Remote Working: Is the Cyber Risk Over-Hyped?

It’s the most significant workplace trend of 2020, but what impact does it have on the cyber security of a business? We speak to Protiviti’s technology team to understand the rapidly changing landscape of ‘working from anywhere’.

If you explore the debate about remote working and cyber security, it’s easy to find contrasting information. There are people who argue that working from anywhere with your own devices creates additional risk for companies. There are also those who believe this risk is over-hyped.

Some believe that even in the face of an overnight switch back in March, the growing trend of remote working meant businesses were ready for the change. They had their endpoint security set up, controls in place and, importantly, colleagues who were trained on working securely from remote locations.

But on the other side of the debate, this picture is less clear cut. There is a school of thought that believes people working remotely cause more headaches for security teams. The attack surface of a business is larger and there are more issues with verifying people’s identity. This creates more opportunities for hackers.

“I’m in the middle of those two arguments,” says Thomas Lemon, who leads Protiviti’s technology consulting practice in the UK. “Working remotely changes the way your threats can proliferate and your risk profile. If companies have changed the way people work without understanding this, of course there is going to be additional risk.”

His colleague Vinayak Ram, a director at Protiviti, agrees. “Companies like GitHub, for example, have always operated remotely,” he says. “They have processes designed for it, but many businesses are still adapting to remote working.
They still need to develop the right mix of technical and awareness controls for people to work securely.”

The inside story of remote working

This is what we know to be true. Before the coronavirus pandemic, some companies were working remotely part of the time, and others were fully remote. The trend of people using their own phones and computers for work has been developing for several years. And there was a widespread expectation that these things would continue to grow.

The impact of these changes meant that more devices were being connected to corporate networks from different locations. The old enterprise perimeter, where security was typically enforced, was dissolving; the devices themselves were becoming the edge of the business. That meant finding new ways of protecting it.

In 2020, Thomas and Vinayak have watched these trends accelerate fast. They have witnessed five years of technology change in six months. They have worked with businesses making the switch and scrambling to provide equipment. They have also seen businesses forced to allow users to connect with their personal laptops as an emergency response measure to keep the business going. Their experience has given them a unique window on this debate.

“In the first part of the pandemic, in the weeks from mid-March, companies had to implement tactical measures to respond,” says Vinayak. “They had to adapt to people working remotely and not everyone was able to provide laptops to all their staff. Now, we have been in this place for six months, and we need to assume it’s the new normal. It’s unlikely we will go back to a full-time office environment anytime soon.”

They both believe companies are ready to move into the next phase because they have been reflecting on their actions. Internal audit teams are now looking at remote working arrangements and asking whether the right things have been done. Boards are also asking if their businesses are secure.
“We are beginning to see these conversations emerge,” says Vinayak.

“For some companies, it has been pretty straightforward, such as those that are born digital; for others, it has been quite a change,” says Thomas.

Technology and training: it’s really all about risk

Vinayak and Thomas are asking companies to think about their new risk profile and how they will secure data in future. They believe that looking at the big picture first will unlock what has been happening during the pandemic. This will give security teams the chance to discover what’s being used, assess their capability to protect it, and put the right controls in place.

Vinayak explains there will be a combination of human and technology solutions to help move forward. But companies will need to consider everything. In a typical office environment, for example, people are used to printing a lot of documents. There are secure boxes to store information and secure waste collections to destroy data. But most people don’t have the ability to do those things at home.

In addition, people working remotely are sometimes with friends, roommates or partners, and confidential information is being discussed. Not everyone will appreciate the need to be discreet. This is especially true in sensitive, regulated industries. In the office, workplaces are designed for these discussions, but at home, they’re not. “These are the kind of things people need to be looking at,” he says.

In the past, the technology focus for security leaders was about securing devices. But they can’t do that now because, in some cases, personal laptops are being used. The next best thing is to secure the data. If that can be done as it flows through the company, a secure system can be designed. People can be given access to the network, providing they can prove their identity on a device that has basic security controls. The company can secure data by restricting where it can be stored.
There might be limits on local storage or uploading to websites in the cloud, for example, but the data is wrapped in a bubble. That will determine who can do what and where.

“These are subtle points, but they are all tied back to risk,” says Vinayak. “It’s about training people to behave in a slightly different way and helping them to become aware.”

What happens now?

Companies are coming around to an understanding that remote working is here to stay. The forward-thinking ones know that designing processes to help it happen will be beneficial in the long term. While arguments about the security of remote working will rumble on, the debate will become less about where people are working and more about understanding the risks involved in each case – and then doing something about them.

“As always, attackers will find new ways to target you; it’s a constant game of cat and mouse that we play,” says Vinayak. “You are forced to respond and make yourself more immune to these things. It’s about investing your time now and putting the right controls in place when you can rather than responding in crisis mode.

“Remote working is not necessarily riskier than working in an office. If you put the right mix of technical and awareness controls in place, you can set up an environment for people to work from wherever they want. But it’s important to understand the risk profile of the business and how to secure data.”

October is cyber security awareness month. The theme for 2020 is ‘Do Your Part. #BeCyberSmart’, which is aimed at helping to empower individuals and organisations to own their role in protecting cyberspace. During the month, Protiviti will publish a series of articles that will explore the thoughts and ideas of our technology leaders, and the future of cyber security.