As employees split their time between office and off-site work, there’s a greater potential for company devices and data to fall into the wrong hands
Over the past few pieces of this mini-series on hybrid working, we’ve explored the potential cyber-risks posed by humans and their use of cloud and other services. But what about the key piece of technology that connects these two? Portable devices, such as laptops, smartphones, tablets and thumb drives, have always represented a major risk to corporate IT security. But during the pandemic these devices were mainly static.
As offices reopen and hybrid working becomes a reality, new working patterns will expose employers to a familiar set of risks. However, this time the sheer number of employees shuttling back and forth between home, shared workspaces, customer locations and the office means a far greater potential for devices and data to end up in the wrong hands.
A new way of working
Over 60% of businesses are hoping to adopt hybrid working after restrictions ease in the UK. The figure is even higher (64%) across global business leaders. However, while a blend of office and remote work will suit most employees, driving both productivity and staff wellbeing, there are challenges. At the center of these lies your most important asset and potentially the organization’s weakest link in the security chain: its workers.
What will most likely emerge when restrictions are eased and the dust settles is far more fluidity in how and where employees work. Apart from splitting time between office and home, there could be an opportunity to work from shared workspaces, while visits to customer and partner premises will also start-up again in earnest. All of this means one thing: change. That’s a potential issue when it comes to cybersecurity, as humans are creatures of routine. One of the best ways to teach more secure practices is to encourage automatic behaviors, but this becomes much harder when employees no longer have a single working pattern.
The device security risks of hybrid working
At the same time they’ll be carrying around mobile devices, connecting on the road and potentially even transporting sensitive paper documents. In this context, the main cyber risks can be defined as:
- Lost or stolen mobile devices: If not protected with passcode, strong encryption or remote wipe functionality, laptops, smartphones and tablets could expose corporate data and resources. For example, the UK’s financial watchdog has recorded hundreds of lost or stolen employee devices over the past three years.
- Lost or stolen paper documents: Despite the popularity of digital technologies, traditional documents remain a security risk. In June, a trove of secret UK Ministry of Defence (MoD) docs were discovered behind a bus stop.
- Shoulder surfing/eavesdropping: With the advent of more trips to and from the office and other locations comes a greater risk that individuals close by may try to listen in on video conversations, or snoop on passwords and other sensitive data. Such information, even if only partially captured, could be used to commit identity fraud or in follow-on social engineering attempts.
- Insecure Wi-Fi networks: More remote working also means greater exposure to potentially risky Wi-Fi hotspots in public locations like train stations, airports and coffee shops. Even if such networks require a password, employees may be at risk of digital eavesdropping, malware, session hijacking or man in the middle attacks.
How to mitigate device security risk
The good news is that these threats have been around for years and tried-and-tested policies can help to take the sting out of them. The urgency comes from the fact that, pretty soon, a majority of employees may be exposed, rather than the relatively small number of pre-pandemic remote workers. Here’s what you can do:
Employee training and awareness: We all know that effective staff training programs can help to reduce phishing risk. Well, the same processes can be adapted to add awareness raising for employees on the potential threats mentioned above, including topics such as password management, social engineering and safe web usage. Gamification techniques are increasingly popular as they have been proven to accelerate the learning process, improve knowledge retention and effect lasting behavior changes.
Access control policies: User authentication is a key part of any corporate security strategy, especially when managing large numbers of remote users. Policies should be tailored to the organization’s risk appetite, but best practices usually include strong, unique passwords, stored in a password manager, and/or multi-factor authentication (MFA). The latter means that, even if a digital eavesdropper or shoulder surfer captures your password or one-time credential, the account will remain secure.
Device security: It goes without saying that the devices themselves should be protected and managed by IT. Strong disk encryption, biometric authentication, remote lock and data wipe, passcode protection with automatic lockout, endpoint security, regular patching/automatic updates and cloud back-up are all important elements. The NSA has a useful checklist for mobile devices here.
Zero Trust: This increasingly popular security model was designed for a world in which users can access corporate resources securely from anywhere, on any device. The key is continuous risk-based authentication of user and device, network segmentation and other security controls. Organizations should assume breach, enforce a policy of least privilege, and treat all networks as untrusted.
The shift to hybrid working won’t be easy, and there may be multiple corporate casualties in the early days. But with a solid set of security policies enforced by trusted technologies and providers, employers have much to gain from ‘setting their workforce free’.