IT managers need to act now to prevent overzealous security measures from curtailing the productivity of remote and mobile workforces, writes Michael Covington, vice president, portfolio strategy at Jamf.
Organisations across the world are focused on future-proofing their workplace to meet both remote employee demands and future flexibility for hybrid work.
This year and beyond, 62 per cent of employees say they will work both at home and in the office and nearly half (47 per cent) anticipate continuing to do so through 2025. In Australia, over 65 per cent of people now work from home at least some of the time.
Employees look for specific features in the technology used for work: most commonly, these are performance/speed, system usability and battery life.
But too many organisations incur a strike against one or more of these features by putting user needs and the total user experience last on the priority list.
Strike one: Less device choice
We know from our research that employees value a choice of device (which usually also means a choice of operating system).
Device choices in the workplace are often heavily influenced by what workers choose to purchase and use in their personal lives. Historically, when given a choice, employees favoured Apple devices over alternatives, and this is particularly the case for smartphones.
Employers have strong incentives to offer employees a choice of devices for work use. There’s a comfort factor in giving employees what they’re used to: putting technology that people already know meets their needs into their hands at work should unlock productivity gains. Employees who are looked after at work are also more likely to stay. Yet company choice programs have declined in recent years, from 61 per cent in 2016 to only 40 per cent today. This is “strike one” against these organisations.
Strike two: The corporate software slowdown
Employees want performance and speed, and value the battery life on their portable devices. But the way they access business applications is often through a mandated corporate VPN that drains their device battery and struggles to maintain a performant connection to critical applications.
And so even if they are in the 40 per cent of employees who can choose a device for work that best meets their needs, they may be forced to use corporate software that makes work frustrating. Remote users working via corporate VPNs often report lengthy authentication times, disconnects, and slow speeds when trying to participate in calls via VPN.
Corporate software choices matter. Organisations that funnel users through software that offers a suboptimal experience incur strike two.
Strike three: Overzealous security rules
Lastly, employees are generally willing to cooperate on security, but once security causes usability friction, it can quickly inhibit productivity. IT organisations are rightly concerned about the security implications of managing a fully remote or hybrid workforce. When people left the workplace, organisations lost direct contact with, and control over, their endpoints (laptops, mobile devices) and the ability to impart very specific policies that were important. They then overcompensated for the loss with an overzealous application of security rules: for example, forcing repeat multi-factor authentication prompts every couple of hours to have users re-sign into their applications, as a “safety net” that the user remained authentic and in control of their device.
A risk-based, rightsized approach
Incurring one, two or all three of these strikes should be considered cause to rethink the way remote workers and their devices are secured.
Organisations need to focus on providing workers with the best end-user experience, while keeping them secure, all while helping to preserve their privacy in the process. Security cannot come at the expense of user experience.
Increasingly, the way to do this is by taking an end-to-end approach that helps secure devices and workers outside of the business, while at the same time, providing new modern technologies that help workers connect to the datasets and applications they need to perform their jobs and to stay productive.
Consider “end-to-end” in this context as a layered set of security services that can handle threat defence against devices and users; device management outside of the traditional business perimeter; and secure remote access to applications and data.
The combination of two services in particular, rightsized endpoint security and zero-trust access, is helpful in securing a work-from-anywhere model. Organisations also need to consider the security needs of different device types (e.g. mobile vs desktop) and deploy specific security mitigations and solutions accordingly. In particular, as we have discussed, performance matters: mobile endpoint security needs to have minimal impact on the end-user experience.
Rightsized endpoint security sits on a device and actively monitors for threats. The range of threats it targets is typically broad: from a rogue profile or vulnerable operating system that may need to be patched to malicious and even “good” apps that become vulnerable to in-the-wild exploits, to apps that do not adequately protect data they handle or ask for, or that use infrastructure that makes them vulnerable to man-in-the-middle attacks.
A new breed of rightsized endpoint security services designed specifically for remote work scenarios is typically capable of even more.
These services may offer lightweight inline checks on a destination address the user wants to reach, to make sure the page is safe before allowing the user to continue, along with visibility of all requests coming to and going from a device, meaning they can identify behavioural anomalies or protect users from known bad destinations.
But where these new services really come into their own is in using what they know about a device and a user to give them a risk score.
That risk score influences zero-trust access, such that only a device with a risk score below a certain threshold can connect to corporate assets or systems.
With a traditional VPN, application and data access decisions are static. They’re defined by IP subnets and IP addresses. What ensues is permissible access to entire networks without any granular control. Endpoint devices are given more access than they should have.
Zero-trust access flips that model around. All access decisions are dynamic, based upon a device, its health, the user, the app or host they want to reach or the security of the session that is being established. This is conditional, context-aware access that gives just the right amount of access to the apps and services that a user needs.
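The contrast between a static VPN rule and a risk-scored, per-request zero-trust decision can be shown in a few lines. This is an added illustration, not code from the article or from any product; the subnet, the 0 to 100 risk scale, the threshold of 40, the user entitlements and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration.
VPN_ALLOWED_SUBNETS = [ip_network("10.8.0.0/16")]   # static VPN rule
RISK_THRESHOLD = 40    # assumed scale: 0 (clean) to 100 (compromised)
APP_ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}

@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    app: str
    risk_score: int          # supplied by the endpoint security agent
    os_patched: bool         # device health signal
    session_encrypted: bool  # security of the session being established

def vpn_decision(req: Request) -> bool:
    """Static model: a source address in an allowed subnet reaches every app."""
    return any(ip_address(req.source_ip) in net for net in VPN_ALLOWED_SUBNETS)

def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Dynamic model: device, user, app and session are checked per request."""
    reasons = []
    if req.risk_score >= RISK_THRESHOLD:
        reasons.append("device risk score not below threshold")
    if not req.os_patched:
        reasons.append("device OS needs patching")
    if req.app not in APP_ENTITLEMENTS.get(req.user, set()):
        reasons.append("user not entitled to this app")
    if not req.session_encrypted:
        reasons.append("session not encrypted")
    return (not reasons, reasons)

# Constructed sample requests, all arriving from inside the VPN subnet.
SAMPLES = {
    "healthy device, entitled app": Request("alice", "10.8.3.7", "payroll", 12, True, True),
    "risky unpatched device": Request("alice", "10.8.3.7", "payroll", 85, False, True),
    "healthy device, other team's app": Request("bob", "10.8.9.1", "payroll", 5, True, True),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        allowed, reasons = zero_trust_decision(req)
        print(f"{label}: vpn={vpn_decision(req)} zero_trust={allowed} {reasons}")
```

All three sample requests pass the subnet check, while the per-request policy admits only the first and records why the other two were refused.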
Importantly, zero-trust access is designed with users in mind. It operates firmly in the background, without interrupting productive workflows, and establishes secure connections to destination servers or services with minimal battery drain, minimal device performance impact, and great speeds for the user.
Security set-ups that were created with mobile users and hybrid and remote workforces in mind offer organisations the best way to avoid striking out on enabling a work-from-anywhere model.