This article originally appeared in June's edition of IT Pro 20/20, available here. To sign up to receive each new issue in your inbox, click here.
Working from home is not a new concept. Many employees have been working remotely for the past few years, and the vast majority have managed to do so without falling victim to a craftily-worded phishing attempt or downloading credential-stealing malware onto our devices.
You’d be forgiven for thinking that wasn’t the case. Ever since the coronavirus pandemic began and employees across the globe were forced to adopt this supposedly ‘new’ way of working, our inboxes have been stuffed-full of emails warning about the “devastating” security risks associated with remote working, and how woefully unprepared organisations were to manage this “unprecedented” shift.
It’s tiresome, and simply isn’t the reality. Admittedly, there will be some sectors and industries that are perhaps not as well-prepared as others, such as construction and hospitality, but the majority of businesses were well-placed to deal with the transition to a fully remote workforce, particularly from a cyber security point of view.
Prep works
The rise in popularity of initiatives such as Bring Your Own Device (BYOD) and hot-desking, for example, have ensured that the majority of companies had remote working strategies in place long before the pandemic hit; a 2019 study by Switzerland-based serviced office provider IWG found that 70% of professionals worked remotely at least one day a week, while 53% work remotely for at least half of the week.
Sure, things may have been turned out differently a few years ago, but these figures alone all-but-confirm that prior to this mass shift to remote working, the majority of organisations were ready. Employees already had access to devices that are fully-secured for use both inside and outside of the corporate network, and many were already using cloud-based software, such as Microsoft 365, that has been developed with security at the forefront; although it may feel safer to store data on-premises, this is a false sense of security in the age of cyber crime.
What’s more, Platform as a Service (PaaS) and Software as a Service (SaaS) applications, which have grown in popularity in recent years, allow IT teams control who has access to those applications and services, regardless of the employee’s location.
“When the transition was made from the office to home, there should have been no heightened risk for employees using company resources like laptops or work phones to access the company network,” says Richard Meeus, security, technology and strategy director at Akamai.
Risky businesses
While it’s certainly true that the number of cyber criminals attempting to capitalise on the pandemic and the growing number of remote workers is on the rise – Google in April said it was blocking some 18 million coronavirus-related phishing emails a day – that doesn’t mean these attempts are successful.
We’re yet to report on a major breach or attack that’s arisen as a result of employees working from home, and that’s ultimately due to the fact that in the majority of cases when it comes to cyber security, your home office is no less secure than your employers’.
Peter Bassill, founder & senior security researcher at Hedgehog Security, agrees, telling IT Pro: “How many times have we heard ‘working from home poses security risks?’ It is pretty much an hourly occurrence and 99% of the time they are trying to sell a box with blinking lights that is posed as the answer to the questions.
“The simple fact of the matter is, home working is just as secure as working from an office. If the company has in place the right IT controls and the right training and information for the end-user, working from home is just as secure, if not more secure than working from an office.”
The IT Pro Podcast: Staying sane while working from home
With remote working set to continue, how can we avoid stress and burnout?
Some also believe that, although many hackers have attempted to cash-in on the current situation, a remote working environment isn’t an attractive target for most cyber criminals and the risk to home-based employees is lower than for those in a traditional office.
“There is an interesting example where being outside the corporate network is of real benefit to security,” comments Colin Truran, principal technology strategist at Quest. “Once cyber criminals have found their way into an organisation they typically use this point of compromise as a ‘beachhead’ from which to propagate laterally throughout the organisation.
“Working from home, combined with the move towards cloud services such as Office 365, means that there is a more substantial gap between endpoints within an organisation, making this kind of rapid expansion of cyberattacks across whole networks much more difficult.
“Organisations shouldn’t see the rise of remote working as an instant cybersecurity threat, but it should prompt more conversations about new cybersecurity models and strategies.”
High priority
Over the past few years, cyber security has been a priority for businesses, the majority of which have moved fast to ensure they have strong protections in place. Multi-factor-authentication has become the norm across businesses of all sizes, many companies have started offering security awareness training and the rise of AI systems will have enabled some companies to autonomously defend workforces.
Gartner estimates that worldwide security spending grew 10.5% in 2019, compared to 0.4% growth in IT spending overall. Most businesses had already identified holes in their practices, leading them to be more diligent in response to cyber security threats.
“Fortunately, cybersecurity has been on the radar of businesses for the past few years and is already a priority,” Joe McManus, director of security at Canonical, tells IT Pro. “The current situation is simply a pivot for security protocols, especially if businesses have applied sound security controls.
“Many enterprises have confronted the need to choose the right OS, one that will ensure the long term security of desktop software; one that incorporates both automatic updates and was designed with security from the ground up. Software of this nature takes the onus off the end-user and ensures patches are kept up to date significantly decreasing the attack surface.
“Functions such as automatic updates have long been considered the bread and butter of a rigorous IT system.”
Organisations have also been forced to look beyond the network, and many have been quick to implement ‘zero-trust’ and ‘always verify’ security models and acknowledged the true attack surface of the organisation. With this kind of security in place then the location of the employee makes no difference to the risk profile of the organisation.
Meeus adds: “Zero-trust can authenticate and direct users safely, no matter where they are, or where the application resides, while not overwhelming the system or handing entire access of the network over to potential hackers.”
A matter of trust
Speaking of trust, this has never been more important. Due to the growing number of scaremongering headlines regarding the security risks of working from home, it’s important to communicate that working from home should not increase an organisation's cyber security risk at all and that employees can be trusted to keep valuable information safe.
While some will argue that employees may be feeling more relaxed about security due to their newfound comfortable surroundings, it’s also worth remembering that millennials – those between the ages of 22 and 38 – now make up 50% of the workforce. People of this age have never been more aware, nor concerned about their data privacy, and typically have a good understanding of cyber security best practice.
What’s more, millennials – often referred to as “digital natives” – are also much more at ease with new technologies, and some will have had their experience of access to online banking entirely defined by the use of biometrics to sign into their account, for example. This means using the same approach in the workplace to secure confidential documents or sign in remotely comes easily and naturally to them.
Paul Williams, director of Highstream Solutions, adds: “Provided the core network for business users is secure, and they are using all of the security tools available to them, such as multi-factor authentication, and the user base has been educated on what potential risks look like and how to deal with them, I see no reason for working from home to incur any more cybersecurity risks than working in the office.”
