The future and nature of work is changing. So here’s all you need to know about how to keep your people secure in the ‘new normal’.
Remote working, hybrid working, anywhere-working, flexible-working, 4-day-week working, and everything in between – if the pandemic has done one thing, it seems to have destroyed nine-to-five in the office.
Saying so long to the stationery cupboard and “auf wiedersehen” to the water cooler might have been great for staff, but it presented a serious challenge for security leaders back in 2020. And while, way back then, many thought the situation was temporary – a few months at most – and would be mitigated by vaccines, that clearly hasn’t been the case.
Indeed, Forrester’s Predictions 2022 anticipates the following setup:
- 10% of firms will shift to a fully remote model 🏡
- 30% will go back to a fully in-office model 🏢
- The remaining 60% of firms will shift to a hybrid model 🏡 + 🏢
Those that insist on a fully in-office model, will find that employees simply won’t have it. Attrition at these firms will rise above their industry averages — monthly quit rates will rise to as high as 2.5% for as much of 2022 as needed until executives feel the pain and finally commit to making hybrid work … work.
Our own research bore this out too.
According to our Securing the Future of Hybrid Working report, just 11% of employees said they’d want to work exclusively in the office post-pandemic, with the average employee wanting to work from home at least two days a week. And over a third of people said they wouldn’t even consider working for a company if it didn’t offer remote working in the future.
That represents a lot of employee churn and HR headaches for you and your security team, which we’ll explore shortly. But first, given we are in security, let’s recap the current risks.
What are the security risks with remote working?
The majority of IT leaders we surveyed believe permanent remote or hybrid work will put more pressure on their teams, while over a third (34%) were worried about their team becoming stretched too far in terms of time and resources.
While hybrid or flexi-working is great for employees, it’s the worst of both worlds for IT teams who have to simultaneously manage and mitigate security risks that occur in and out of the office, while providing a seamless experience that enables employees to work from anywhere. So if that’s the environment you’re having to work in, what are the risks?
Unsurprisingly, topping the charts is the classic phishing attack. 82% of IT leaders we surveyed believed employees are at greater risk of phishing attacks when working remotely. The pandemic saw a surge in these, with CISA specifically warning of attacks targeting remote workers back in Jan 2021.
Those threats haven’t gone anywhere in the meantime. Indeed, they’ve only increased with our reliance on delivery companies for shopping. But brand impersonations have expanded beyond the usual logistics and utility companies to software providers like Microsoft, Adobe and Zoom.
There’s a strong probability that, as we move forward in this new hybrid environment, remote work blindspots will be exploited.
This begs the question: how do you ensure people’s home networks are secure? There are also concerns around liability. If Company A faces a ransomware attack that spreads to an employee’s home network, and then to their partner’s company device, infecting Company B… is Company A now liable for the losses Company B suffers?
This scenario is only exacerbated by having a Bring Your Own Device policy. Of course the benefits of BYOD are lower costs, increased flexibility for staff and a more productive workforce. But there are downsides around physical and network security.
An August 2021 survey conducted by Palo Alto Networks found that relaxed bring-your-own-device (BYOD) usage led to increased security issues at 83% of companies. We explore those issues, for both security teams and workers themselves, in this post.
How new habits become bad habits
That same Palo Alto survey also found that 35% of companies reported that their employees either circumvented or disabled remote security measures. Our State of Data Loss Prevention report backs this up with the following alarming stats.
- 48% of employees say they’re less likely to follow safe data practices when working from home.
- 84% of IT leaders report DLP is more challenging when their workforce is working remotely.
- 52% of employees feel they can get away with riskier behavior when working outside of the office.
When asked why they were less likely to follow safe data practices when working from home, employees cited not working on their usual devices (50%) and being distracted (47%) as two of the top three reasons.
We’ve listed the 13 worst cybersecurity sins below. So take a moment to see if people in your organization are making these security errors.
Evaluate and evolve your current process
So, we’ve understood the risks, and are aware of some less-than-perfect security habits. Now we need to examine our processes. You’ve probably implemented some form of remote security processes since the start of the pandemic. But you should always be looking to evolve it to stay on top of your game and in light of new threats and changing circumstances.
Education in security has a huge part to play in making people aware of the risks associated with working remotely, and dispelling some of those new, bad habits. Our views on security awareness training are well-known. An hour-long ‘test quiz’ once a year just isn’t going to cut it. Instead you need to bake security into your organization’s daily operations.
As Bobby Ford, Global Chief Security Officer at Hewlett Packard Enterprise says in this video, how can you get a little bit of cyber into other programs in your organization? And don’t just stop at events, town halls, intranets, or staff newsletters. These are all places to continually beat the drum for good security. So work with your people and comms teams to help enable that.
We have a bunch of tips, resources and best practice information in this post that you can use as part of your cyber security refresher training. And if you need support from the C-Suite, here’s how to get it.
What’s perhaps most remarkable about the switch to remote working is that it happened almost overnight. The efforts and tools IT and security teams put in place quickly ensured that many companies stayed operating – jobs and lives were no doubt saved.
Now, however, those tools and processes are a permanent part of your business, and reviewing your security stack to ensure it’s fit for purpose in a remote world is critical. So what should you look for? Well, ask yourself questions like:
👩‍💻 Does the application process personal data? If so, why and in what volume?
🌏 Where is the data processed?
📚 Does the application take back-ups of data? If so, how often?
🚫 Who has access to the data in the platform?
📱 Is access conditional upon Multi-Factor Authentication (2FA, for example)?
We’ve fully explored how to onboard remote collaboration and productivity tools here.
The Great Re-Evaluation and the future of remote work
Finally, there’s one other aspect of remote working to address, and that’s people themselves. The pandemic caused a lot of soul searching in many employees about their future and the sort of companies they wanted to work for.
The past 18 months have seen unprecedented demand for highly skilled roles, and many people are using this to turbocharge their careers. The person in this BBC article increased her salary by £10,000 in six months, and she surely can’t be the only one.
So as well as protecting your people from external threats, there are also potential dangers from within. If people are leaving, what better way to make a great impression on the first day at their new gig than by bringing a juicy file of customer data, source code, or other highly valuable IP?
Again, our State of Data Loss Prevention Report found that 45% of employees admit to downloading, saving, or sending work-related documents to their personal accounts before leaving or after being dismissed from a job.
Assuming your USB ports are disabled, staff will often extract these assets by emailing them to their personal accounts. This is a particular problem in sectors such as legal, financial services, and entertainment, where a client base and extensive networks are crucial.
We’ve explored in detail how to keep your data safe in The Great Re-Evaluation below.
At Tessian, we know being an InfoSec leader is hard. The threats are relentless and the landscape is constantly changing. The halcyon days of rows of desktop PCs in an office block protected by on-prem Secure Email Gateway (SEG) are confined to the history books. Remote work, an infinite perimeter, and sophisticated attacks by email are here to stay.
The only question is, how are you going to deal with them?
To find out how Tessian can help secure your remote teams, get in touch for a demo.
Andrew Webb
Senior Content Manager