
Thankfully the global pandemic of 2020 is long gone, but working from home is here to stay, even adopting its own acronym, WFH. It is certainly a perk for attracting and retaining talent, but when WFH is implemented on a mass scale, it can invite a host of cybersecurity risks and challenges. Let's understand why.
1. Remote Workers Are Easy Prey
When employees work from the office, they are typically protected behind a secure corporate perimeter. When they work from home, hardly any such perimeter exists. Home Wi-Fi is no match for corporate Wi-Fi. In the office, employees are required to use company-owned devices; at home, however, they can use personal devices to access corporate resources, and sometimes they use company devices for personal matters. These different scenarios make remote workers a softer target for opportunistic threat actors in comparison to in-office workers.
2. Remote Work Is Ideal for Social Engineering
When employees operate remotely, they rely solely on digital communications and virtual interactions. As a result, they become habituated to receiving business requests via email and instant messaging. This creates the perfect environment for cybercriminals to launch highly targeted and advanced phishing campaigns. Studies show that lone workers are more susceptible to phishing and social engineering attacks in comparison to in-office workers.
3. Remote Workers Are Less Likely to Follow Security Best Practices
Recent research concluded that remote workers show certain behaviors that increase organizational security risk. For instance, 45% of remote workers reuse passwords for their work and personal accounts; nearly one-third of remote employees work more than 20 hours per week from their personal devices; and 90% of employees access corporate resources from more than five locations. Remote workers tend to leave their computers unlocked, which can allow family members easy access.
4. Remote Workers Are Distracted
Remote work blurs the boundaries between professional and personal lives. Workers have many distractions relating to family commitments and household affairs. Moreover, there is a constant barrage of emails, notifications, and messages, combined with social media and interruptions from visitors, deliveries, children, pets, etc. Scammers and cybercriminals leverage such situations to social engineer victims, steal data or credentials, and gain access to the target's environment.
5. Remote Workers Cut Corners With Security
Most workers want to be productive and get things done. However, when they are remote, going through official channels can be a laborious and frustrating process, especially if they need to jump through multiple hoops, cut through red tape, and seek approvals to use a particular tool or software.
Consequently, employees might cut corners, and download or use unauthorized software and apps. Cybercriminals can trick users into downloading cracked software, which is usually laced with malware.
A Security-First Culture Is Needed to Overcome These Risks
If technology were a panacea for all cybersecurity woes, then it would be too easy for large, deep-pocketed corporations to deploy technical security controls and call it a day. Unfortunately, that's not the case. Most cybersecurity issues stem from human error, not shortcomings of security technology.
Culture helps shape behaviors, which is why HR teams working in concert with cybersecurity pros must take the initiative in building a security-first culture. Below are recommendations that can help.
1. Train Employees to Adopt a Security Mindset
Remote workers lack proper knowledge and understanding of cybersecurity. Through security awareness initiatives and phishing simulation exercises, staff can develop security habits and instincts and grow to become confident with cybersecurity best practices that extend to working remotely.
2. Provide Tools to Be Secure and Successful
Be mindful of the security needs of employees. Support them with tools for secure operations. For example, train employees on the regular use of password managers, which can store and auto-generate complex and unique passwords. The organization should enable phishing-resistant multi-factor authentication (MFA) to protect employees from identity theft and credential harvesting.
3. Set Clear Policies and Expectations
As administrators and policymakers, HR and security teams must set clear guidelines and policies around expected security behavior and the consequences of non-compliance. Ensure employees are aware of these protocols and offer updates, advice, and training, emphasizing the importance of security in the organization.
4. Focus on Improving Work-Life Balance
Although it's not apparent, there is a direct connection between mental stress and cybersecurity performance. When employees feel relaxed and healthy, they tend to be more engaged and alert, feeling a sense of pride when security standards are upheld.
HR teams can offer mental health resources and stress management techniques. They can foster a supportive culture where people feel appreciated, supported, and empowered to manage cyber threats effectively.
5. Tighten Access and Security Measures
Remote workers who manage sensitive data are sometimes unaware of the risks they are exposed to. Access to sensitive systems and data must therefore be limited and security measures must be upgraded to reduce the risk of infiltration, exposure, or compromise. As access requirements evolve, privileges must be reviewed, tweaked, or revoked.
6. Promote and Celebrate Security Internally
Business book author John R. Childress says, "You get the culture you ignore." In other words, there must be an intentional effort by HR and the leadership team to build, promote, and reinforce corporate security values. They must lead by example because culture is infectious and driven from the top down. They must recognize and reward people whenever the opportunity allows (via internal newsletters, company events, all hands, etc.) and celebrate positive security behavior and contributions made by employees.
A secure remote working environment needs more than just security technology. It needs employees with a security mindset and a culture and environment that is transparent, trustworthy, inclusive, and supportive. Cybersecurity teams will, of course, do what they can, but in the end, security is everyone's responsibility.