The Apricorn 2022 Global IT Security Survey revealed that organizations have adapted security policies to accommodate hybrid work, but they are still at risk due to employee compliance and lack of security awareness — particularly when data is on the move between work locations.
In the survey, 397 IT security practitioners across North America and Europe responded to questions about security practices and policies during remote/hybrid working conditions.
The risk of moving data between work locations was highlighted by the fact that the majority of respondents (82%) said that encryption should be required to secure USB storage devices, but only 34% say encryption is mandated within their organizations to protect data on the move.
When it comes to security compliance, and mitigating employee risk in remote work environments, one-quarter of respondents admit that employees are aware of IT security policies for remote work but are not adhering to them. When remote policies are not followed, it is usually due to employees not prioritizing security practices despite being informed about them (52%) or because they are using personal devices (40%).
Improving remote work security
Opportunities to improve security culture within organizations are apparent. Eighty percent of organizations have changed their priorities in terms of compliance and security due to the pandemic. IT security professionals have expressed a desire for stronger security policies, but those expectations aren’t always being met.
Almost 40% say their IT department does not have the tools to monitor and enforce policies. However, they are making progress where they can, with 56% of organizations reinvesting in employee education, while 83% have continually reinforced policies with employees.
Endpoint security for remote work
“We have to assume there will be at least some level of personal use on the corporate device, especially in the current environment. Some people might not even have another device to use right now, and it might be their only source of news or ways of interaction. It would be foolish for us to believe that they won’t be using it for personal uses,” Fischer says.
Is your team using their own personal devices (BYOD), or has the company provided them? Because this pandemic progressed so rapidly, companies found employees working from home quite literally overnight, meaning there was no time to order a hundred new laptops to provide their workers.
If employees are working on their own devices, the company has far less control of who is accessing that device, where data is being stored on the device, and what is being accessed on the device.
This creates the potential for blending personal data with company assets. Because working from home may lend to kids, spouses, roommates, etc. easy access, Fischer recommends the following device management precautions:
- Sandbox off the work environment.
- Restrict the ability for employees to save to their own hard drive.
- Consider extra password security (two-factor authentication) or other identifiers to restrict other users from gaining access.
- Using a Virtual Private Network (VPN).
Fischer reminds us that home Wi-Fi is traditionally not as robust or protected as work Wi-Fi. Home routers may be operating from the default settings because they were never altered, which makes it much easier for breaches to occur. Additionally, consider the risks involved with multiple individuals using that Wi-Fi.
Identity and access management strategy
Fischer recommends limiting access for employees to the smallest amount necessary for them to fulfill their role at the company. Every employee doesn’t necessarily need access to every component of the business, especially in the remote workforce environment.
Also, be sure to monitor your network for someone logging in as a legitimate end-user who is not.
Since most of the country and the globe is adhering to varying forms of “shelter in place” policies, you should investigate when an employee is logging in from the UK when your company is based in California, for example. Did an employee travel to Europe, or is there something more serious happening? Keep an eye on your logs and system feedback.
Third-party security and remote work
Fischer recommends checking with your third-party vendors to see what your contractual obligations are regarding remote work. Are you required to provide company devices? Do you need to purchase technologies to ensure you have the correct encryption functionalities to fulfill agreements?
In turn, you need to perform due diligence to ensure your vendors are upholding their data security and privacy requirements as well.
“It’s not a bring down the hammer moment for your vendors, but it’s an opportunity to make sure that data security and privacy stay top of mind for them,” explains Fischer. “We are all only as strong and secure and private as our weakest link. If you have a vendor that doesn’t take this seriously as they transition to remote work, then anything you do is still going to be compromised by their potential vulnerabilities.”
Cyber insurance updates to shifting the risk of the remote workforce
When appropriate, Fischer explains, you may need to update your insurance to reflect a remote workforce. This can add extra protection and might even be required depending on the industry.
You also might be able to transfer some risks contractually; however, the most important risk mitigation is up to management to determine how or if it should be lowered.
You may need to change where you put data, and you may need to enable stricter password policies or change where you access systems.
“We are distracted right now, and we as humans are more vulnerable to making mistakes,” Fischer emphasizes.
For more information, click here.
Report – Security Staff
