Working from home: blurred boundaries increasing business risk

Flexible work arrangements have become an ingrained part of the modern workplace. With daily commute times increasing and employees wanting better work-life balance, the traditional nine-to-five routine has changed for many Australian workers. According to research by Indeed in 2018, more than two-thirds (68%) of Australian employers now allow employees to work remotely. This provides many benefits for the mental health and wellbeing of employees; however, employers are wise to be increasingly concerned about the security issues brought about by remote work.

When working remotely, people are more likely to take a relaxed attitude to security in general, mixing personal and business devices, software, and data. The environments from which they are working are also outside the control of the organisation, often open public places such as cafés, public transport and airports, leading to physical security concerns such as lost or stolen devices, or even casual observation of confidential information. In those environments, and even when working from the relative “safety” of their homes, the networks that employees are connecting to are not protected in the same way as a corporate environment, exposing organisations to additional entry points for attackers to access company networks, devices, or information. In many cases, successfully phishing and/or attacking a remote worker may offer a higher payoff than hacking an in-office employee. In the UK over 2018 and 2019, it is estimated that one-third of businesses suffered a data breach due to remote access to corporate networks in the past 12 months.

More than half of remote workers spend up to one day per week connected to unsecured networks such as public wifi hotspots. Many are not aware that, when doing so, browsing history including usernames and passwords, or even individual keystrokes, could be scooped up by attackers. The modern smart home with ‘connected’ home appliances can be another entry point for attackers, providing access to a home or local network. Recently, stories of smart fridge and wifi-connected doorbell attacks have been reported in the media, and if work devices are connected in an unsecured manner, smart home vulnerabilities could be potential entry points for an attacker into a corporate network.

Luckily, there are options which can reduce these risks while still ensuring that employees have the freedom to work remotely:

  • Opt for company-issued equipment – Hardware that is company issued can be automatically set to apply the latest security patches and updates, and access can even be restricted so that employees can only use approved applications;
  • Encryption – Ensure not only that data located on devices is appropriately encrypted but also that data transmitted or received by devices uses encrypted channels such as a secure VPN;
  • Endpoint management – Ensure that endpoint management is installed and monitored on devices, which can assist in the early identification of malicious software; and,
  • Education – A vital step to the success of any strategy is to ensure that you have clear communication with staff around IT security hygiene, and that you educate employees around what is (and isn’t) appropriate when working remotely.

With the right attention to requirements, training, and technology, organisations can ensure that a flexible workforce is prepared to protect sensitive data and minimise risk.