As recently as 2018, people suggested the growth of remote working was grinding to a halt, with only 6 percent of the UK workforce operating remotely on a regular basis. What’s more, remote working was typically available only to a select few, namely those working in the tech sector, where the parameters and expectations were clear and obvious.
The rest of the UK workforce simply didn’t have the opportunity to explore remote working, because their employers either didn’t see it as a feasible option, or thought it would limit staff productivity.
The Covid-19 pandemic, however, completely turned the traditional office working environment on its head. Industries and sectors where remote working would have been unimaginable only a couple of years ago had to find a way to make it work.
And many haven’t looked back since, finally waking up to the widespread productivity benefits of employees possessing greater levels of autonomy and trust. In fact, research reveals that employers expect the remote workforce to double when the world returns to a semblance of normality.
The security threats of remote working
Whether, as an employer or employee, you welcomed the cultural shift or not, the new hybrid working model has thrown up challenges and opportunities in equal measure. Many companies went from 0 to 100 percent of their employees working remotely overnight. The security challenges unearthed by this shift are monumental.
The safety net of in-office security teams, and the reassuring presence of on-site networks and infrastructures, were replaced by dicey Wi-Fi connections and reliance on employees to identify and report potential security breaches.
It’s no surprise then that the human element accounted for 85 percent of breaches, as revealed by our 2021 Data Breach Investigations Report (2021 DBIR). When combined with the knowledge that the median financial impact of a breach is over £15,000 (with 95 percent of incidents falling between £590 and £467,600), it becomes clear that remote working cybersecurity has to be treated as a fundamental lynchpin to business survival and success.
Four recommendations for safer remote working
However you look at it, the sad truth is that remote employees are often putting their company at risk. It’s time to give them the tools to operate safely from home, without compromising the inherent benefits of working with more autonomy and flexibility.
Remote working security risks largely fall into four broad categories, each of which requires different approaches and levels of education to help mitigate the risk of human error and damaging security breaches.
1) Users and behaviors
Before anything else, businesses and their security teams must focus on user and employee behavior. It’s important to remember that many employees are already working at full capacity, and often don’t have the time, inclination, or patience to learn new technologies from scratch.
That’s why it’s useful for employers to consider introducing behavioral and mindset changes to security culture, across the entire organization. The more tired and stressed an employee is, the more likely they are to make mistakes, so the first port of call should be checking how well people are adapting to new ways of working. Other steps include:
• Educate your staff on the common signs and dangers of social engineering and phishing attacks – the latter has risen by 11 percent, according to the 2021 DBIR – and remind them never to share information without verifying the request first.
• Use attack simulations to train employees to spot the common characteristics of phishing attacks, such as misspelled email addresses and unusual URLs.
• Extend training and policies across multiple attack surfaces – including SMS, social media, and games.
• Ensure policies are up to date, including an easily understandable remote working policy and acceptable use policy (AUP).
2) Apps
The number of apps that enable remote working has skyrocketed over the past couple of years. Companies are spoilt for choice, from video tools to file-sharing apps, and workflow management software to employee wellbeing platforms. Each new app adopted by an employee represents a new attack surface for cybercriminals to potentially exploit. Recommendations include:
• Make sure employees are using only approved and verified apps while working, laid out clearly in your AUP.
• Establish a patch policy and ensure employees are regularly updating their apps, across all their devices.
• Consider introducing a cloud access security broker (CASB), which prevents connection to company web apps if the employee’s device doesn’t adhere to existing security standards, such as the latest patch updates.
• Follow the National Cyber Security Centre guidance as closely as possible, including the introduction of two-factor authentication.
3) Devices
Remote working forced many employees to become familiar with unfamiliar working devices, such as mobile and personal laptops. And, even if employees are savvy with the security protocols of using specific devices in the office, it’s a whole different ball game when that device is taken out of the office and off the network. Recommendations include:
• Encourage employees to lock their screens whenever their device is left unattended, especially if working remotely in a café or public area.
• Ensure devices regularly encrypt data while in rest mode. While most modern laptops and mobile phones boast in-built encryption features, they may require regular configuration.
• Establish a clear and concise policy for lost or stolen devices, so employees can report the missing item to the right person as soon as possible, mitigating the risk of lost or stolen data.
• Use mobile device management (MDM) software to remotely lock access to, erase data on, and retrieve backup data from a missing device.
• Ensure employees set aside time to regularly download security updates for all their devices.
4) Networks and cloud
For some employees, remote working will be a completely new process, meaning they’ll never have used their home Wi-Fi networks for work purposes before. Recommendations include:
• Consider using Virtual Private Networks (VPNs) to allow employees safe and secure remote access to work practices and staff training.
• Restrict, or limit, the use of public Wi-Fi, as these are extremely insecure environments and represent a hotbed for data attacks.
• Introduce or update policies to educate employees on the different types of networks available (VPNs, wireless networks etc.), and which should be used in which scenario.
• Ensure all employees have taken steps to make their own home Wi-Fi network as secure as possible.
The future is here, now
Working remotely is here to stay, and companies can either embrace its meteoric rise, or be left behind. While many brands will be basking in the productivity benefits, they must also make sure they’re rising to the security challenges of such a wholesale and rapid cultural shift.
Knowing the different types of threats is the first block to overcome, and employees must then be equipped with the right tools, educated to identify the first signs of danger, and empowered to make the right decisions to protect themselves and the company. Only then can companies start enjoying the widespread benefits of a remote, autonomous, and flexible working culture.
Ali Neil, Director of International Security Solutions, Verizon