As organisations prepare for what life looks like in a post-pandemic world, one of the many issues they’ll have to address are the cyber security risks of remote working.
A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – to complete tasks. And you better hope they have technical skills, because should they experience any technical issues, there’s only so much your IT team can do to help.
According to the Velocity Smart Technology Market Research Report 2021, 70% of remote workers said they had experienced IT problems during the pandemic, and 54% had to wait up to three hours for the issue to be resolved.
Yet, for better or worse, remote working is here to stay, with the benefits simply too appealing.
Indeed, a Gartner survey has found that 47% of organisations will give employees the choice of working remotely full-time once the pandemic is over, and 82% said employees could work from home at least one day a week.
If you’re among the organisations giving employees that choice, you must take the time to review whether your remote working practices are suitable.
You may have escaped unscathed so far, but it only takes one mistake for disaster to strike.
We explain everything you need to know in this blog, including our top tips to ensure remote workers stay safe.
Remote working cyber security risks
We are far more vulnerable to cyber attacks without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and increased reliance on technology.
The most obvious risk is that most of our tasks are conducted online. After all, if something’s on the Internet, then there’s always the possibility of a cyber criminal compromising it.
Your Cloud documents, emails and attachments, instant message clients and third-party services are all vulnerable – and with so much information being shared digitally, your attack surface has grown much wider.
Meanwhile, according to CISO’s Benchmark Report 2020, organisations are struggling to manage remote workers’ use of phones and other mobile devices.
Many employees are using their personal devices for two-factor authentication, and they may well have mobile app versions of IM clients, such as Teams and Zoom. These blurred lines between personal and professional life increase the risk of sensitive information falling into an insecure environment.
There’s nothing your IT team can do to protect you from this, which is causing major headaches. Indeed, according to CISCO’s report, 52% of respondents said that mobile devices are a significant challenge when it comes to cyber security.
You can find more tips on how to work from home safely and securely by taking a look at our new infographic.
This guide explains five of the most significant risks you and your organisation face during the coronavirus crisis.
Another threat that remote workers face is the possibility of attackers sending phishing emails.
These are scams designed to fool people into handing over your details or downloading a malicious attachment containing a keylogger.
The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.
A recent report found that there has been a 600% increase in reported phishing emails since the end of February, with many of them cashing in on the uncertainty surrounding the pandemic.
To protect against this risk, all work where possible should be done on a corporate laptop subject to remote access security controls.
This should include, at the very least, two-factor authentication, which will mitigate the risk of a crook gaining access to an employee’s account.
This ensures that the necessary tools are in place to defend against potential risks, such as anti-malware software and up-to-date applications.
It also gives your IT team oversight of the organisation’s IT infrastructure and allows it to monitor any malicious activity, such as malware and unauthorised logins.
Tired employees make mistakes
You may have felt that remote working is more tiring than being in the office. Perhaps you lose motivation in that post-lunch, not-quite-early-enough-to-clock-off window where you’re simply going through the motions.
If so, you are far from the only one. A Society of Human Resources Management study found that 35% of employees reported feeling tired or having little energy while working from home.
Similarly, the Velocity Smart Technology Market Research Report 2021 found that half of UK workers cited a lack of motivation while working remotely.
This should be a major worry for organisations, because tired or unmotivated employees are liable to make careless errors – whether that’s in the quality of their work or a poor decision that jeopardises the security of sensitive information.
Two of the contributing factors behind this are inherent to the nature of remote working.
First, employees are more likely to be distracted. This is particularly true if they have spouses or children at home, but it could be as simple as knowing you have to do the washing up or the laundry to do.
By taking your mind off work, you become less attentive to the small details. Perhaps you’ll rush an email and send it to the wrong person, or you’ll file a confidential document in the wrong place.
The second issue is that, despite being distracted, remote workers might actually spend more time working.
An Office of National Statistics study found that remote employees worked five hours a week more on average than those who worked in the office. They also did six hours of unpaid overtime on average per week, compared to 3.6 hours for those who never work from home.
This is likely the result of home workers either overcompensating for the flexibility afforded to them, or their temptation to put in a few extra hours in their spare time given the accessibility of the work environment.
With no need to commute into the office, it’s easy to stay late or log in again in the evening or on weekends.
And as admirable as it is to put in those extra hours, it makes you susceptible to mistakes. After a long, productive day, it’s so easy to make one critical mistake.
It could be as basic as saving a document in the wrong location or not configuring the database you’ve been working on properly.
No matter what task you’re working on, you must give it the attention that it deserves – even if that means shutting off your laptop at the end of the day and coming back to it when you’ve had time to refresh your mind.
Control the risk
Any organisation with employees working from home must create a remote working policy to manage the risks.
If you don’t know what this should contain, our Remote Working Policy Template provides everything you need to know.
It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.
Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.
Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.
For example, when business goes back to normal, staff may well use company devices in places such as trains and cafés, where opportunistic cyber criminals can lurk without drawing attention to themselves.
Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing a laptop, USB stick or paperwork.
Secure your staff wherever they are
Whether your staff are working in the office, at home, in shared working spaces or anywhere else, you need to manage their security risks.
Regulators such as the ICO (Information Commissioner’s Office) have shown lenience regarding potential data protection violations during the pandemic, because of the difficulties in organising employees while complying with lockdown restrictions.
However, now that most countries are moving back towards business as usual, it’s essential that you don’t get caught out.
If your organisation is yet to consider the security practicalities of mixing on-site and remote working, IT Governance can provide the support you need.
Our combination of tools and advice ensures that you have the knowledge and the means to protect your organisation while implementing a hybrid working model.
Find out how we can help you monitor the way your sensitive information is used, check for vulnerabilities in your systems, adapt to the latest data protection requirements and respond if and when a cyber incident occurs.
A version of this blog was originally published on 6 April 2020.
Hi Luke – what are your view on working outside the office & home remotely i.e. in a coffee shop, internet café or library etc., when they eventually open, apart from connecting to a insecure wifi and shoulder surfing, what other risks can you foresee in allowing work activity in such locations ?
The other main risk is losing your device or having someone steal it. Opportunists may grab a laptop or USB drive from someone’s bag when their back is turned.
Whoever will be letting a non-encrypted laptop or USB device in the wild should re-think their policies. Same is true for having no backup plan for these.
So the added loss should be limited to the financial value of the device.