Remote Working: Taking Security to the Next Level
In analysis / By Phil Muncaster / 03 October 2019
Over the past few years, remote and flexible working have come in from the fringes of business thinking to be regarded as mainstream workplace activities. In the UK and across Europe, this has been enabled by government legislation. But there’s also been a realisation, driven by a new generation of workers with different expectations of their employers, that flexible working makes good business sense. The problem is how to deal with the increased volume of cyber-threats that comes with it.
New research from IT services firm Capita claims that many workers are not able to do their job properly because of restrictive cybersecurity practices. If accurate, it would seem to show that there’s still some way to go before organisations are able to balance productivity gains with cyber risk mitigation.
Falling at the First Hurdle
It’s no secret why increasing numbers of British organisations are adopting more flexible working policies; it helps employers to improve productivity, attract the best candidates, and even save money on rent and building facility costs. A study from employee engagement firm TINYpulse reveals that 91% of remote workers think they perform better when working away from the office. Plus, a report from Ingram Micro claims that 60% of under-35s value remote working over generous holiday allowances.
However, despite the undoubted benefits on offer, many employers are falling at the first hurdle. And that hurdle, very often, is cybersecurity. The vast majority (92%) of the 2,000 UK knowledge workers polled by Capita argue that it’s their organisation’s job to secure remote working. But over two-fifths (42%) claim current security policies make it difficult to perform their roles adequately. In some cases, major restrictions are in place. Only half (52%) of workers said BYOD was even an option for them, while only 14% said they were encouraged to use their own device.
Threats Are Out There
On the one hand, IT departments are right to be cautious about remote working: after all, it could introduce a range of new risks. There’s the challenge of keeping malware off BYOD devices and home PCs that connect to corporate systems, especially if these machines aren’t protected with enterprise-grade security tools. In the case of smartphones and tablets, there’s an additional risk beyond phishing emails and man-in-the-middle attacks on public Wi-Fi networks: malicious app downloads.
Then there’s the perennial problem of lost or stolen devices. In this regard organisations of all shapes and sizes have challenges. In recent months, the Ministry of Defence has admitted a 300% increase in lost data and devices over the past two financial years, whilst DEFRA and the Environment Agency have lost 540 devices over three years. Meanwhile, the BBC recorded 170 lost or stolen devices over the past two years.
Only 30% of organisations are confident of being able to tackle malware on BYOD devices, with many lacking visibility into the basic apps and services running on them, according to one study. A separate report reveals that over half (57%) of global IT leaders believe their mobile workers have been hacked over the past 12 months, with 81% noting Wi-Fi security incidents. In another study, 95% of UK firms have struggled to secure remote working and around a fifth say mobile workers don’t care about security.
For many, the key to ensuring employees have the flexibility to work in an environment that suits them whilst minimising cyber risk boils down to zero trust. It’s an increasingly popular security approach that makes sense amidst the agile computing environments that dominate many organisations today. Gone are the days when one could trust everything on the inside of a network. The death of the traditional perimeter, as new cloud and mobile-based services take hold, means IT leaders must fall back to a “never trust, always verify” approach.
The idea is that, wherever your staff are, they should be authenticated in order to reduce risk. This means implementing risk-based multi-factor authentication (MFA) to ensure an employee is who they say they are. On top of this, consider mobile device management tools to support corporate security policy, for example by switching on remote wipe functionality and PIN-lock, and ensuring hardware is scanned before a device can connect to the enterprise network. Other important steps could include network segmentation and limiting access rights for remote workers, as well as enhancing end-user education.
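An added example, not from the article: a minimal sketch of the “never trust, always verify” decision described above, combining a device posture gate (PIN-lock, remote wipe, recent scan) with risk-based MFA and restricted access for unmanaged devices. All field names, risk weights and thresholds are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Every name, weight and threshold here is an illustrative assumption,
# not a value taken from the article or from any product.
MAX_SCAN_AGE_HOURS = 24
NETWORK_RISK = {"corporate": 0, "home": 1, "public_wifi": 3}

@dataclass
class Device:
    managed: bool            # enrolled in mobile device management (MDM)
    pin_lock: bool           # PIN-lock enforced
    remote_wipe: bool        # remote wipe switched on
    hours_since_scan: float  # age of the last clean security scan

@dataclass
class Request:
    device: Device
    network: str             # "corporate", "home" or "public_wifi"
    mfa_passed: bool         # second factor already verified this session
    resource: str            # "general" or "sensitive" (a segmented zone)

def decide(req: Request) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow', 'step_up_mfa' or 'deny'."""
    d = req.device
    # Posture gate: the device must pass these checks before it may connect.
    failures = []
    if not d.pin_lock:
        failures.append("PIN-lock not enforced")
    if not d.remote_wipe:
        failures.append("remote wipe not enabled")
    if d.hours_since_scan > MAX_SCAN_AGE_HOURS:
        failures.append("security scan is stale")
    if failures:
        return "deny", failures
    # Limited access rights: unmanaged (BYOD) devices never reach the sensitive segment.
    if req.resource == "sensitive" and not d.managed:
        return "deny", ["sensitive segment requires a managed device"]
    # Risk-based MFA: unknown networks are scored as the riskiest case.
    risk = NETWORK_RISK.get(req.network, 3)
    risk += 0 if d.managed else 2
    risk += 2 if req.resource == "sensitive" else 0
    if risk >= 2 and not req.mfa_passed:
        return "step_up_mfa", [f"risk score {risk} requires a second factor"]
    return "allow", [f"risk score {risk}"]

if __name__ == "__main__":
    # Constructed sample: a personal phone on public Wi-Fi, no MFA yet.
    byod = Device(managed=False, pin_lock=True, remote_wipe=True, hours_since_scan=2)
    print(decide(Request(byod, "public_wifi", mfa_passed=False, resource="general")))
```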
The pros of remote working are simply too great to let your competitors steal an advantage. That means using cybersecurity according to best practices, as an enabler and not a block on growth. This may require a cultural change inside the organisation, but the good news is that technically the tools are available right now to make it happen. Follow best practices at the very least and GDPR regulators may cut you some slack in the event of a serious incident.