February 24, 2021
The feelings of isolation being experienced by employees are the biggest concern IT and cybersecurity teams have around home working, say almost one third (31 percent) of respondents to the latest Twitter poll run by Infosecurity Europe. The poll set out to investigate views on the current threat landscape, as remote working remains the norm and ‘lockdown fatigue’ sets in.
Staff isolation is causing more worry than employees sharing devices with other household members (the top concern for 26.4 percent), reduced vigilance (24.9 percent), and the risk of clicking malicious links (17.7 percent).
“The results illustrate that the welfare of employees – and the impact ongoing remote working is having on their security behaviours – is currently top of mind,” says Nicole Mills, Exhibition Director at Infosecurity Group. “Being isolated, while juggling work and all the other competing pressures generated by the pandemic, is likely to be affecting people’s mental health. Working at home also potentially distances staff from company security policies and the support of the IT team, making them more susceptible to letting their guard down, being overly trusting, or simply losing motivation. IT and security leaders must find ways of keeping employees engaged and firmly anchored in the company security strategy.”
Awareness training is key to sustaining connections with employees, according to Infosecurity Europe’s poll, with 39.2 percent of respondents believing awareness training is the best way of mitigating remote working risk. This is followed by web and email security (28.1 percent), endpoint protection (19 percent) and identity and access management (13.7 percent).
“I would suggest that understanding where your risks are is more important than jumping into ‘solution mode’ with endpoint protection, for example,” says Steve Wright, CISO of Privacy Culture. “Organisations have not carried out a proper assessment about the whole impact of working from home, with respect to data, IT and general operations. This will differ by business operation, role and function, in addition to people’s home circumstances – such as whether they’re in a shared flat or their Wi-Fi speed. Once assessed, the necessary policies and procedures should be updated, and training and communications carried out to staff. Refresher training delivered via short videos and animation is necessary for the whole workforce. As well as easily accessible awareness training and guidance, employees need more automation and dynamic support, with messages that say, for example, ‘this looks like it’s confidential, go here to protect it’.”
Maxine Holt, Senior Research Director at Omdia, echoes the importance of addressing the human factor: “Organisations need data protection, but also to ensure that the remote working environment is as secure as it can be. Remote employees don’t have the same ‘mindset’ as they would in the office – they walk away from laptops without locking them, set easily-guessed passwords on routers, or don’t apply updates to equipment. We’ve seen IT and information security functions provide great regular hints and tips for staying secure when working from home, improving awareness and education. This can also include support for mental health, as security may well decline if an individual is suffering. There’s definitely evidence of the boundaries of responsibility between information security and HR merging – and this is for the better.”
On the other hand, Mark D. Nicholls, CISO at Chime Group, believes organisations should adapt controls to be more data-centric, starting with visibility. “We need to know what people are accessing, and what they’re doing with it. Do we truly know what’s going on with an employee’s home broadband network, and the personal devices being used to access corporate data? Our controls must also be truly device and location agnostic. It’s important to leverage cloud solutions that enable agile working along with good security controls. We must not forget about basic hygiene, either – for example enabling multi-factor authentication (MFA), and ensuring employees know how to create strong passwords. It’s no longer easy to just walk down the corridor and speak to someone if there’s a security issue, so IT helpdesks should be empowered to use remote management tools where possible to fix issues.”
More than half (52 percent) of respondents to Infosecurity Europe’s poll believe that unsecured personal devices pose the biggest security threat within the remote working environment, followed by unsafe VPN/Wi-Fi connections (30 percent). Unapproved cloud apps (10.6 percent) and collaboration tools (7.3 percent) are seen as relatively low risk.
Nicole Mills continues: “Security threats have evolved as the pandemic has advanced. Attackers are ready to strike at the weak points that emerge as new ways of working and living continue to affect employees’ behaviours and mindsets. One particular area we all need to guard against now is the rise of ‘fearware’, as criminals seek to trick remote workers with ransomware and phishing scams, often linked to messages about COVID-19. Training undoubtedly has a major role to play here.”