Security, not technology, will make or break hybrid working
Combined home and office working will become ingrained as a long-term model over the coming year. Doing this securely and sustainably demands a major culture shift; every employee must be accountable for protecting corporate and personal data. In an ideal world IT teams would have visibility across the whole, now distributed, environment: who’s accessing systems, networks and applications, from where, and using which devices. With entire workforces ‘out in the wild’, however, this just isn’t possible, so greater responsibility for security needs to be devolved onto the individual.
Ongoing awareness and education programmes are essential to ensure disparate teams follow information security best practice and comply with regulations such as GDPR. However, a lack of employee education was singled out as the biggest cybersecurity weakness in lockdown by almost a third of respondents to a recent Twitter poll conducted by Apricorn. More than 40 per cent admitted they weren’t fully prepared to work at home securely and productively, with 16 per cent not even sure how to.
If employees are to become guardians of their company’s data, organisations must ensure they’re aware of the security risks associated with hybrid working, and provide comprehensive, up-to-date guidance on how to manage them.
Any holes in security policy will create unacceptable risk. It’s important to review, update and improve policies for remote and mobile working, and implement rules that govern the use of personal and company-provisioned equipment. Specific policies should be created around the necessary steps to comply with all regulatory requirements the company is subject to.
These policies need to be communicated directly to employees, with clear instructions on how to adhere to them.
According to research carried out by Apricorn in 2020, employees unintentionally putting data at risk remains the leading cause of a data breach, with lost devices the second biggest cause.
Organisations are increasingly turning towards encryption as a straightforward way of protecting data in the new working environment. It virtually eradicates human error and can enable employees to use their own devices securely – a key safeguard as smartphones, tablets and even voice assistants proliferate across enterprise networks. Encryption is specifically recommended in GDPR Article 32 as a means of protecting personal data, making it a key part of the compliance toolkit.
Deploying corporate-approved removable storage devices with built-in hardware encryption across the workforce ensures that data can be stored or moved around safely offline – for instance, when it’s being moved from office to home – even if the device ends up in the wrong hands.
Hardware encryption offers much greater security than software encryption – particularly when users access the device via a PIN pad. All authentication and encryption processes take place within the device itself, so critical security parameters are never shared with the host. This defends against malware attacks such as keylogging. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorised to access it.
As part of the cybersecurity education programme, employees will need to be trained in applying encryption techniques, as well as the correct use of any encrypted devices.
Every employee must be grounded in the foundations of basic security hygiene. Experts are predicting a rise in criminal attacks in 2021, as hackers take advantage of continued remote working – in particular through ransomware, malware and phishing.
It’s easy to let good habits slip when you’re moving between workspaces and devices, getting the hang of new working models, and striving to be productive. All employees should receive ongoing training in the basics of security hygiene – such as the need to change home wifi and device passwords, the risks of sharing files using consumer apps, and how to recognise common attacks.
A culture of accountability
Training employees in the ‘what’ and ‘how’ won’t be enough to build a culture of information security across the entire dispersed workforce. This isn’t something that can be done by enforcing policies; employees need to be engaged with it. The most effective education programmes will also cover the ‘why’: the reasons data protection is important, and the specific risks and consequences to their company of a breach. This will ensure everyone understands their specific role in keeping information and the business safe in the hybrid working environment.
Employees have a critical role to play in executing their organisation’s cybersecurity strategy, from recognising threats to correctly applying policies. At present, it’s questionable whether they’re ready to fulfil this role. As the volume of data being moved and shared outside the office security perimeter continues to surge, education will play an increasingly important role in improving the security posture and preventing internal and external data breaches.
Jon Fielding is managing director EMEA at Apricorn