Securing remote access has been top of mind in most businesses over recent years in a bid to support the remote, mobile and hybrid working practices that are now commonplace.
At the last count, 80% of the UK workforce worked from home some or all of the time in June, according to the ONS. This is creating a far more dispersed network and a wider attack surface, which is then more difficult to protect.
Organisations have attempted to bolster remote working security following a hasty pandemic rollout, not least because there’s now much more awareness of the potential costs of a breach. Attacks at the endpoint (i.e. user devices) tend to be far more costly, with the Ponemon Institute estimating the impact is twice that of a general data breach, and IBM that it’s around $1m higher in companies with remote workers.
Ensuring those workers operate securely can be challenging, requiring the business to put in place access controls to enable the employee to securely connect, to stipulate and enforce acceptable use, storage and backup policies, and to provide staff awareness training which is often delivered at a distance. But all the efforts of the business can be easily undermined if employees circumvent or fail to adhere to these controls. Right now, there appears to be a crisis of confidence, with employers losing faith in the willingness of their staff to meet security requirements.
Are employees becoming too lax?
User behaviour outside the confines of the office can undoubtedly be less secure. There’s the problem of users choosing to connect over public WiFi or home networks that are shared with other devices, their screens being open for others to observe, or losing their devices altogether. They may not update their software, back up data correctly or change their passwords in line with company policy. These workers are also more isolated, making it more difficult for them to verify the legitimacy of a request, which makes them more susceptible to attack.
The Apricorn annual survey of UK and US IT security decision makers, conducted in May 2024, reveals that 63% expect their employees to put corporate data at risk. What’s more, those fears appear to be well founded, given that 55% said those workers had already knowingly put data at risk of a breach over the course of the past year, up from 48% in 2023. In fact, employees were the top cause of data breaches, cited by 74%.
Security is not top of mind for most employees, with 43% saying their remote staff just don’t care. Admittedly, this could be interpreted to mean they are ambivalent with respect to security or do not regard it as their responsibility. Either way, the implication is that employees aren’t fulfilling their obligations to keep data secure.
However, a closer look at the responses shows that 95% agreed that mobile and remote workers are aware of IT security risks and best practices, and that they followed the required policies to protect the data they work with at all times. In the UK, this has increased significantly, from 58% in 2023 to 92% in 2024. So employees are willing to comply, which raises the question: why are they failing to do so?
The figures further reveal that just under half of businesses (47%) had an information strategy/policy in place for BYOD, indicating that many still do not have this guidance in place. Presumably they either allow employees to use their own devices without support, which is a substantial risk, or insist that only company-sanctioned devices are used, which is an added expense.
Willing but unable to comply
Tellingly, the majority (73%) confessed their workers lacked the skills and technology to keep data safe. Therefore, even where they are aware of the policies and processes they should be following, they are unable to do so. What’s more, the chasm between the good intentions of staff and their ability to follow those security guidelines is widening: only 55% of those in the UK admitted this was an issue in 2023, but this leapt to 74% this year.
What this illustrates is that businesses need to do more, and not rely purely on trust and goodwill when it comes to securing remote access. There has been progress here, with the number of businesses electing to install controls on employee devices up more than threefold to 47% compared to a year ago, but 17% said they did not have the technology in place to secure mobile or remote working, with 36% blaming this on complexity and 28% on expense.
Clearly more does need to be done to equip employees with the necessary technology and know-how to safeguard data, but there’s also a cost sensitivity issue here. While zero trust does indeed improve access control and protect data, it’s not something that all businesses can dedicate spend to. So, what measures can businesses take that could make a difference?
Practical steps to tighten security
Firstly, make sure that policies are in place to govern use and that these specifically address procedures for remote working. If users are allowed to use their own devices, stipulate the conditions under which this is allowed; for instance, access should only be permitted via the company VPN. If you do choose to install software on the device, consider using mobile device management (MDM) so that it can be remotely managed and updated. Be aware too that these policies will need to be revisited and refined on an ongoing basis to keep pace with evolving threats.
Alongside this, it’s important to provide tailored security awareness training that deals with the likely scenarios the remote worker will face. Phishing continues to be a major cause of data breaches (the survey found that it was the top attack type), and such attacks are likely to become more sophisticated as threat actors begin to harness generative AI to fine-tune them, making them harder to spot.
We’re also now seeing AI used to create deepfake attacks, as in the case of the video conferencing call which saw an employee of UK engineering firm Arup duped into transferring £20m. In that example, all of those attending the call were fake avatars of real employees. Such cases illustrate the importance of locking down video platforms and of controls such as MFA on collaborative working platforms, but they also mean there needs to be a culture of openness and a blame-free reporting process, so that employees can flag any incidents without fear of reprisals.
When it comes to provisioning, a balance needs to be struck between giving employees the freedom to work productively and protecting data. Removable storage devices such as USB drives and external hard drives give workers the convenience of portable media, and they can be effectively protected by automatically encrypting the data on them. This provides assurance that the data is protected should it fall into the wrong hands.
Controlling how data is accessed, stored and used is critical in protecting the business. Alarmingly, the 2024 Apricorn survey found almost a quarter (24%) of those questioned admitted they had no control over where company data goes and could not be certain that it was adequately secured. It’s this inability to focus first and foremost on the data, where it is and what needs to be protected, that is the true crux of the matter. If the business can secure the data itself, the need to place trust in the employee becomes redundant.
Jon Fielding is the Managing Director of Apricorn in EMEA and has extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on Information Security for the past 18 years, working with a variety of organisations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey, where he worked exclusively in the secure USB market, having established the IronKey office in EMEA 8 years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.