There is a common consensus that remote and hybrid employees more easily subject organizations to danger. The fact of the matter is: Breaches can occur in any location, but companies that have employees working from one general location may lower their chances of an attack by having fewer digital avenues.
“Whether in person or remote, the amount of information being shared [in] the workforce will be tremendous for an organization,” Lal says. “Limiting the threats by only using approved devices in one location can lessen the probability of a breach or the severity of one.” He adds that in the event of an onsite breach or attack, having dedicated personnel, like a chief information security officer can help tame the fire before spreading.
Kiser concurs that lessening the number of tentacles an organization has better supports safety. Breaches existed in the pre-pandemic era as well, but the newly distributed nature of today’s organizations presents new challenges—especially as identity becomes the center of security strategies.”
But Iqbal notes that not all breaches have external origins. “It's easy to assume that employees inside the physical security perimeter present a lesser risk, however, insider threats present a complex and dynamic risk to domains of organizations,” he says. “Even the most trusted employees can do harm to an organization's resources, including personnel, facilities, information, equipment, networks, and systems.”
And for Collins, in-office employees pose an even greater threat than remote workers by displaying a level of comfort that could leave key information unguarded. “Even if you eliminate insider threats (employees with malicious behavior), people tend to let down their guard at the office. One of the easiest ways to access sensitive information is to walk up to someone’s desk and the computer is unlocked or sensitive information is not put away,” she says.
But more important than which type of employee poses a greater risk, Alyssa Miller, chief information security officer at Eqip, says is securing an organization’s framework. “Helping employees ensure their home networks, internet connectivity, and even personal devices that now share network infrastructure with the corporate assets is important. At minimum, organizations need to be committed to a comprehensive security awareness education campaign with their personnel.” She adds that helping remote and in-office employees understand best practices for securing their devices and networks and recognizing and avoiding potential attacks is key.
39% of respondents cite cyber security as their top concern this year.
Though some threats are inevitable, having the right protection in place can help identify the threat quickly, therefore minimizing the negative impact it will have on a company. The IBM survey found that shortening the time it takes to identify and contain a data breach to 200 days or less can save over a million dollars in costs. It also found that organizations that had a fully deployed artificial intelligence (AI) and automation program were able to identify and contain a breach 28 days faster than those that didn’t, saving $3.05 million in costs. And even the companies with a partially deployed AI and automation program did far better than those without one at all.
With this in mind, Dr. Kraemer says companies must update their processes and policies, especially for remote workers, or run the high risk of data compromise. He gives several ways to do this, including:
Since nearly 95% of cybersecurity breaches are a result of human error, another line of defense is having a well-educated team that understands how to identify threats and risks and knows what to do in the event of a breach. “I suggest organizations educate and train their workforce often on the risks they face and the protocols in place to help them avoid cyberattacks,” Lal says. “Next, executives need to make an investment in secure workplace communication platforms that are fully encrypted and don’t allow data to be tracked and give IT teams or CISOs account control.”
Lal also recommends simple measures, including:
A Zero Trust model is another avenue to pursue, becoming somewhat of a standard in workforce security in recent year. According to Iqbal, there are three approaches to building an effective Zero Trust security architecture.
Salesforce’s MacMillan looks at a Zero Trust model as the ultimate “home” security. “Implementing a Zero Trust architecture, where employees are only given access to the devices, applications, and systems they need to do their job, allows a business to put guardrails around the already-security-conscious workforce to even further reduce the chances of sensitive data being compromised,” he says. “Think of it like allowing someone into your home — just because you let them in the door doesn’t mean they need to go through all your bedrooms and cabinets.”
Dr. Kraemer says a Zero Trust approach replaces old unsecure methods that ran rampant during the pandemic and that made many organizations more vulnerable. “Surveys following the working-from-home shift caused by the COVID-19 pandemic crisis are concerning for security departments. Bring-your-own-device policies and out-of-date-software were some of the challenges,” he says. “Without a Zero Trust setup, employees must be forced to use VPN for work to get behind corporate firewalls.”
A data breach costs U.S. companies $9.44 million.
Businesses can install and implement all the new software and programs that they please, but it’s imperative that regular examination is performed to identify the differences new processes are making.
“IT teams and CISOs should do routine checkups of their systems to make sure there aren’t any weak points leaving them vulnerable,” Lal says. “Hackers are continually becoming more sophisticated and stealthier with their attacks. It is an organization's job to remain diligent in its protections.”
Miller says that collaborating with cybersecurity experts is one of the best ways to verify an organization’s security posture as it pertains to systems, processes, and procedures.
She lists some verification practices to employ, like:
penetration testing;
vulnerability scanning;
security program assessments; and/or
bug bounties (for companies with more advanced systems)
Businesses can also place themselves on a path to more secure systems by asking simple questions like the following.
In the end, each organization will have different needs, but one thing will be consistent across the board—the need to remain agile and secure at all times. “The proper protection is often subjective: what are the proper controls for this particular set of data, at this particular time, for these particular identities,” Kiser says. “Rather than a static concept, protections must be dynamic, responding to the changing environment.”