However companies are operating after COVID - back to office, continuing remote work or a hybrid - cybersecurity requirements for both remote workers and third-party service providers must be reviewed.
For decades cybersecurity was modeled on perimeter defense - barriers and protection at company network borders. With work from home during the pandemic, the broader attack surface made this model obsolete. The new security model is "zero trust" - all networks and devices are assumed to be potentially hostile or compromised, and continual authentication and verification are required.
Today's digital workplace includes internal systems and cloud-based services with shared security responsibilities. Companies need to inspect or verify their suppliers' implementation of, and compliance with, security requirements. Policies and procedures to be addressed include:
- Safeguards such as multi-factor authentication, encryption and dual controls.
- Limiting remote access through virtual private networks or other means.
- Standards for hardware devices.
- Malware protection software.
- Advanced endpoint protection.
- Preventing printing or saving data on local devices. If remote workers need paper records, provide secure containers and shredders.
The definition of a data incident must include incidents at a remote worker's home or other off-site use.
Since hackers are aware of the increased vulnerability of remote workers, companies must also be aware.