Barely a week goes by without the remote working v office-based argument surfaces somewhere, usually it must be said, at the corporate level, although many SME owners remain nervous of it, with others downright against it.  My client base appears to be largely OK with a hybrid model of working and only one is 100% remote based, having given up their office.

The COVID pandemic was the catalyst for this with businesses of all sizes being forced to transform their operations to support remote work and by and large have done well, but not without many challenges, including video conferencing burn out, (along with wishing they’d taken out shares in Zoom!!), and a yearning to work together in person again, someday.  We all realise that group working, face to face, is often necessary not just for efficiency, but because we are social animals.  Experience has taught many businesses many things but are often still struggling with the potentially dire consequences in terms of cyber security and data protection.

I should perhaps mention that in the corporate IT world, where I worked for many years for major system integrators like HP, hot desking and remote working was introduced in the early 2000s and therefore this was no problem for us.

A distributed work environment i.e., personnel spread around various locations, office, home working, even the local coffee shop, creates critical challenges and new security threats as a result.  The speed with which this has happened has meant that many simply did not take cyber security issues into account and if they did, thought, well, this is temporary, and it won’t matter in the long run.  Well perhaps, but as many are now finding, there have been advantages to home working, not least a lowering of costs in terms of how much office space is needed to carry out the business function.  Many are now looking at Hybrid working i.e., from home with a day or two in the office during the week.  There are pros and cons to this outside of the scope of this article, and businesses will have to make their own judgements, but one thing is clear and that is that businesses need to understand the risks now inherent in distributed work and need to get better at cyber security and data protection, in those environments.

Employees when remote working, are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network.  Furthermore, the explosion of various online tools, solutions, and services for collaboration and productivity tend to have the bare minimum of security default setting, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers simply because, in an office environment, they have access to colleagues and managers, who they can approach for advice and guidance.  This is much harder to replicate with remote workers, especially those who may not be particularly tech savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the remote working model.  If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities.  And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving IT support will be rewarded, it can still be an uphill battle.

In a study carried out by Entrust it was clear that many organisations are grasping the concept of cyber awareness training, although there are still too few amongst SMEs that take this on board.  Of those who responded to Entrust:

• 94% said employee training has a positive impact on data security.

• 95% agreed that they trust remote employees to comply with data security best practices and training.

• 93% said they felt positive about the impact data security training had on them.

Of course, this was a sampling and only 61% of employees said that their company offered training.

Whatever system of hybrid you are proposing to use, or are using, it is clear that you will need to go beyond baseline security measures.  In this case we are almost certainly dealing with baseline protections such as multi-factor authentication, known as MFA or sometimes 2FA, and virtual private networks (VPNs).  Both have their place and will be needed. 

The Entrust report cites a contradiction here, and it’s one I have also noted.  Many company owners/directors say they believe company data is protected with these baseline solutions, yet they also say that home internet connections, leaked sensitive company information and cyber-attacks are their top concerns.

If organisations are going to use hybrid work models successfully over the long term, then they will need to further invest in their security strategy. MFA and VPNs, while important, should be seen as part of a larger strategy for data security in a hybrid work model. Throughout and beyond the pandemic, bad actors have exploited security deficiencies of remote environments such as insecure home tech hardware, poor password hygiene and employee use of unapproved tools.

If you are going to adopt this new normal, or already have adopted it, then the process must start with understanding your risk posture which will inform you of what measures you need to take to secure your data.  Below is a link to a short video explaining cyber risk management, at least at a high level.

https://bit.ly/3FdZ6x0

Once you have a clear understanding of what your risks are, then you might like to consider a zero-trust approach to data security.

With employees having the ability to work anywhere in a hybrid environment, the office perimeter is no longer relevant to digital security.  Zero Trust frameworks are designed to apply the concept of least privileged access to people, systems and devices, giving these entities only the access they need to fulfil their role and nothing more. Additionally, a Zero Trust approach continually monitors user and device behaviour to identify suspicious patterns and take preventive action, including a step-up authentication challenge.

You may need to consider other protections such as:

• Passwordless single sign on involving Privileged Access Management (PAM) to facilitate a Zero Trust approach. 

• Data Loss Prevention.  Whilst a VPN will protect your data in transit, file level encryption ensures that it is protected at rest, at both ends of the tunnel, so that if it does get stolen or otherwise compromised, the impact is severely lessened.  There is more information in the short video below.

https://bit.ly/4berDPa

• Protective Monitoring.  This has long been considered too expensive for an SME.  Well, no longer, there is now a system which is effective and affordable and is explained in the video below.

https://bit.ly/3Qy4u0x

If you feel a no obligation chat about this would be helpful, give us a call.