can only use SMS MFA, that’s still much better than no MFA, although using an authenticator app or security key is significantly more secure.
Once you have MFA deployed, you will want to ensure that you are appropriately using the sign-in risk features of Azure AD. Some of these features require Azure AD Premium licenses, which aren’t cheap. For example, if you want to force MFA or a password change based on elevated sign-in risk, that requires Azure AD Premium P2. Those licenses may represent a significant cost if you don’t already get them from a bundle such as the Microsoft 365 E5 SKU. However, adding those licenses only for users who face an elevated risk, such as your full-time remote workers, may lower the cost. If you’re unsure whether these features are valuable, you can test them using trial licenses and these test procedures.
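As an added example (not from the column, and not Microsoft's own sample), here is how the two policy layers described above look when created with the Microsoft Graph PowerShell SDK: a baseline MFA policy for everyone, plus sign-in-risk and user-risk policies scoped to a group of remote workers so that only those users need Azure AD Premium P2. The group and account object IDs are placeholders, and every policy is created in report-only mode so you can review its effect before enforcing it.

```powershell
# Added example, not from the article: creates three Conditional Access policies
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Every policy starts in report-only mode so its impact can be reviewed before it
# is enforced. The object IDs in angle brackets are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"

$breakGlass    = @("<break-glass-account-object-id>")     # emergency access accounts, always excluded
$remoteWorkers = @("<remote-workers-group-object-id>")    # group that carries the Azure AD Premium P2 licenses

function New-CaPolicy {
    param(
        [string]   $Name,
        [hashtable]$Users,
        [string[]] $SignInRisk = @(),
        [string[]] $UserRisk   = @(),
        [string]   $Operator,
        [string[]] $Controls
    )
    $body = @{
        DisplayName   = $Name
        State         = "enabledForReportingButNotEnforced"  # change to "enabled" after review
        Conditions    = @{
            Users        = $Users
            Applications = @{ IncludeApplications = @("All") }
        }
        GrantControls = @{ Operator = $Operator; BuiltInControls = $Controls }
    }
    if ($SignInRisk) { $body.Conditions.SignInRiskLevels = $SignInRisk }
    if ($UserRisk)   { $body.Conditions.UserRiskLevels   = $UserRisk }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 1. Baseline: MFA for every user on every cloud app (Azure AD Premium P1 feature).
New-CaPolicy -Name "CA01 - Require MFA for all users" `
    -Users @{ IncludeUsers = @("All"); ExcludeUsers = $breakGlass } `
    -Operator "OR" -Controls @("mfa")

# 2. Sign-in risk: step up to MFA when Identity Protection rates the sign-in
#    medium or high (Azure AD Premium P2, scoped to the remote-worker group).
New-CaPolicy -Name "CA02 - MFA on medium/high sign-in risk (remote workers)" `
    -Users @{ IncludeGroups = $remoteWorkers; ExcludeUsers = $breakGlass } `
    -SignInRisk @("medium","high") -Operator "OR" -Controls @("mfa")

# 3. User risk: on high user risk require MFA AND a secure password change
#    (both controls together, so the password is changed only after MFA succeeds).
New-CaPolicy -Name "CA03 - Password change on high user risk (remote workers)" `
    -Users @{ IncludeGroups = $remoteWorkers; ExcludeUsers = $breakGlass } `
    -UserRisk @("high") -Operator "AND" -Controls @("mfa","passwordChange")
```

Review the report-only results in the Azure AD sign-in logs before switching each policy's state to "enabled"; the break-glass exclusion is what keeps you from locking yourself out if a policy misfires.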
Of course, your identity protection also depends on you using the right policies to monitor and alert you of other types of unusual events, but that’s a matter for whatever security monitoring or SIEM system you use. I’m going to assume that you already have protections in place for this, but if not, you should add them.
Securing connectivity
Remote access used to mean dialing into a data center using a phone line and a modem. Then we started to get SLIP and PPP, which progressed to a variety of different virtual private network (VPN) solutions. Along the way, it became common for applications to be published directly to the Internet, often behind a security appliance or proxy of some sort. Of course, that’s literally what Microsoft does with the entire Microsoft 365 suite; you don’t have to VPN in to Redmond to use the service. So why is connectivity important? It turns out that there are several reasons.
One is that an attacker may be able to eavesdrop on or tamper with traffic on a compromised network. Another is that compromising a single device on a network may give an attacker a pivot point to attack other devices. Compromising someone’s work laptop in a coffee shop may allow an attacker to implant malware, which then becomes a more serious problem when the infected machine next connects to the corporate network. (This possibility directly led to the popularity of zero-trust solutions, because they don’t assume that either the network or the endpoint device is trustworthy.) A third is that compromised network devices themselves, including SAN units and Wi-Fi routers, are often used to host malware, DDoS bots, and other nastiness.
Every security vendor will tell you that you should secure your network; this is banal. I’m going to suggest a slightly different take: what have you done to secure the home networks that your hybrid-work users depend on? Are you supplying routers or other devices for users? Are you helping them ensure that those devices are properly patched and configured? Does your helpdesk provide any type of home-connectivity support? Are you using Azure AD conditional access, Intune, and Defender technologies where appropriate to help detect and remediate compromised devices?
Securing devices
Speaking of devices… this is probably the area where security professionals face the most resistance to applying security policies. For organizations that allow bring-your-own-device (BYOD) usage, users are naturally and understandably resistant to giving their employer access to the full range of data on their personal devices. Even for organizations where the standard is for everyone to use corporate-owned devices for everything, ensuring that these devices are properly secured and patched is a big job. That’s why Microsoft, Quest, and other vendors spend so much time building device-management solutions like Quest KACE and Microsoft Endpoint Manager. These tools are often complicated and expensive, which is why they are not as commonly used as I’d like. However, the built-in tools in Microsoft 365 (including the Software Updates report in the Health pivot of the M365 admin center, or the reports in the Microsoft 365 Apps admin center) can be very useful, especially in conjunction with some simple user education and reasonable defaults applied to Windows Update.
Hybrid happiness
There’s no question that many users prefer, and benefit from, the flexibility that hybrid work environments offer. Microsoft is continuing to try to make the hybrid work and meeting experiences better through improvements in the service, but there are some problems lurking in hybrid life that require you to focus your attention on securing the devices, networks, and identities that users use to get their work done from wherever they are.
Randy, I suspect that most organizations don’t even know about the NSA recommendations, which is too bad. It shouldn’t be controversial to recommend things like “use a VPN” or “patch your stuff.” Most orgs, I think, don’t realize how much they broaden the attack surface by allowing widespread remote work; some of them, unfortunately, will find out the hard way.
Good article Paul!
I saw that the NSA published an article the day before this article was published.
NSA Releases Best Practices For Securing Your Home Network [https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3304674/nsa-releases-best-practices-for-securing-your-home-network/]
It contains a lot of practical advice including:
– Do not exchange home and work content.
– If you must use public Wi-Fi, use a trusted VPN.
What do you think? Are these NSA best practices being implemented by remote workers? What can be done to ensure they are put into practice?