Remote working is now a way of life in the UK. Even as many European workers returned to the office during summer, UK employees were a notable outlier in staying away. The future is also increasingly remote: a recent study by the British Council for Officesrevealed that once government measures allow, organisations will increasingly move to a flexible mix of home and office-based work. As Trend Micro research has shown, this all has major implications for cyber risk.
To navigate these increasingly challenging business conditions, IT leaders will need to blend personalised user training with updated security policies and enhanced tooling.
What we found
Our Head in the Clouds research is distilled from interviews with over 13,000 remote workers in 27 countries. It reveals that, although most claim to be more security-aware since government lockdowns forced them to work from home (WFH), the reality is very different.
Thus, 72% feel “more conscious” of cybersecurity policies today, 85% say they take IT instructions seriously, and 81% agree that security is partly their responsibility. However, on the flip side, over half (56%) admit using non-work apps on their corporate device, and even more (66%) have uploaded company data to it. A sizeable minority (39%) “often” or “always” access corporate data from a personal device.
They may not realise it, but these employees are putting their company and its data at risk by doing so. Unsanctioned apps could contain information-stealing malware or even ransomware, especially if downloaded from unofficial app stores. There’s also a “shadow IT” problem with uploading data to unapproved apps, in that the IT department is then unable to secure or manage it. This could break corporate policy and land the company in hot water with regulators. Personal devices may be less well secured than corporate equivalents and therefore represent a potential infection risk if connected to work networks and data.
What happens next?
The good news is there are things you can do today to mitigate these risks. It starts by understanding that not all employees are the same. User training and awareness programmes should therefore be tailored according to their personality types and not reduced to a “one-size-fits-all” approach. Dr Linda Kaye, a Cyberpsychology Academic at Edge Hill University, has identified four separate personas which could help inform these initiatives.
Next up, if you haven’t already, it’s time to update security policies for the “new normal” of mass remote working. That means restricting use of applications and devices to only those approved by IT, according to your organisation’s risk appetite. It’s vital not only to update these polices but also to communicate them, ensuring staff know the repercussions if they break the rules.
The final piece of the puzzle is technology. You may want to roll-out corporate devices to all remote workers, featuring strong anti-malware and other protections pre-installed. Or use cloud-based tools to remotely patch and secure home devices and PCs dedicated for work use. Increasingly, organisations are switching from VPN to cloud-based security as it’s lighter weight, easier to manage and more streamlined. In this case, consider a zero trust modelfeaturing multi-factor authentication for each user to minimise the risk of breaches.
These are challenging times, but those organisations who manage the shift to secure remote working most effectively will be best placed for success when the pandemic recedes.