Hybrid Workplaces Are A Cybersecurity Nightmare
It’s a hacker’s dream: a constantly changing mix of workers and stretched security staffs.
For many bosses and employees, there is a measure of relief in returning to the office—especially for those who have the flexibility of continuing to work from home part of the time. But for those teams working to protect their offices from hackers, the new hybrid workplaces aren’t nearly as welcome.
In a typical hybrid workplace, some employees will be in the office, some will be working from home—or spaces like coffee shops and client headquarters—and some will be cycling back and forth. Devices, too, are moving in and out of the company network, with employees bringing their laptops onto company networks and then taking them back home—where they’re much more exposed to hackers and can easily get infected with malware.
So, security chiefs are faced with the task of supporting a constantly changing mix of office workers and remote workers, and company and home devices. Whereas security teams were able to focus on protecting the remote workforce during stay-at-home orders, doing so when employees are in the office for certain days of the week and at home for others will be difficult, says Rick McElroy, principal cybersecurity strategist at VMware Inc.’s Security Business Unit.
“It’s hard to maintain a security staff that looks one way in the data centre or one way in an office, and then one way for remote employees,” he says.
Making things even worse: Security teams have been stretched thin by the demands of the pandemic. For the past year, they’ve had to make sure everyone is equipped to work from everywhere and can use critical tools such as virtual meeting rooms. Things will only get tighter now that businesses are hiring more workers and launching into new projects they had put on hold during the pandemic.
The issues associated with hybrid work follow a bruising year for companies that were caught flat-footed by the coronavirus pandemic, many of which had to move to a fully remote model for the first time—and often almost overnight. Hackers were quick to realize that insecure home networks and a lack of security controls typically found on corporate networks could work to their benefit. The World Economic Forum estimates that cyberattacks jumped 238% globally between February and April 2020.
Those attacks have continued to hammer corporate networks, and in many cases target the technologies that companies implemented to quickly provide for remote work, such as cloud services. A report from Verizon Communications Inc., published in May 2021, found that attacks against cloud-based email, remote desktop applications and similar technologies designed to assist with remote work all increased over 2020.
“I think many organizations probably rushed [the move to remote work] and maybe haven’t done it in the right way,” says Phil Venables, a vice president at Alphabet Inc.’s Google and the chief information security officer of its cloud unit.
Now, the task gets even harder, as some workers return to the office, some stay home and some do both. Here’s a look at some of the challenges businesses are facing as they make this transition—and how they’re dealing with them.
One of the most basic problems security teams face is getting their machines up to speed with the latest software patches. These updates are released constantly to ensure that security vulnerabilities aren’t left open for hackers to exploit. If companies miss just one of these, they can pay a high price in terms of their vulnerability.
Now security chiefs are wary of the number of devices that may have sat idle in offices for over a year—turned off and unable to download patches—while employees have been absent, says Jadee Hanson, chief information security officer at cybersecurity firm Code42 Software Inc. And we’re not talking about just one patch, but potentially dozens or hundreds.
Of equal concern are devices that have been used by employees during remote working. Because of the extended time away from the office, users may have gotten negligent about installing patches, leaving machines vulnerable when they reconnect to the corporate network, says Ms. Hanson, a former security chief at Target Corp.
“We push a lot of the patching stuff down to our end users,” says Ms. Hanson. “But if they have not connected to the network in a long period of time, we just don’t know what’s left unpatched out there.”
When it comes to employees’ work-from-home devices, it’s not just a lack of patches that’s a problem. It’s the fact that many employees have gotten lax about security practices while stuck at home for so long.
Email-security firm Tessian Ltd. published a survey of 2,000 workers in December, for instance, that found over half had connected work devices to public wireless networks, which are often regarded as insecure.
Similarly, a survey of over 3,000 workers published by AT&T Inc. in March found that over half of respondents had used work devices for personal business such as online banking and downloading apps, and over a third had connected them to smart home devices such as speakers.
Bringing those machines immediately into a company network, where they might spread infections and give hackers a beachhead, could be dangerous. Instead, the safest thing may be to have personal devices log into a “quarantine network,” says Mr. McElroy of VMware.
Under this model, he says, user devices would connect to a network that is separated from corporate systems until security staff can ensure the devices are free of malware and appropriately patched.
Security staff must also be vigilant for deeper threats that may be waiting in employee devices—such as malware that can stay asleep for some time before it awakes and allows for further infection.
Will quarantining work on a continuing basis? Quarantine networks may be difficult to manage if workers are in and out of an office frequently and have to continually quarantine devices, rather than doing so once during a full office return, Ms. Hanson of Code42 says.
“If somebody is doing 100% overnight, that might make sense” to go with a quarantine, she says.
To some security chiefs, though, the hybrid model has so many risks that we need to rethink the way we approach network safety entirely. Imagine if we had hybrid work from the very beginning. Would we really be treating cybersecurity the same way we do now?
Not likely, the security chiefs say. The usual ways of training employees to guard against hackers often don’t work, they say, so we should take that responsibility out of workers’ hands—and create defenses that work behind the scenes as much as possible.
“I think it’s insane that we have basically said that we are going to train people to filter phishing emails. We didn’t train people to filter spam emails, we just invented spam filters to take the problem away,” says Tim Sadler, Tessian’s CEO.
So, what’s the alternative? One possibility is a concept called zero trust.
To understand zero trust, consider the traditional type of network security. Usually, it focuses on building a perimeter around the company network to keep intruders out—think of firewalls.
The problem is that hybrid work makes it very easy for intruders to breach those outer defences, because employees working at home aren’t as vigilant as they should be. And because traditional security is focused on keeping hackers out, it’s tough to stop them once they get in—so the bad guys can run wild.
Systems that are more vigilant use multifactor authentication: Users might have to confirm their identity rigorously when they sign in to the network, such as entering a password along with something else, like responding to a message on their phone.
Zero trust takes that a step further. Even after users pass the authentications, security checks constantly exchange information in the background to verify whether users can access certain systems or files, rather than assuming that because they passed through the gateway, they should be allowed free movement.
By doing it this way, security staff assume hackers are already inside a company’s digital walls, and their job is to make it difficult for them to wreak havoc. And, because these processes are usually automated, zero trust doesn’t have to rely on users to make it all work.
At Microsoft Corp., CISO Bret Arsenault’s team has built out a zero-trust system to check employees’ identities and devices at every turn, including through multifactor authentication that can include face, eye and fingerprint scans. Once the tools verify Microsoft users, he says, they will push employees directly to cloud-based apps such as the Office365 workplace suite, rather than onto a corporate network.
Security veterans such as William O’Hern, the chief security officer at AT&T, say that improving identity management and other core zero-trust concepts can go a long way toward foiling hackers, who often rely on compromised credentials such as breached usernames and passwords. Around 61% of attacks during 2020 involved this information to some degree, Verizon said in its May report.
“If I had one thing to tell everyone to do, it would be to focus on strong identity proofing, not only of individuals but of [devices], too,” Mr. O’Hern says.
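The quarantine-network and zero-trust ideas described above can be put side by side in a short sketch. This is an added example, not part of the original article or any vendor's product; the thresholds, field names and resource names are assumptions, and the sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Thresholds, field names and resource names are assumptions for illustration.
MAX_PATCH_AGE = timedelta(days=30)
MAX_SCAN_AGE = timedelta(days=7)

@dataclass(frozen=True)
class Device:
    device_id: str
    last_patched: date
    last_clean_scan: Optional[date]  # None means never scanned
    on_corp_network: bool

@dataclass(frozen=True)
class Session:
    user: str
    mfa_passed: bool
    entitlements: FrozenSet[str]

def perimeter_decision(device: Device) -> str:
    """Traditional model: being inside the network is the only check."""
    return "allow" if device.on_corp_network else "deny"

def device_healthy(device: Device, today: date) -> bool:
    patched = today - device.last_patched <= MAX_PATCH_AGE
    scanned = (device.last_clean_scan is not None
               and today - device.last_clean_scan <= MAX_SCAN_AGE)
    return patched and scanned

def zero_trust_decision(session, device, resource, today) -> str:
    """Run on every request; network location earns no trust."""
    if not session.mfa_passed:
        return "deny"            # identity not proven
    if not device_healthy(device, today):
        return "quarantine"      # isolate until patched and scanned
    if resource not in session.entitlements:
        return "deny"            # verified user, but not for this resource
    return "allow"

if __name__ == "__main__":
    today = date(2021, 6, 1)  # constructed sample data
    alice = Session("alice", True, frozenset({"payroll"}))
    idle_pc = Device("office-pc", date(2020, 3, 15), None, True)
    laptop = Device("home-laptop", date(2021, 5, 20), date(2021, 5, 30), False)
    for dev in (idle_pc, laptop):
        print(dev.device_id, perimeter_decision(dev),
              zero_trust_decision(alice, dev, "payroll", today))
```

The office desktop that sat unpatched for a year is trusted by the perimeter check but quarantined by the per-request check, while the healthy home laptop is handled the other way round.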
Booming demand for wellness tourism shows no slowing, with travel related to health and well-being projected to have reached $1 trillion last year and to hit $1.3 trillion by 2025, according to the Global Wellness Institute, a nonprofit based in Miami.
Curated wellness travel programs are especially sought-after, specifically holistic treatments focused on longevity. Affluent travellers not only are making time to hit the gym while gallivanting across the globe, they’re also seeking destinations that specifically cater to their wellness goals, including treatments aimed at living longer.
“I believe Covid did put a spotlight on self-care and well-being,” says Penny Kriel, corporate director of spa and wellness at Salamander Collection, a group of luxury properties in places like Washington, D.C., and Charleston, South Carolina. But Kriel says today’s spas are more holistic, encouraging folks to understand the wellness concept and incorporate it into their lifestyle more frequently.
“With the evolution of treatment products and technology, spas have been able to enhance their offerings and appeal to more travellers,” Kriel says.
While some growth is connected to the variety of treatments available, results and the digital world are also contributing to the wellness boom.
“The efficacy and benefits of these treatments continue to drive bookings and interest, especially with the support of social media, influencers, and celebrity endorsements,” Kriel says.
While genetics, environmental factors, and lifestyle choices such as regular exercise, a diet free of processed foods, sufficient sleep, and human connection play essential roles in living well and longer, experts believe in holistic therapies to help manage stress, boost immunity, and ultimately influence length and quality of life.
Anti Ageing and Beyond
“For years, people have been coming to spas, booking treatments, and gaining advice on how to turn the clock back with anti ageing and corrective skin treatments,” Kriel says. However, today’s treatments are far more innovative.
On Marinella Beach in Porto Rotondo, on the Italian island of Sardinia, guests at the five-star Abi d’Oru Hotel & Spa can experience the resort’s one-of-a-kind “longevity treatment,” a unique antiaging facial using one of the island’s native grapes: Cannonau. The world’s first declared “Blue Zone”—one of five designated areas where people live longer than average, some into their 100s—Sardinia produces this robust red wine varietal, the most widely planted on the island.
Known as Garnacha in Spain and Grenache in France, Cannonau supposedly contains two to three times more antioxidants than other red-wine grapes. By incorporating Cannonau, Abi Spa says its unique 50-minute longevity session increases collagen production for firmer, younger-looking skin.
Maintaining a youthful appearance is just one facet of longevity treatments, which range from stress-reduction sessions like massage to nutritional support and sleep programs, Kriel says. Some retreats also offer medical services such as IV infusions and joint injections.
Keeping with the trend, Kriel is expanding Salamander Collection’s existing spa services, such as detox wraps and lymphatic drainage, to include dedicated “Wellness Rooms,” new vegan and vegetarian menu items, and well-being workshops. “Sleep, nutrition, and mindfulness will be a big focus for integration in 2024,” she says.
Skyler Stillings, an exercise physiologist at Sensei Lanai, a Four Seasons Resort—an adults-only wellness centre in Lanai, Hawaii—says guests were drawn to the social aspect when the spa opened in November 2021.
“We saw a huge need for human connection,” she recalls. But over the past few years, what’s paramount has shifted. “Longevity is trending much more right now.”
Billionaire co-founder of tech company Oracle Larry Ellison and physician and scientist Dr. David Angus co-founded Sensei. After the death of a mutual close friend, the duo teamed up to create longevity-based wellness retreats to nurture preventative care and a healthy lifestyle. In addition to the Lanai location, the brand established Sensei Porcupine Creek in Greater Palm Springs, California, in November 2022.
Sensei has a data-driven approach. The team performs a series of assessments to obtain a clearer picture of a guest’s health, making wellness recommendations based on the findings. While Sensei analyses that data to curate a personalised plan, Stillings says it’s up to the guests which path they choose.
Sensei’s core three-day retreat is a “Guided Wellness Experience.” For spa treatments, each guest checks into their own “Spa Hale,” a private 1,000-square-foot bungalow furnished with an infrared sauna, a steam shower, a soaking tub, and plunge pools. The latest therapies include Sarga Bodywalking—a barefoot myofascial release massage, and “Four Hands in Harmony,” a massage with two therapists working in tandem. Sensei Guides provide take-home plans so guests can continue their wellness journeys after the spa.
Sanctuaries for Longevity
Headquartered in Switzerland with hotels and on-site spas across the globe, Aman Resorts features an integrative approach, combining traditional remedies with modern medicine’s advanced technologies. Tucked behind the doors of the storied Crown Building in Midtown Manhattan, Banya Spa House at Aman New York—the brand’s flagship spa in the Western Hemisphere—is a 25,000-square-foot, three-floor urban oasis.
Yuki Kiyono, global head of health and wellness development at Aman, says the centre provides access to holistic and cutting-edge treatments benefiting physical, mental, emotional, spiritual, and social well-being. Aman’s customisable “Immersion Programs” consist of a three- or five-day immersion. “The programs encompass treatments and experiences that touch every significant aspect to create a path for longevity, from meditation and mindfulness to nutrition and movement,” Kiyono explains.
The spa’s “Tei-An Wellness Solution” features 90- to 150-minute sessions using massage, cryotherapy, and Vitamin IV infusions. Acupuncture is also on offer.
“With its rich history of Chinese Medicine, modern research, and the introduction of sophisticated electro-acupuncture medicine, acupuncture has been proven to assist with problems and increase performance,” Kiyono says.
Resetting the Mind and Body
Beyond longevity, “healthspan”—the number of years a person can live in good health free of chronic disease—is the cornerstone of Mountain Trek Health Reset Retreat’s program in British Columbia, Canada.
Kirk Shave, president and program director, and his team employ a holistic approach, using lifestyles in long-living Blue Zones as a point of reference.
“We improve our daily lifestyle habits, so we live vitally as long as we’re meant to live,” Shave says of the retreat. He built the program from an anthropological stance, referencing humans as farmers, hunters, and gatherers based on their eating and sleeping patterns. Food includes vegetable-centric meals sans alcohol, sugar, bread, or dairy.
Guests wake at dawn each day and have access to sunrise yoga, several hours of “flow” or slow hiking, spa treatments, forest bathing, calming crystal singing-bowl and sound therapy sessions, and classes on stress reduction—one of Mountain Trek’s primary goals. The program motivates people to spend much of their time in nature because it’s been proven to reduce cortisol, the stress hormone that can lead to inflammation and disease when elevated for extended periods.
While most guests aren’t aware of how immersive Mountain Trek’s program is when they arrive, they leave the resort revitalized after the structured, one-week program. Set in the Kootenays overlooking its eponymous river, the resort and adventure promise what Shave calls a “visceral experience of transformation.”
“They’re interested in coming to be in nature,” Shave says of the guests. “They hit a wall in their life and slipped backwards, so they know they need a reset.”
This article first appeared in the Winter 2024 issue of Mansion Global Experience Luxury.