Remote work: Make cybersecurity a top priority, say data security pros

Workers using personal devices for work has opened up a huge new pathway for cyber criminals to gain access to sensitive company data – 91% of data security professionals see high risk implications from remote work, says a new report.


Senior leaders see big data security risks coming from remote work and hybrid schedules, a report has found.

FTI Consulting’s “The Most Valuable, Vulnerable Commodity” reported that 91% of data security professionals have seen negative risk implications from remote and hybrid work.

Forty-five percent of respondents say remote and hybrid work has increased the potential for data breaches, while 41% say data has been shared on and through unapproved devices, systems and networks outside their company data privacy policies.

In addition, 38% said remote work has increased their potential attack surface, meaning the potential avenues unauthorized users can use to access company data.

“It’s not just data volume that’s growing,” the report reads. “New tools and platforms, particularly for remote collaboration, are giving rise to a host of non-traditional data types and formats.”

FTI Consulting surveyed 150 senior and C-suite executives around the world for this report, many of them general counsel.

The report likens data to “the new oil,” an immensely valuable asset for businesses but also one that can create cataclysmic fallout if those entrusted with protecting it, including legal chiefs, fail to do so.

Information technology security expert Daniel Andrea, a partner at the cybersecurity consulting firm KLR, said in a recent article that companies with remote workforces often also allow employees to use their own devices, instead of company-provided ones.

These policies, referred to as “bring your own device,” or BYOD, often become a massive vulnerability, Andrea said.

Executive risk consultant Kelly Geary said that during the COVID-19 pandemic many companies suddenly switched to remote work schedules. The initial motivation was to protect employee health, but then companies were reluctant to call employees back to the office because they didn’t want to lose them during the Great Resignation.

Criminals are often coming up with schemes to obtain sensitive data on personal devices faster than companies are able to adapt to defend that data, Geary said.

“All of my large clients have bring-your-own-device policies in place,” said Geary, the national executive risk and cyber practice leader at EPIC Insurance Brokers and Consultants. “They allow employee-owned smartphones, tablets, and laptops to be used, so employees can access firm or company networks on their own devices.”


Personal devices often come with preexisting vulnerabilities, such as out-of-date security software and a scarcity of the network controls that in-house security specialists use to defend company data.

The consequences of this vulnerability can be dire. Andrea cited a study by Ponemon that found companies with more than 80% of their employees working remotely paid about $5.1 million following a data breach in 2022. Meanwhile, companies with less than 20% of their employees working remotely paid an average of $4 million.

“That isn’t to say that employers should put an end to all remote working arrangements,” Andrea wrote. “But a critical takeaway from Ponemon’s survey is that cybersecurity should be a top priority when you allow remote working arrangements.”

Geary said companies trying to tighten cybersecurity policies might be wise to review the language in cyber-liability insurance policies. Such policies have long lists of security protocols companies are required to implement for full coverage and can serve as useful guides for best practices.

Another robust method of staying secure in the age of BYOD is to develop incident-response playbooks, outlining procedures for mitigating and responding to data breaches once they happen.

In addition, Geary stressed the importance of testing those playbooks with rehearsals and practice runs. Many companies have the playbooks, but few consistently test them.

Remote work won’t go anywhere, Geary said, and companies will have to adapt to this new normal.

“The pandemic propelled remote work forward and accelerated that move,” Geary said. “Now, we’re all trying to find the balance.”