Insight

Tackling cybersecurity issues

Heather Hinton, chief information security officer at RingCentral, outlines what she expects to see in the cybersecurity space this year.

As we continue into 2022 and different variants of Covid continue to affect the way businesses operate, I’m a firm believer that businesses in the channel will continue to embrace hybrid working for another year, if not forevermore. For most employees, even just a day in the office each month, with a social activity attached, might be all that is needed to reinforce a sense of belonging to a team and to enhance camaraderie for a distributed workforce. This will ultimately leave far more work days out of the office than within it, which means that companies will have to come to terms with the implications of ‘work from anywhere’ on workforce security.

With cybersecurity incidents skyrocketing - over 5,250 confirmed data breaches occurring in 16 different industries and four world regions in 2021, according to Verizon - the time is now for channel businesses to pay attention to cybersecurity issues.

As we consider security in a distributed workplace that includes people’s private homes, favourite coffee shops, and beyond, here are the key factors that channel businesses should keep top-of-mind as we head into a new year:

Channel vendors and MSPs will need to remain cautious with regard to security controls for home networks.

Being on an out-of-office network in any form is a risk. While MSPs and vendors give their employees guidance on how to keep their work laptop safe, with reminders not to click on unfamiliar links and to use anti-virus software, there are not many controls in place in a user’s home environment and network aside from a reliance on good faith.

As employees switch between a corporate and home office, laptops need to be secured differently depending upon the network being accessed, as do any connected devices.

MSPs and vendors are well aware of the inherent dangers of accidentally clicking on links and installing malware onto work computers.

We know how to do this from a control and licensing perspective for work-owned machines, but we now have to figure out how to handle this for employee-owned machines. There are many ways to address this, from strict lockdowns of machines (removing the individual’s control over their own machine), to enforcing preferred anti-virus solutions, to next-gen A/V and Endpoint Detection and Response (EDR) solutions.

These solutions and approaches are all geared towards keeping the bad guy off the system and off the corporate network. But the bad guy isn’t always a malicious hacker - the bad guy may be a family member using the same home network as an employee with their work-managed laptop, or their partially-work-managed, BYOD (hybrid work inspired) laptop. Given that security breaches aren’t always due to malicious hackers, how do we lock down our home office life to make sure that our work product is as protected at home as it is at work? This will be a key consideration for channel businesses into 2022.

Both channel companies and employees alike are going to need to be more open to BYOD strategies.

Long rejected as a “substandard” security approach, bring-your-own-device became the standard for many companies throughout the last two years. But the question for MSPs and vendors in 2022 will be how do you secure devices that don’t conform to corporate standards (and how do you handle licensing for BYOD-required solutions)? Providing employees with options, from employer-provided security tools to an employer-approved workstation image to a virtual desktop option that can be used from any BYOD device, may be one way to make sure that employees have access to the resources they need in a secure manner. Regardless of which option is used, MSPs and vendors should ensure that all workstations, laptops and devices accessing the corporate network are managed to the MSP/vendor’s standards.

Businesses need to be aware of the security posture of their vendors.

Companies need to know what controls their vendors have on the vendors’ work-from-anywhere staff. Channel vendors and MSPs are going to have to be more open with regard to their processes and controls, and their customers are going to have to accept that they really are doing the right thing for their business. At the end of the day, both want the same thing: to stay in business and support their customers.

Companies must be more vigilant with regard to ransomware, especially to retain cyberinsurance.

What companies saw in 2021 was, ultimately, just a warning sign. There will be way more ransomware around for channel businesses in 2022, and those without good security controls on their workstations, both in and out of office, will be the ones hit the hardest. 

After almost two years of working through a pandemic, channel businesses are now pretty worn out. Hackers aren’t though. They’re getting better and better with their attacks, as evidenced, in part, by the increasing amount of risk-averse behaviour from cyberinsurance companies. Rates are doubling, and some companies are even being refused insurance altogether for not keeping their environments secure enough. The influence of cyberinsurance on defences against ransomware in 2022 will be worth keeping an eye on.