The shift to working from home, fuelled by the COVID-19 pandemic, might now be reversing as a trend – with more and more employers making workers return to the office for at least a few days per week. But despite how much new work patterns have shaped industries and lives in recent years, experts question whether enough has been done to fully respond to remote working risks.
Chintan Patel, chief technology officer for Cisco UK & Ireland, tells ITPro that few companies are well-prepared for remote risks. Cisco’s Cybersecurity Readiness Index shows that just 17% of UK organizations have a mature level of preparedness to handle the security risks of this hybrid world.
But Patel concedes the onus is not purely on bosses to deal with the problem – employees must share it too. “With the freedom and power also comes the responsibility to work in a cyber-secure manner,” he says. “A more relaxed environment shouldn’t mean a more relaxed approach to security, especially when it’s at the expense of their business.”
Simple methods such as using a VPN or password manager can pay big dividends when it comes to safe remote working. Multi-factor authentication (MFA) is another easy win to prevent malicious access, and downloading the latest system updates is always advised.
Mark Raeburn, global cyber investigations and forensics response (CIFR) lead at Accenture, admits greater financial investment from the board level is also essential. Accenture’s latest Pulse of Change survey found six in 10 British C-Suite leaders plan to increase spending on cyber security in 2024, nearly double the figure from 2023.
“2024 will, and should, see a fresh injection of investment into security teams and tooling,” he says. “Even before COVID, remote working was already common, and staff now consistently expect to be able to work on the road.”
Raeburn also acknowledges how “complacency breeds vulnerability,” adding: “Endpoints are always going to be seen as an easier target, but increasing the protection and, more importantly, detection of a breach – both in the office and from home – becomes key.”
Remote working risks: Nurturing the human firewall
Absolute security is impossible, whether in the office or within a remote scenario. CTOs, CIOs, and CISOs can only manage and mitigate risks to what is deemed an acceptable level within their own organization. Given the huge scale of the problem, that can be easier said than done. Tris Morgan, managing director of security at BT, points to the telecoms giant’s own teams finding 46 million indicators of cyber attacks per day.
“It is all too easy to fall into the trap of thinking that a cyber attack might not happen to you – either due to the nature of your work, or the perceived safety of the network used while remote working,” he explains. “This is, of course, a myth.”
Morgan believes employees should view the issue like they do their own home security: “In the same way one wouldn’t leave a door or window open for intruders to take advantage of, it is just as important to prioritize good cyber hygiene wherever they are working.”
This extends, he says, to implementing remote access to secure networks and saving documents containing sensitive information on secured, password-protected servers, rather than on company or personal hard drives. Using personal devices such as smartphones and laptops for work presents a greater risk than using locked-down equipment provided by IT.
Employees working remotely can prove to be their own worst enemy. For example, connecting to unsecured, public Wi-Fi in cafes or train stations is a major open door for hackers, while human error in not picking up on phishing scams via email is another.
A study by SoSafe found three-quarters of respondents believed remote working risks have contributed to the overall worsening of the threat landscape, especially as security teams lose oversight and monitoring of remote workers. It suggests employees working remotely click on phishing emails at three times the rate of employees working from the office.
“The large-scale shift to remote work means it’s more vital than ever to build and reinforce a strong ‘human firewall’,” warns Dr Niklas Hellemann, CEO at SoSafe.
Remote working risks: Replacing legacy tech
Supporting and protecting a remote workforce means having a watertight security strategy, good oversight, and up-to-date systems. But Quentyn Taylor, senior director at Canon EMEA, suggests businesses “remain dangerously behind in the uptake of security technology”, often relying on outdated legacy tech with limited protection, authentication, or authorization.
“Simplicity is key for a good cyber defense, especially when it comes to remote working. Start by investigating your cyber footprint, and understanding what your business looks like to an attacker. Businesses must be clear about which of their assets require the most protection and isolate sensitive data from other vulnerabilities.”
He also predicts: “In the hybrid working world, we will continue to see the nature of ransomware become more diversified as criminals move down the value chain to smaller enterprises that don’t have the robust resources or cyber resilience in place to establish a proper cybersecurity team or defense mechanisms.”
Other techniques to prevent remote breaches can be as simple as personally verifying any information received or actions requested, and always locking a device’s screen with a password when it’s not being used. Such tips should always form part of company-wide education programs, experts advise.
Lewis West, Head of Cybersecurity at Hamilton Barnes, one of the UK’s largest specialist network and cybersecurity recruitment providers, has seen increasing numbers of businesses investing in such security awareness training for employees. “There is even a better understanding around less obvious hazards such as employees sharing photos of their work screen on social media that accidentally feature sensitive company details,” he adds.
Should a breach occur from remote working, the legal consequences for employer and employee are complicated. Andrew Whiteaker, Head of Employment at law firm Boyes Turner, explains this will be taken on a “case-by-case basis”.
“There are situations where it can be a training issue, such as responding to a phishing email. However, where it can be shown that an individual has failed to comply with, or follow, safe remote working policies, this can give rise to disciplinary procedures,” he says. “There are also cases where culture around cyber has been affected by, for example, managers who condone shortcuts being taken. Again, disciplinary action can follow where employers can show individuals failed to follow clearly outlined policies.”
As an overarching action towards greater remote working security, establishing a “single source of truth” using a Critical Event Management system can be critical, argues Keiron Holyome, VP UKI & Emerging Markets at BlackBerry.
“Internal communications can ensure all employees are alerted and instructed on a potential breach in one single action,” he explains. “This frees IT team resources to tackle the issue at hand. Providing regular advice and updates ensures that employees – wherever they are working – remain cyber secure and fully informed.”