Work from home, which was once an early-pandemic precaution, is becoming a norm across industries. It is likely that the pandemic has shifted how people work forever, with half of employees expecting to work predominantly from home or in a hybrid home-and-office system going forward.
However, just as in the early days of the pandemic, cybersecurity while working from home is still a concern for IT departments around the world. Businesses must take this into account as they pivot their cybersecurity stances to meet today’s threats.
As employees gain more flexibility in a work-anywhere business culture, data will do the same. Writes Chris Reffkin, CISO of Fortra, of data security in 2022, “As the lifeblood of the business, data will be more disparate, mobile, and accessible than ever, which has enormous implications for the security teams tasked with protecting this environment.”
Making matters more complicated, employees have taken to using personal devices for work and using employer-supplied devices for personal usage. But is this flexible usage sustainable for cybersecurity?
What is BYOD?
Bring your own device (BYOD) is a practice that allows employees to use personal devices for work. This is relatively common, with a Bitglass study finding that 69 percent of organizations allow this practice. However, it can lead to a lack of visibility into business-related apps (think enterprise messaging tools and file-sharing applications) that is difficult to combat.
To simplify the transition to work-from-home employees and BYOD systems, several security-focused organizations, including the National Cyber Security Center (NCSC), have released guidance to help companies create robust internal policies for this new IT setup. However, Luna R, an NCSC Senior Platforms Researcher, argues that “you cannot do all your organization’s functions securely with just BYOD, no matter how well your solution may be configured.” Work devices tend to have the most protections, and the greater the proportion of secure devices, the less risk your organization runs.
Is BYOD a Security Nightmare?
It can be. BYOD is nothing new: for years, it has been common for employees to access corporate networks using personal devices. But that unguarded access is what makes security complicated.
Part of the difficulty of BYOD is how little control it gives IT over security on employees’ personal devices. Workarounds like multi-factor authentication for work-related applications and websites, a VPN (Virtual Private Network), regular cybersecurity training, and security software can boost security on even the most private employee’s cell phone. But they are not the be-all and end-all.
Another complication with BYOD and WFH is that employees are accessing more company data more often, and increasingly from unsecured devices. Says Ian Pratt, Global Head of Security at HP, “IT decision makers have seen evidence of compromised personal PCs being used to access company and customer data.”
Compounding the risk, those who work from home tend both to access company data more frequently than they did pre-pandemic and to use their work-provided devices as personal computers. In fact, 46 percent of employees say they think of their work laptop as a personal device, per an HP study.
Attackers are relying on this shift. They have started setting traps for WFH employees: dedicated malware that relies on social engineering. And with IT trying to protect both work and personal devices, it is getting easier for attackers to break through.
BYOD vs. Business Devices for Personal Work
The lines between work and personal life have been blurred due to working from home, admit three-quarters of employees. It is the opposite of BYOD: with company laptops in their homes, employees say they use work devices for personal use, and vice versa.
With that habit comes some behavior that might not occur in a cubicle: downloading media and files, opening personal email attachments, watching online streaming services, and more. While these activities are not inherently dangerous, hackers have accessed internal systems with less. IKEA learned this the hard way when an attack was initiated via a malicious Microsoft Excel document that an unsuspecting user downloaded. Once editing was enabled, the malicious payload was downloaded, too.
Insecure practices keep putting enterprises at risk. It is not all due to employees, however. Threat actors have amped up their attacks, putting already at-risk processes in further danger.
The Risks of Distributed Data and Workforce
The average cost of a data breach increased by 10 percent year-over-year in 2021, as did the number of data breaches as a whole. Unfortunately, remote work played a role in raising both numbers: data breaches that involved remote work cost an average of $1.07 million more than those that did not.
It is not only remote workers who are targeted or the weak point; attackers are opportunistic, and during the tumult of the last couple of years, they have been taking advantage of security gaps on all fronts. While this includes the distributed workforce, Reffkin adds that, “The new business ecosystem is emerging against a backdrop of more diverse, persistent, and disruptive threats to data and operations. These threats target every layer of the organization – from software systems and infrastructure to employees and the supply chain.”
The majority of IT decision makers agree, and report higher numbers of attacks, including phishing attacks and web-browser-related infections.
To stay ahead of these threats and others, organizations must stay committed to engaging and educating employees on the growing ingenuity of hackers, as well as identifying security gaps in their systems and processes and discovering new safeguards they can implement.
BYOD and Work from Home – Safely
Says Reffkin, “In terms of remote working, we hope to see a greater emphasis on good security fundamentals as opposed to adding potentially unnecessary tools to the security stack.” These essentials include – but are not limited to – the following:
- Securing your devices and network with robust cybersecurity solutions
- Using common-sense practices (like locking your home, not leaving devices in your car, and using only trusted hardware and accessories)
- Using MFA, controlled access, and VPN
- Ensuring that employees know what tech solutions are available for business use, and how to use them (to avoid shadow IT)
- Keeping your data safe throughout the data security lifecycle
- Continually educating employees throughout the organization on new and existing threats, and how to spot and avoid them
- Creating a work-from-home cybersecurity policy
Your Data Security is Only as Strong as Your Processes
Your data is only as secure as the processes you have in place. When you layer robust security solutions, you are taking steps to ensure that your data is protected from start to finish. With Fortra’s suite of data security solutions, you can fill any existing gaps in your organization’s data protection needs, improve upon your existing processes, and ultimately strengthen your data security from end to end.