Mitigating security risks in a hybrid working environment
How to protect employees and the wider organisation.
Despite showcasing great flexibility and resilience amidst turbulent times, organisations continue to face challenges around how to develop productive and cost-effective hybrid working structures. Underpinning this is the need to mitigate the security risks that arise from increased remote working. According to the 2021 Verizon Business Data Breach Investigations Report (DBIR), cyber threats have increased significantly in the last 12 months. We’ve seen credential theft and social attacks – whether phishing or business emails being compromised – making up 67% of all breaches. On top of this, web application breaches have doubled, accounting for 43% of all attacks.
It’s therefore essential for IT departments to implement secure processes and procedures to mitigate any security risks arising from hybrid and remote working. And with 22% of all breaches being underpinned by human error and ignorance, communication and employee training are key for effective risk mitigation strategies. This is a challenge that can and must be tackled. Yet what may appear insurmountable can be effectively solved with the right polices, software, hardware and communication.
The consequences of a security breach can be significant
Whether a cyber security breach, data breach, data leak or phishing attack, substantial financial losses can occur from theft of information – whether corporate or payment. There is also the impact of disruption to trading to consider too. Once details of the leak is in the public domain, significant reputational damage will also likely follow, which can lead to loss of customers and sales and have a direct impact on the bottom line. And if data has been accidentally or deliberately compromised, this could result in fines and regulatory sanctions in line with data protection and privacy laws.
Clearly, this is a situation to be avoided at all costs. So, with the switch to remote and hybrid working, businesses must ensure that the day-to-day activities of all employees don’t leave them exposed.
Hybrid working can increase company-wide security challenges
Over the last year and a half, remote teams have been finding workarounds. Weekly stand-ups are now done via video conferencing. Daily communication happens on team spaces like Slack. And they’ve been grappling with full working weeks using only their existing home Wi-Fi network. They’ve made do and found quick fixes.
Unfortunately for IT teams, it’s not enough to simply make do. With all staff logging into the business VPN via their home networks, this poses a huge challenge to ensure visibility and to monitor every single employee’s VPN access and networks. People working from home are also at much greater risk than those in the office. As home connections are less secure, cybercriminals can access the company network much more easily. And whilst online tools and solutions for collaboration and productivity are great for employees, they often have the bare minimum when it comes to default security settings. Updates from third-party vendors can easily change security preferences and be easily overlooked.
It is therefore essential to invest in a robust, integrated suite of cybersecurity solutions that prevent, detect and mitigate cybersecurity threats. And where this may once have been mainly focused on network security, it should now also encompass device and document security as well.
Network, device and document security
Software considerations include effective and updated anti-virus software installed on every employee’s work laptop or desktop as a minimum. It is also key to continually review any changes made by third-party suppliers against any SLAs and data sharing agreements and assess the risks introduced by these changes. To provide added protection, consider adding additional steps to certain tasks. This could include the implementation of identity and access management solutions, such as multi-factor authentication, for example. This might involve an additional step for people to verify their identification when logging on to the company network, team spaces or project management tools, but it also provides an easier way for IT administrators to adjust permissions to prevent unauthorised access. It’s a small extra step for staff but an essential one for the added company-wide security benefit.
Hardware considerations may include a VPN-capable firewall, whilst any decisions around in-office hardware, such as printers and scanners, must focus on the specific security features offered. This should encompass additional network security, individual device security and ultimate security of documents.
The risks associated with the invisibility of remote working
Security challenges are also compounded by the invisibility of remote working. For hybrid working to be effective, it relies on trust. Line managers will now be focusing on measuring deliverables and outcomes to assess performance and productivity, as opposed to purely time in the office. Team members are empowered to make their own decisions and manage their time effectively.
Yet where there is a lack of understanding and ignorance around cyber security, employee empowerment to make decisions that work for them can easily lead to human error. Team members may save backups of work on personal laptops or email business documents to personal email addresses to easily access the home printer for example. Whilst this may seem like a quick fix, it can easily cause a breach in security, leaving information and data vulnerable to theft and cyber-attacks.
In an office setting, there’s also a natural defence against phishing. Team members can simply ask their manager or person next to them if something doesn’t look quite right, and they can quickly escalate. This is much harder to replicate remotely. Some staff may also feel that they have done something wrong and may be more reluctant to seek help.
Communication and training are vital for cyber-security
Cyber security training is now critical for all organisations, it can’t simply be viewed as a ‘nice-to-have’. All employees must be thoroughly trained to be able to spot potential security risks and know where and how to quickly escalate them. They must also understand the dangers and security risks of potential quick fixes or bad home working habits. As a minimum training should cover:
- Choosing strong passwords – avoiding common words, opting for longer passwords and not using the same passwords across multiple work and personal accounts
- Installing software updates in a timely fashion (including anti-virus software)
- Learning how to detect and recognise phishing scams
- Keeping the VPN turned on (and used) at all times
- Ensuring work and home devices (and email addresses) are kept separate
Lines of communication should always be open and easy to access. This may include increased IT Helpdesk hours, as well as security channels set up on the likes of Slack or Microsoft Teams. Regular updates in these channels will increase awareness of immediate threats as well as providing an opportunity to escalate potential security problems.
Simple and straightforward changes can make all the difference
Increased remote and hybrid working can increase security threats. But it doesn’t have to be this way. The tools, software and technology is available and can be easily implemented. And with the right training and communication, staff can be aware of and empowered to spot and escalate security threats. They will also be armed with the knowledge of how to work securely away from the office. With the right steps and an evolving approach to cyber security, peace of mind can be found.
Head to the Brother UK Hybrid Working hub to discover more about creating effective hybrid structures for your workplace or contact one of our expert team for more guidance, expert advice, recommendations, tips and information.
