By Jon Fielding, managing director EMEA, Apricorn
Human error and apathy still present a major threat to the security of data when employees are working remotely. This is despite valiant efforts from organisations to educate their workforces in cybersecurity risks, and the practices they must follow.
In a recent survey carried out by Apricorn, more than half (57%) of UK IT leaders said they expect remote workers to expose their organisation to the risk of a data breach, up from 44% in 2018. More than a third believe their remote workers simply don’t care about security.
For those organisations that had experienced a data breach in the last year, employees unintentionally putting data at risk was the leading cause (33%), followed by lost or misplaced devices – cited by 24% of respondents, a rise from 17% a year ago.
These findings highlight a continued and growing ‘insider threat’ that organisations must address. Given the increased numbers of people working remotely due to the COVID-19 outbreak, any weaknesses in the security strategy will be amplified. Increasing volumes of sensitive and confidential data are being accessed from outside the traditional corporate network perimeter, from a combination of work devices and personal devices. And regulations such as GDPR certainly haven’t gone anywhere.
Malicious actors are seeking to take advantage of any chinks in an organisation’s armour – and the human being is often the target. According to research from KnowBe4, for example, phishing email attacks relating to the pandemic rose 600% in the first quarter of the year, as hackers sought to profit from disrupted businesses and distracted individuals.
A lack of buy-in
The growing human risk uncovered by Apricorn’s survey suggests that organisations are still struggling to get employees to buy into the security strategy, and that’s a problem which cannot be addressed by IT alone. Different functions of the business – in particular HR, but also communications and the executive team – need to collaborate to ensure a consistent and effective approach to cybersecurity across a highly distributed workforce.
Not only do organisations need to protect their data, but they need to do so while enabling staff to be productive and efficient.
The approach taken must combine the right technology and tools with policy, education and culture change.
Find and address the vulnerabilities
IT first needs to identify exactly where the organisation’s cybersecurity vulnerabilities lie, encompassing both technology and human factors.
This must include an audit of all software to determine whether the latest updates and patches are in place, and a check of all security controls currently applied to on-premises network infrastructure, databases and systems, as well as any parts of the IT estate that run in the cloud. Any gaps where infrastructure, hardware or software are exposed to a breach must be addressed immediately.
In addition to technology, weaknesses in security policies, procedures and processes must also be addressed, particularly those that cover remote working and employees’ use of their own devices for business purposes. IT, HR and the internal comms team should work together to update policies and create new ones where appropriate, setting out clearly how employees are expected to behave, the best practice protocols they must apply, and the devices they’re allowed to use and how.
Strict policies around the use of removable media such as USB flash drives and portable hard drives are also essential.
All policies then need to be communicated effectively to the entire workforce, in a way that ensures they understand what they must do differently and how to comply. An effective education programme is essential, which again demands collaboration with HR and comms teams.
Build a culture of accountability
Nearly two thirds (63%) of respondents to Apricorn’s survey said their remote workers are willing to comply with security measures, but don’t have the necessary skills to do so. Comprehensive training programmes must be designed and rolled out to all employees, including temps, contractors, part-timers and senior executives. These should be both informative and engaging in order to secure buy-in.
In addition to being trained in good cybersecurity practice, to build a security-focused culture employees should be educated in the specific risks and legislation that apply to the organisation, why certain requirements are in place, and the consequences of failing to follow procedure.
More than ever before, protecting data from loss or theft is everyone’s responsibility, and senior teams must lead by example, modelling best practice behaviour. They should be involved in communicating key messages directly to employees, perhaps via video.
The risk of human error will always remain, and enforcing policies is a challenge when the workforce is so dispersed. To mitigate this risk, IT should implement a safety net of technical controls that will protect data if employees make mistakes or decide to cut corners.
Strengthen endpoint controls
Securing the endpoint will protect data and systems wherever the employee is working, and whatever device they use, allowing the organisation to have complete confidence in the integrity of its information.
This can be done through, for instance, only allowing remote workers to use devices that have been provisioned or approved by corporate IT, and putting in place a policy that requires hardware encryption of all data as standard – whether it’s being stored or is on the move. Encryption creates the all-important ‘last line of defence’ which will keep information safe whatever else is happening around it.
One way to guarantee that remote employees work in the best and safest way is to provide highly secure portable hard drives and USB flash drives with built-in encryption capability. All data is automatically hardware encrypted as the user writes it to the device, so that if the device does end up in the wrong hands the information on it will be inaccessible.
IT can also use such USB devices to roll out a secure remote working environment to the entire workforce, by loading them with the corporate ‘desktop’, featuring all standard applications, operating systems, configurations and security settings. Employees simply boot this up on whatever computer they’re using, and work within a trusted environment that has the same approved settings and controls they would get in the office.
Tightening up access control will also mitigate the insider threat. Establish who has permission to access each data set and each corporate application. What devices are they using for this purpose? Do they really need to be able to access everything? Next, restrict employees’ access to systems and databases according to ‘least privilege’ principles, and implement a privileged access management (PAM) solution.
A long-term solution
This current situation is likely to trigger a more sustained shift to hybrid office/home working models for many organisations. Collaborating across departments to facilitate secure and productive remote working should therefore be seen as a long-term approach.
Increased collaboration will help to equip employees with everything they need to access their work data and systems seamlessly and securely from wherever they’re working, while ensuring that their need for productivity and flexibility is not compromised.
The outcome will be an engaged and committed workforce, made up of individuals who use the right tools in the right way, and take personal responsibility for protecting corporate data when they are out of the office.