putilov_denis - stock.adobe.com
Work is now location-agnostic as employees use the internet to access their business apps from home offices, branch locations and other sites, including airports and coffee shops. As such, legacy security controls are no longer relevant.
Securing collaboration tools, too, must become a priority, as employees have come to rely more on cloud-based communications, including messaging and video.
"We never stopped to think about the implications in terms of what video meant to a work environment," said Frank Dickson, group vice president of security and trust at IDC.
Video is an immersive technology, and enabling an immersive experience bridges the context of security, compliance, privacy and access, he said. When video became the primary way many employees communicated during the COVID-19 pandemic, security teams had to adopt new security measures, including password requirements and blurred backgrounds for privacy.
Prior to the pandemic, security teams had the mentality that virtual work was something they didn't need to worry about because it wasn't "real world," said Christopher Rodriguez, research director of network security products at IDC.
Dickson and Rodriguez spoke at Zoom's Zoomtopia user conference on the topic of collaboration security in the hybrid workplace. The rapid shift to remote work at the onset of the pandemic proved virtual work was real world. The key to hybrid work is that employees must have a uniform experience, no matter where they are -- and security is no exception.
"You're trying to build trust at the end of day with the organization and end users," Rodriguez said.
Build security requirements around use cases
Now, as organizations shift to hybrid workplaces, security teams need to determine what security measures are necessary to protect corporate data.
"Not everybody is doing all things," Dickson said.
Early in the pandemic, some security experts touted that organizations needed every security measure to protect their collaboration platforms, including multifactor authentication (MFA), 256-bit encryption and waiting rooms. But most organizations won't need to implement every security feature in a platform, he said.
"The number one thing I advise CISOs on is: What is your context?" Dickson said.
If organizations are having large meetings with more than 300 participants, then using MFA to confirm their identities is a good idea. But, for a small business with only 20 employees, MFA wouldn't be necessary, as it's easier to see who shouldn't be on a call, he said.
While security teams may not need to implement every security measure, they shouldn't assume that data is secured behind a corporate firewall. A zero-trust model assumes all users are untrustworthy, regardless of their location along the network perimeter. This model provides granular controls for security teams and grants users access based on their identity or role, rather than their location.
A zero-trust approach ensures a consistent approach to security in the hybrid workplace, according to an IDC white paper written by Dickson and Rodriguez.
When evaluating collaboration platforms, it's important for organizations not to consider the "perfect features," but rather platforms with a variety of features to enable customization for specific use cases. That customizability is the difference between security and resiliency, and as hybrid work grows, organizations will discover new security use cases, Dickson said.
"It's not necessarily that you go out with the idea that we're going to launch the most secure platform," he said. "What you do is launch a platform, and a lot of times, you don't know what you need until you figure it out."