How to ensure cybersecurity as staff return from home (with dodgy devices)

When the world changed, so did the way we do busi­ness. In an instant, work­places shift­ed from offices to kitchen work­tops, front rooms and spare bed­rooms. It was a cyber­se­cu­ri­ty night­mare that some busi­ness­es strug­gled to han­dle: in 2020,  report­ed a breach or attack.

The pro­por­tion of busi­ness­es report­ing a cyber­at­tack has dropped sev­en per­cent­age points in the past year, accord­ing to data gath­ered by the UK Depart­ment for Dig­i­tal, Cul­ture, Media and Sport. But as the world of work begins to get back on an even keel and busi­ness­es adapt to a hybrid world of work­ing from home and in offices, there are more new chal­lenges to face.

Six in 10 employ­ees use their own per­son­al mobile phone for work, while 44% use their own lap­top, accord­ing to a sur­vey by secu­ri­ty plat­form provider Armis. “Peo­ple have become com­fort­able using a vari­ety of con­nect­ed devices while work­ing from home,” says Paul Davis, region­al vice pres­i­dent for EMEA at Armis. “The issue of unse­cured devices pos­ing a risk to busi­ness­es isn’t exact­ly news; how­ev­er, this will be exac­er­bat­ed by the surge in devices that will poten­tial­ly con­nect to com­pa­ny net­works.”

It’s a chal­lenge busi­ness­es are fac­ing every­where. Glob­al com­pa­ny SoPost, which has 65 employ­ees world­wide, has always been a semi-hybrid work­place. But the pan­dem­ic has made employ­ees do a lot more remote work­ing, says founder Jon­ny Gru­bin. They’ve also added 35 employ­ees in the past 12 months, and so have ensured that devices used in the busi­ness can be remote­ly man­aged. Doing so requires strong lead­er­ship.

How to handle the return to work

“From a man­age­r­i­al per­spec­tive there may be issues with how the return to work will be han­dled,” says Abi­gail McAlpine, a cyber­se­cu­ri­ty researcher at Sheffield Hal­lam Uni­ver­si­ty. “How organ­i­sa­tions han­dle the human aspects of secu­ri­ty com­ing back to a cen­tralised work­space is equal­ly as impor­tant as the tech­ni­cal.”

McAlpine sug­gests busi­ness­es engage their employ­ees in a crash course around cyber­se­cu­ri­ty as they begin to return to the office – even if it’s only as part of a hybrid work­ing arrange­ment. “A lot of things that may seem basic may have felt unnec­es­sary to indi­vid­u­als work­ing alone and secure at home, such as lock­ing com­put­er screens when leav­ing the desk, or pass­word-pro­tect­ing their devices,” she says. While such things may be com­mon sense to some peo­ple, if indi­vid­u­als need remind­ing of it then it’s not that com­mon­ly held.

It isn’t just rein­stat­ing good cyber­se­cu­ri­ty habits that busi­ness­es might need to do. In the rush to ensure busi­ness con­ti­nu­ity when the pan­dem­ic first struck, many work­ers made do with what­ev­er devices they could get their hands on – includ­ing shared tablets, phones and lap­tops that are passed around a fam­i­ly – and which now hold the keys to a busi­ness king­dom. “Any­one in a posi­tion of author­i­ty should encour­age a con­ver­sa­tion about the poten­tial secu­ri­ty issues with a bring your own device (BYOD) pol­i­cy,” says McAlpine.

At SoPost, Gru­bin issues employ­ees with a com­pa­ny lap­top or com­put­er. “It’s sup­posed to be for busi­ness pur­pos­es only, but I’m sure peo­ple may watch Net­flix on it,” he admits. But addi­tion­al secu­ri­ty is bol­stered through a remote device man­age­ment pro­gramme called Jamf, which allows machines to be set up remote­ly and secu­ri­ty patch­es installed by the company’s IT depart­ment. “Secu­ri­ty is impor­tant but when peo­ple are busy in their role, noti­fi­ca­tions to update things may not be a pri­or­i­ty,” says Gru­bin. “Jamf allows us to see the sta­tus of every device, so we know exact­ly what every­one is run­ning.”

Starting small to resecure cybersecurity

The idea of under­stand­ing an entire organisation’s cyber­se­cu­ri­ty needs may seem daunt­ing when busi­ness­es are strug­gling to nav­i­gate the return to offices. Yet busi­ness­es are con­scious of the risks involved. Four in 10 busi­ness­es told web-host­ing com­pa­ny IONOS that they have a cyber­se­cu­ri­ty skills gap. “Secu­ri­ty depart­ments will need to pre­pare a proac­tive secu­ri­ty plan with spe­cif­ic poli­cies to make sure their staff can con­tin­ue to use these devices in the office,” warns Davis. “It’s bet­ter to have an extra lay­er of secu­ri­ty than suf­fer the con­se­quences of a breach.” But there needn’t be a sig­nif­i­cant under­tak­ing – employ­ee edu­ca­tion can go a long way.

“Half an hour of dis­cus­sion around poten­tial issues, gath­er­ing employ­ees’ insights, opin­ions, and ques­tions allows for bet­ter oppor­tu­ni­ties to under­stand the risks fac­ing an organ­i­sa­tion both short term and long term,” says McAlpine. The great work­ing reset is an oppor­tu­ni­ty to cre­ate a secu­ri­ty-con­scious cul­ture with­in an organ­i­sa­tion. McAlpine sug­gests appoint­ing secu­ri­ty ambas­sadors to lead the rethink­ing of cyber­se­cu­ri­ty issues and to smooth the tran­si­tion to the new world of work. Above all, she advis­es putting issues front and cen­tre in every employee’s mind. “Secu­ri­ty is an ele­ment of every employee’s role, not just those in IT,” she says.

Yet it’s also vital for organ­i­sa­tions to acknowl­edge the chang­ing way of work. Employ­ees won’t always be in the office and under the watch­ful eye of col­leagues and their IT depart­ment. As hybrid work­ing takes hold, the move­ment of devices into and out of offices is inevitable. So a new con­tract with employ­ees is impor­tant that takes into account the real­i­ties of work­ing life nowa­days, while keep­ing things as secure as pos­si­ble.

Forewarned is forearmed

“Remote and hybrid work­ing look set to become the norm for mil­lions and busi­ness­es need to ensure that infor­ma­tion secu­ri­ty and pri­va­cy man­age­ment sys­tems are over­hauled to reflect the changes to the threat land­scape,” says Steve Lamb, prin­ci­pal con­sul­tant at Bridewell Con­sult­ing. It’s unre­al­is­tic not to expect employ­ees to use their home com­put­ers or net­works to dip into key work doc­u­ments and files. But instead of bar­ring them out­right, it’s impor­tant to try to secure how those devices con­nect to a work net­work. 

“Organ­i­sa­tions will need to pre­vent employ­ees from con­nect­ing to busi­ness net­works and using per­son­al machines that don’t have basic secu­ri­ty con­trols,” says Lamb. Like­wise, it’s bet­ter to allow employ­ees to access inter­nal net­works – where secu­ri­ty checks and encryp­tion are like­ly to be stronger – than to save files local­ly on poor­ly secured stor­age, warns McAlpine. Loss or mis­al­lo­ca­tion of data is more like­ly when sav­ing things off work net­works. Com­pa­nies with­out appro­pri­ate BYOD poli­cies will find it hard­er to track doc­u­men­ta­tion when it is stored or shared to dif­fer­ent devices.

Aside from offi­cial poli­cies, a large part of man­ag­ing risk involves man­ag­ing peo­ple. “It’s a lot of edu­ca­tion, and talk­ing around things,” says Gru­bin, who ensures employ­ees under­go secu­ri­ty train­ing and gen­er­al rules around shar­ing infor­ma­tion. It’s a mod­el that keeps his com­pa­ny safe – and could help keep yours safe, too.