The widespread adoption of flexible working models hasn’t just normalised working from home.
Many companies are happy for their employees to work wherever, whenever and however they choose. This has given rise to “bleisure” and “workcation” trends that see employees combine business with leisure. Instead of being strapped to a desk at home or in the office, staff can work on the beach or in the mountains.
Indeed, millions of digital nomads have embraced a lifestyle in which they wholly relocate or travel abroad, working on the go on a long-term basis. According to The State of Digital Nomads Report, there are more than 4.8 million digital nomads from the UK currently roaming the planet – second only to the US.
Often when digital nomads are mentioned, many people think of freelancers. However, the normalisation of remote and flexible models has now changed the working dynamic for contractors and full-time employees too, with the ONS revealing that 16% of UK workers worked exclusively from home in 2023. And it’s a growing trend. The digital nomad lifestyle eradicates the need to take annual leave to explore the world, while also allowing employees to boost their experiences, productivity and wellbeing in the process.
At the same time, many governments are actively working to attract digital nomads to their shores, recognising the economic contributions they can make. The number of countries offering special visas for this category of worker has almost trebled from 21 in 2021 to 58 in June 2023. From online platforms such as Nomad List highlighting the best locations to work from in terms of access and affordability, to challenger banks making it easier than ever to access financial services and avoid international transaction fees, there are several facilitators making the digital nomad lifestyle increasingly attractive and viable.
For employers, this is no bad thing either. There are many benefits to allowing employees to work fully remotely and across borders: companies can access global talent pools and better attract and retain talented workers with the promise of a better work-life balance and job satisfaction. But it’s not all good news.
Digital nomads are exacerbating cyber concerns
Cyber concerns are at an all-time high. According to Allianz, cyber incidents were highlighted as the most important risk among companies globally for the third year in a row in 2024. FBI and IMF data suggests that the annual average cost of cybercrime globally is expected to exceed $23 trillion come 2027 – up from $8.4 trillion in 2022. If security is not managed properly among remote employees, a significantly more complicated security picture may emerge that heightens organisational risk.
One of the most obvious areas of concern surrounds the issue of legislation with respect to data privacy and protection. While the adoption of standards has been growing around the world, with 137 out of 194 countries putting regulations in place, these vary significantly across borders. Countries such as the UK, America, Canada, China, India, Australia and those in the EU have developed strict and robust rules, but elsewhere regulations are less stringent and not so effectively enforced.
At the same time, some data protection regulations have restrictions in relation to data sharing between one jurisdiction and another. Typically, countries must have established agreements that legally state they view each other’s data protection frameworks as equal for open data sharing to be permitted. Such an agreement has been established between the UK and Japan, for example, but there are many instances where such agreements are absent.
The problems associated with secure access
It’s not just data protection and regulatory implications that must be considered. The ability to secure access to corporate data also represents a significant challenge. Digital nomads frequently tap into free Wi-Fi hotspots as they move around, in hotel lounges, local cafes, co-working hubs and other workable venues. However, the features that make free Wi-Fi desirable for digital nomads also make it attractive to threat actors.
These networks may not require authentication upon establishing a network connection, providing attackers with the opportunity to gain unimpeded access to devices operating on the same network. Hackers will often position themselves between a worker and their connection point so that, rather than communicating with a hotspot, digital nomads end up sending information directly to an attacker.
Most organisations will opt to use a Virtual Private Network (VPN) to protect internet traffic on public Wi-Fi, though these are far from infallible. From vulnerabilities in their code to poor authentication and encryption practices, the weaknesses of major VPN providers have been exposed over recent years. If these are then exploited, attackers can infiltrate the wider network unnoticed, providing them with the opportunity to escalate an attack.
If sensitive data is stolen it can lead to identity theft, fraud, and the theft of financial resources from employees and customers. Equally, key data may also be encrypted by threat actors in ransomware attacks, leading to the extortion of companies for millions of pounds. In fact, ransomware payouts totalled a record £1.1 billion across 4,399 attacks in 2023.
Breaches are attributable to remote workers in 26% of firms
To mitigate this risk effectively, it’s crucial to ensure VPNs are properly configured, avoiding default settings, and regularly updated with patches. Implementing the principle of least privilege (an information security concept in which a user is given the minimum levels of access, or permissions, needed to perform their job) can also help to minimise risk. While VPNs are still used on a relatively broad scale, they are likely to be superseded by Zero Trust Network Architecture (ZTNA) in the future, which requires continuous verification so that every connection attempt is verified.
Nomadic workers will almost always be reliant upon mobile devices – be it their phone, a tablet, laptop or portable storage devices such as a hard disk or USB stick. While these devices offer convenience and flexibility, it falls upon the employer to dictate how they are secured, an area in which many continue to fail.
According to an Apricorn survey from 2023, organisations are becoming less vigilant when it comes to managing and monitoring these devices. Only 14% now manage the risk of remote working by controlling access to systems and data using software – down significantly from 41% in 2022. Further, while 24% require employees to receive approval to use their own devices for work, they didn’t apply any controls. And 17% didn’t require any approval or apply any controls at all.
This lack of effective policing is feeding into a growing number of breaches among remote workers. Over a quarter of companies stated that the breaches they suffered last year were attributable to remote workers. Poor employee buy-in isn’t helping matters. According to the Apricorn survey, almost half of those organisations surveyed (48%) revealed that mobile or remote workers had knowingly exposed data during 2023 – up from 29% in 2022. Shockingly, 46% stated that their remote workers “don’t care” about security, a rise on the 17% seen in the previous year.
The critical importance of encryption
Given the lack of employee vigilance and/or acknowledgement of security, organisations must take matters into their own hands, starting with encryption. Encrypting all data as standard ensures that data will remain unintelligible if a device is misplaced or a connection is compromised.
There are two options available when it comes to implementing encryption: hardware-based encryption and software-based encryption. However, the latter can still leave a device susceptible to a variety of attacks. In contrast, hardware encryption sees authentication take place within hardware-encrypted portable devices, ensuring passwords and business critical data will never be shared with host computers.
Unfortunately, encryption isn’t actively being leveraged by many organisations. The Apricorn survey reveals that only 12% encrypted data on laptops last year – down from 68% in 2022. For mobile phones it’s a similar story: 13% in 2023 versus 55% in 2022. Further, USB sticks (17% down from 54%) and portable drives (4% down from 57%) follow the same trend.
It seems that remote working is perhaps a major culprit in the drop-off in encryption, causing confusion over exactly where enterprise data is and what needs to be encrypted. 22% of firms revealed they had no control over where company data goes or where it is stored, with 14% simply stating they don’t understand which data sets should be encrypted.
Understanding and correctly deploying backup strategies
Remote working security need not be a complicated process. With modern cloud technologies, it’s possible for employees to mirror their corporate laptop while replicating their secure work environment on any host device, enhancing flexibility and mobility. The key is ensuring that security isn’t compromised in favour of flexible productivity.
Alongside encryption, backups are another key aspect of remote security that must be considered. Specifically, digital nomads must have a secure and logical method of backing up their data remotely. Here, the 3-2-1 rule is often highlighted as best practice for companies to back up their data. At least three copies of data should be retained, stored on at least two different media, at least one of which is offsite. By following this method, information can be quickly and fully restored if one copy is compromised.
Automating the backup process can also help ensure that data is routinely saved. However, it is interesting to note that this approach has declined due to remote working as many now opt to make local backups manually. While backups were automated by almost all (93%) of companies surveyed in 2022, only half of companies opted to do so in 2023. Moreover, 48% of companies carried out manual backups last year – up 8% on 2022.
Critically, it’s a practice that is harming the ability of users to recover their data, with fewer than three in ten companies that had to resort to backups able to recover all their information – down from 45% in 2022.
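As an added illustration of the 3-2-1 rule described above (not from the original article), the Python sketch below audits a backup inventory and counts only copies whose recorded SHA-256 digest matches the current data, so a stale manual backup does not mask a gap. The inventory, labels and function names are constructed for the example, and it assumes the working copy counts as one of the three.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str        # constructed label for the copy
    medium: str      # storage type, e.g. "laptop-ssd", "usb-drive", "cloud"
    offsite: bool    # True if held away from the worker's location
    sha256: str      # digest recorded when the copy was last verified

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_321(reference_sha256: str, copies: list[Copy]) -> list[str]:
    """Return 3-2-1 violations; an empty list means the rule is met.
    Only copies whose digest matches the reference count, so a stale or
    corrupted backup is treated as missing."""
    good = [c for c in copies if c.sha256 == reference_sha256]
    problems = []
    if len(good) < 3:
        problems.append(f"{len(good)} verified copies, need 3")
    if len({c.medium for c in good}) < 2:
        problems.append("verified copies span fewer than 2 media")
    if not any(c.offsite for c in good):
        problems.append("no verified offsite copy")
    return problems

# Constructed sample data: current file contents and an older version.
CURRENT = digest(b"client-contracts v7")
STALE = digest(b"client-contracts v3")

AUTOMATED = [
    Copy("laptop", "laptop-ssd", False, CURRENT),
    Copy("encrypted USB drive", "usb-drive", False, CURRENT),
    Copy("cloud backup", "cloud", True, CURRENT),
]
# Same three locations, but the cloud copy was last refreshed by hand.
MANUAL = [
    Copy("laptop", "laptop-ssd", False, CURRENT),
    Copy("encrypted USB drive", "usb-drive", False, CURRENT),
    Copy("cloud backup", "cloud", True, STALE),
]

if __name__ == "__main__":
    for label, inventory in (("automated", AUTOMATED), ("manual", MANUAL)):
        print(label, audit_321(CURRENT, inventory) or "3-2-1 satisfied")
```

In the second inventory three copies exist on paper, yet the only offsite copy is out of date, so the audit reports two violations.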
Now is the time for proactive prevention
Failing to implement secure access, encryption and back-up procedures for digital nomads and other remote users can, and does, lead to some very real consequences. To reiterate, more than a quarter of breaches suffered are now attributable to remote workers, with IBM’s 2023 Cost of Data Breach Report also revealing that the average total cost of a data breach is more than $170,000 higher when a remote workforce was a factor in a breach.
With governments making it easier than ever for digital nomads to migrate, the transient workforce is only expected to continue to expand. Therefore, given the growing responsibility and involvement of remote workers in data breaches, and the heightened impacts that these breaches can have, businesses need to be more proactive in their security practices.
As employees look to embrace a location-independent and technology-enabled lifestyle, so too should we see a parallel investment in cybersecurity best practices that ensure the confidentiality, integrity and availability of corporate data. By embracing key solutions that can support secure access, encryption and backups in a remote working context, enterprises can ensure they don’t fall victim to the novel security threats that digital nomads present.
Jon Fielding is the Managing Director of Apricorn in EMEA and has extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on Information Security for the past 18 years, working with a variety of organisations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey, where he worked exclusively in the secure USB market, having established the IronKey office in EMEA 8 years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.