How remote working increases cyber security risks

We live in a world of increasingly sophisticated hackers and adversaries, out to steal data from people and companies for profit, knowledge or disruption. As businesses embrace digital transformation and new ways of working, keeping sensitive information safe is a growing challenge for employers and employees.

The workplace is changing fast, particularly offices. A 2019 study by International Workplace Group, which operates serviced offices and co-working spaces, found that 50 per cent of employees globally work away from their office at least two and a half days a week. Some analysts predict that up to half of the workforce will be freelance within 10 years, as short-term work becomes more common. Meanwhile, many businesses have increasingly long — and global — supply chains. Inevitably, these changes come with added cyber-security risks.

“It makes [cyber security] a lot harder when your attack surface — the culmination of all the networks and systems you use for work — is sizeable,” says Justin Harvey, global incident response lead in the security division of consultancy Accenture.

Chris Miller, regional director for the UK and Ireland at RSA Security, a cyber-security company, points to the difficulty in knowing if someone is who they say they are online. “A new digitally enabled, dynamic workforce can operate from various locations, and these remote workers introduce new identity-assurance problems,” he says.

Many cyber-security advisers recommend businesses move their work applications to the cloud, so that data remains on company servers wherever staff are located.

“The use of virtual environments is key to providing capacity and flexibility, but this means placing applications in the public cloud for easier access,” says Alex Schlager, chief product officer in the cyber-security group at US telecoms company Verizon. This means “traditional ‘physical’ perimeter security solutions that have protected critical applications in the past are no longer effective”.

In response, companies must tightly control who has access to their data, and for how long. For example, if a temporary worker leaves a project, access must be rescinded. “Without having control over who has access to what, when and under which circumstances, data and the wider network will be put at greater risk of human error and malicious attack,” says Miller.

There are many software tools that provide “the means necessary to enforce good protections around data, such as access control and encryption”, says Eric Haller, vice-president of security operations at Palo Alto Networks, a US cyber-security company, adding that legacy systems may need to be updated.

But employers also need to provide training. Constructive criticism is encouraged. “Notify employees of bad behaviour at the time they do it,” says Amir Ben-Efraim, co-founder and chief executive of Menlo Security, another US cyber-security company.

Above all, the blurring of boundaries between home and workplace can be an unsettling factor. “One of the biggest risks of the new ways of working is ‘BYOD’,” or bring your own device, says Accenture’s Harvey. “Companies are paying millions of dollars a year to protect their systems,” he adds, citing firewalls, intrusion detection and antivirus software. “When you introduce BYOD, you are essentially trusting that your employees are taking the right precautions.”

When you introduce BYOD you are trusting employees are taking the right precautions

Employees’ own computers do not have the same protections as work devices, nor the same capabilities for monitoring activity. If you are compromised while away from work premises, an attacker could “tailgate” you — that is, get into the systems in the building when you go into work the next day, says Harvey.

It can be difficult for businesses to formulate policy. Steven Booth, chief security officer at US cyber-security business FireEye, notes that each approach is “highly dependent on the company”. Some workplaces, such as hospitals, have special laptops that can be used only in patient care. Others set a “whitelist” of websites that can be accessed on work devices.

Providing devices for home working can be costly, so many organisations rely on staff using their personal devices. “As a Silicon Valley tech company, I would have an attrition problem [if work on personal devices was banned] — people would quit,” says Booth.

Businesses such as FireEye typically introduce extra security measures, in particular mobile device management, sometimes via a third party. This might include introducing monitoring capabilities to a phone, or making sure that when staff check email from a personal device, it is one known to the company.

Employers also have to consider what happens if they accidentally capture employees’ personal data, says Sharon Chand, a principal in the cyber-risk practice at Deloitte, a consultancy. “The question of how employees can track and monitor their personal data is really driven from a privacy perspective — what right do employees have to privacy and knowledge of how their personal data is being used?” she says, adding that this will depend on the workplace culture and local regulation.

Employees should be alert to the usual pitfalls of day-to-day cyber security, such as poor password practices. According to a Verizon Data Breach Investigations Report this year, 29 per cent of breaches involved the use of stolen credentials.

Security advisers recommend two-factor authentication. Some point to the growing trend among employers for biometric security, such as fingerprint or facial-recognition identification. There are even more sophisticated tools coming to market, notes Verizon’s Schlager, such as asking users to type in a passphrase — a question and response. Software verifies the response but also “determines how a user types, using variables such as the speed between each letter”, he explains.

Employers must be wary of staff introducing “shadow IT” — using their own systems instead of company ones. This often happens because it is an easy option or they cannot work out how to use what they are offered. For instance, an employee might open him- or herself up to vulnerabilities by sharing documents via Dropbox, even though the company does not have a partnership with the cloud storage service. A high-profile example is former US presidential candidate Hillary Clinton, who used her own email server to conduct official business during the 2016 election.

Security consultants recommend addressing this problem with education but also by making their systems as frictionless as possible. “The fastest way to get a ton of shadow IT is to make the normal IT path difficult,” says Charles Henderson, global head of IBM’s hacking unit X-Force Red. “If you make it hard to [access certain data], users are still going to do it, in a new and interesting way.”

Why ‘loose lips sink ships’ on workplace chat apps

Employees are increasingly lax about what they say on workplace chat apps, such as Slack, Google Chat and Facebook’s Workplace, as boundaries blur between the workplace and socialising. Such digital habits represent a security risk for employers.

A 2019 survey of more than 1,500 US and UK workers found that 76 per cent discussed their personal lives on messaging and collaboration platforms, and 25 per cent talked negatively about their bosses. A quarter said they shared confidential company information on these apps, according to the survey by the secure chat and collaboration platform Symphony Communications.

“The more consumer-like and informal the experience, the more likely employees are to accidentally let slip confidential or inappropriate information,” says Amanda Finch, chief executive of the UK Chartered Institute of Information Security.

Data suggest it is younger, tech-savvy millennials who are more comfortable online and thus more inclined to express themselves and overshare at work. This may land employees in trouble with their company, but also expose them to blackmail, for example. It can also be unclear how securely third-party platforms are storing that information. “There are some platforms out there that basically never delete your history,” says Justin Harvey, global incident response lead in consultancy Accenture’s security division.

Businesses need to give employees training and ensure they understand how these platforms differ from emails and calls. “Whatever channel they use, employees need to understand how to minimise risks, and that ‘loose lips sink ships’,” says Finch.