The most recent data from the UK Office for National Statistics shows that 35% of working adults are working exclusively from home, while in the US a study by Upwork found that 42% of the American workforce remains fully remote. After many months of the COVID-19 pandemic, organisations and their employees are adapting to, and valuing the benefits of, remote working. These include:
- A better work-life balance and improved wellbeing for employees.
- Increased job satisfaction.
- Improved productivity.
- A positive environmental impact.
A July 2020 Gartner survey found that 82% of company leaders plan to continue to allow employees to work remotely, at least part of the time, after the pandemic subsides.
Remote working can seem like a win-win for organisations and their employees but there are potential downsides in terms of information security and data privacy. The sudden and dramatic impact of COVID-19 meant that the shift to working from home was largely unplanned. Consequently, there was a surge in security breaches directly related to remote working.
An August 2020 survey from Malwarebytes found that one in five organisations reported facing a security breach as a result of a remote worker, while one in four said that they had paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders.
Mixing the personal and the professional
More homeworking has meant that the boundaries between our personal and professional lives have become ever more blurred. A recent Mimecast survey found that 73% of respondents had used company-issued devices for personal matters including:
- Personal email.
- Financial transactions.
- Online shopping.
- Personal social media.
Conversely, Malwarebytes found that 28% of their respondents were using personal devices for work-related activities. Either way, this mixing of the personal and professional exposes organisations to increased cybersecurity risk.
Home network configurations are often less secure than the connections employees would normally use in the office. For example, routers and Internet of Things devices that still operate with default login credentials (as many do) are vulnerable to attack. As a result, home networks have been found to be three times more likely than corporate networks to have at least one family of malware (a malware family is a collection of malware produced from the same code base). VPNs and cloud-based secure web gateways may be available to home-based employees, but enforcing their use can be a challenge for security teams operating at arm's length.
More remote working means more outbound emails, which means more email-related data breaches. A recent report from Egress found that 94% of organisations have experienced an increase in outbound email traffic during the COVID-19 pandemic. Perhaps as a result, for the second quarter in a row, the UK Information Commissioner’s October 2020 security trends report saw misdirected emails as the top cause of security incidents. Egress also found that 93% of organisations had suffered email data breaches in the last 12 months, with the main causes including:
- Incorrect recipients added.
- Incorrect files attached.
- Encryption not used.
- Errors using Bcc.
- Intentional exfiltration.
Although unsolicited emails from Nigerian princes may raise nothing more than a wry smile nowadays, phishing still works. Attacks continue to become more sophisticated and often target home workers with messages apparently from their senior leadership team or IT Support, or by tapping into our understandable fears and concerns about the pandemic.
According to Symantec “phishing increased significantly during the first quarter of 2020, accounting for one in every 4,200 emails.” Although 96% of respondents to the Mimecast survey claim to be aware of the risks of links in emails, 45% of respondents to the same survey admitted to opening emails they considered to be suspicious.
Training is the answer, isn’t it?
Technical security measures to support homeworkers will no doubt continue to improve over time. However, most data breaches and security incidents are caused by human error, and this risk is exacerbated when we work from home.
Large organisations now routinely deploy information security and data privacy training to their employees. The Malwarebytes survey found that the challenge most respondents were worried about was training employees on how to be security compliant at home. However, 44% of respondents said that they did not provide cybersecurity training that focused on the potential threats of working from home.
Given the surge in security breaches associated with the increase in remote working, it seems certain that standard, generic security and data privacy training simply isn’t hitting the mark.
Tips to improve the security and privacy behaviours of home-based employees
- Don’t roll out the standard corporate training and expect your employees to make the connection to their home environment. Tailor your awareness training to give people relevant and useful support and guidance specific to home working.
- Acknowledge the overlap between the personal and professional. While you are helping people keep corporate data safe, help them to keep themselves and their family safe online too.
- Help employees to use the tools available to them (such as VPNs and encryption) to keep data secure.
- Combat a potential sense of isolation and fear of a blame culture by encouraging employees to use the available support channels and to speak up if they have an issue or concern.
- Don’t make security and privacy training a “one and done” event. Regular reminders drive better outcomes.
- Make your training short and to the point, especially if you are going to increase its frequency.
- Focus on behaviour and motivation over knowledge and rules (for further information, see Improving Your Security Awareness Campaigns: Examples From Behavioral Science).