The office space has changed over the last few decades: from cubicles and open space to what The New York Times has described as a ‘palette of places’. However, despite its numerous benefits, remote working can be a cybersecurity headache for companies, their employers or clients.
Although remote working is increasingly popular among newer tech companies, older organisations such as Microsoft, IBM and General Electric are also adopting these practices. There are various forces behind the rise of remote working, but one of the main reasons is that the workforce is becoming increasingly mobile, so that work can be done from anywhere and at any time.
A recent Gallup report suggests that about 43% of employees worked remotely in 2016, while the globe-spanning 2017 study from Polycom reported that the remote workplace is on the rise: 62% of 25,000 surveyed workers reported regularly taking advantage of flexible working practices offered to them.
Besides typical remote working for a company, a variant of this type of working also includes the so-called ‘gig economy’ or ‘on-demand’ economy. It denotes an environment in which temporary positions are common and organisations contract with independent workers for short-term engagements. For example, a study by Intuit predicted that by 2020, 40% of US workers would be independent contractors.
Although beneficial, remote working comes with a number of cybersecurity issues. According to new figures from CybSafe, every third business in the past 12 months has suffered a data breach thanks to its remote workforce.
Remote working cybersecurity issues
The iPass survey ‘2018 Mobile Security Report’ found that the majority of Chief Information Officers (CIOs) suspected that their remote workers had been hacked in the last 12 months. Additionally, 67% of respondents believed that most Wi-Fi-related cybersecurity incidents occurred at coffee shops. Moreover, almost half of the CIOs surveyed said that Bring Your Own Device (BYOD) initiatives had increased cybersecurity risks.
Generally, remote working is associated with three major issues: inability to enforce cybersecurity, lack of commitment to ‘best practices’ and risky behaviour of the mobile workforce. In concrete terms, remote working cybersecurity issues are associated with: (i) Wi-Fi security, (ii) hacking risks, associated with (iii) coffee shop Internet access, (iv) the use of personal devices for work (BYOD practices), and (v) use of free Virtual Private Networks (VPNs).
Although all of these cybersecurity issues are important, it seems that the weakest cybersecurity link is still the human factor. The most reported cybersecurity breaches involving remote workers are linked to (i) opening emails and attachments from unknown or suspicious sources, (ii) using work computers and devices for personal use (e.g. private social media networking), (iii) allowing non-employees to borrow work computers and devices for personal use, (iv) hijacking wireless internet connections from neighbours, (v) accessing work files with personal, non-IT-protected devices, and (vi) using ‘shadow’ (unsanctioned) devices or applications.
The Cisco Systems remote worker behaviour study, conducted in parallel in 10 countries, points to several interesting facts:
- Online shopping: Nearly 40% of remote workers in the same respondent pool said they use their work computers for Internet shopping. Half said they make personal online purchases because their “company does not mind them doing so.”
- Sharing computers: 21% of users admitted that they allowed others to use their work computers. More than one in four stated that they “don’t see anything wrong with it” and also believed that computer sharing “does not increase security risks.”
- Risky wireless behaviour: One in 10 users surveyed stated that they have used a neighbour’s Internet connection when working remotely. Most stated they did so because “they were in a bind.” 18% stated that “my neighbour doesn’t know, so it is OK.”
- Personal devices: Almost half reported that they used their own personal devices to access corporate resources. Yet only half of those who used these devices said they had antivirus or security software on the devices.
- E-mail downloading: 10 to 20 per cent of users in India and Brazil admitted to opening unknown e-mail messages and their attachments. Moreover, 38% of users reported that they click on unknown e-mail messages but do not open attachments.
In a world where the average website is attacked 44 times per day, the possibility of remote working cybersecurity breaches is not too hard to imagine.
Tips for remote working cybersecurity
The cited Cisco study showed that nearly one-third (29%) of users use the company computer for personal use. This not only affects productivity but also poses greater cybersecurity threats. Considering this and similar trends, the problem of cybersecurity for remote workers will undoubtedly grow rapidly – unless organisations and their remote workers confront the issues proactively.
Awareness is a crucial first step in safeguarding organisations. While end users might be aware of the importance of security, this knowledge is not sufficient to ensure safer behavioural habits among remote end users. “Just because users think or say they are cognizant does not mean they know how to be safe. An end user who is poorly informed about security best practices, yet believes he is working safely, can actually exacerbate security risks for IT organizations”, cautions the Cisco study.
Hence, creating clear remote working policies and procedures, which cover the use of all sanctioned devices and applications, is of the utmost importance. It is equally important that employees participate in policy creation. This will ensure that these policies will be aptly enforced and accepted by the remote workers.
But first things first: enforce multi-factor (at least, two-factor) authentication to control access to the organisational information system.
Providing workers with tools that are effective from the business standpoint but also cyber-secure is essential for securing remote working as well. This practice will eliminate the need for ‘shadow’ IT. Of course, business and security software should be updated frequently.
Encrypting data on all devices in use is a must. In addition, access to the company’s data should be granted only to approved mobile devices – and only to data that employees need. Although it can sometimes slow business processes somewhat, the use of VPNs in this regard can help tremendously.
It is, however, of supreme importance that organisational IT and cybersecurity teams nurture two-way communication with end users in order to collaborate and educate them about possible threats and risky behaviour. In turn, by sharing their experience with the cybersecurity team, end users can help in fine-tuning organisational strategies for deploying appropriate technologies and non-technical safeguards.