Working from home has created enormous pressure on IT and security teams, who are struggling to keep up with the demand for secure connectivity. Adding insult to injury, their efforts seem to not be appreciated: 91% of IT teams surveyed have felt pressured to compromise security, 76% have prioritized business continuity over security and 80% feel that security is a thankless task. But the problem is not just with how they feel: 83% believe that working from home is a ticking time bomb for a security breach - be it ransomware, vulnerabilities in unpatched devices, data leaks, or another type of attack. These are all the results of an alarming new HP report.
The Security Risk All Companies Are Exposed to
The survey spanned 1,100 IT decision makers in the UK, the US, Canada, Mexico, Germany, Australia, and Japan. A second data source for the report was a YouGov online survey of 8,443 remote employees from the US, the UK, Mexico, Germany, Australia, Canada, and Japan.
“Cybersecurity needs to be something that everyone can buy into. Cybersecurity teams need to keep the business safe, but users also need to play their part,” says Joanna Burkey, CISO at HP.
But what happens when users don’t play their part? With 48% of employees surveyed saying they consider security a hindrance and a waste of time, and more than a third believing security policies are too restrictive, companies need to find a way to keep security a priority while addressing employee animosity or indifference.
Otherwise, they will find themselves susceptible to attacks, as 31% of young employees have already actively tried to circumvent security. At the same time, the rise in the scope and sophistication of cyber attacks has increased the risk of attacks. IT teams foresee the following threats as most dangerous:
Ransomware (84%)
Unpatched vulnerabilities and firmware attacks on laptops (83%)
Data leakage (82%)
Account/device takeover (81%)
Targeted attacks and man-in-the-middle attacks (79%)
IoT threats (77%)
Printer firmware attacks (76%)
What Are Businesses To Do?
The survey makes clear that businesses are at risk of growing resentment between IT teams and remote employees. This could lead to an organizational culture of distrust and result in IT teams leaving companies at precisely the same time the network is becoming more vulnerable. And even if employees don't take this most dramatic step, lack of trust is still destructive for companies and could result in network architectural damage as well as decreased morale and productivity.
To contain and fix this situation, businesses have three main modus operandi:
Employee Education - Educating users about the value and importance of security. This encourages employees to operate out of a place of sensibility and understanding and will ultimately help ensure security. However, education, which should ideally be ongoing, is a resource-intensive and time-consuming process, and it will be very difficult to ensure all employees are convinced. Business continuity might be compromised as a result.
Limit and Restrict Security Policies - This “stick” part of the “carrot and stick” approach encourages doubling down on employees who create security vulnerabilities by creating more rigid policies and threatening employees who circumvent them with grave consequences. These methods hardly ever work, though they do create resentment and could result in employees leaving the company. In addition, even if policies do become stricter, the question of business continuity is still not resolved.
Make Security Easier - A “carrot” approach, encouraging users to abide by security measures because they are easy for them to follow, do not affect system performance and do not impair business agility. But is this really possible?
5 Best Practices to Make Security More User Friendly for Remote Employees
Here are five of our own tips for implementing security for remote employees while ensuring they work with and appreciate IT teams:
1. Choose a Modern Security Approach, Like Zero Trust
Legacy security solutions that are based on the castle-and-moat approach, like VPNs, create a cumbersome experience for employees, and beyond this, they are not even secure. On the other hand, zero trust continuously authorizes employees when they access apps and assets, without their having to wait to connect or install anything on their machine. This approach is not only more secure but it also provides quicker access for employees. Connectivity is as fast as your network.
2. Ask Your Cybersecurity Provider the Hard Questions
When choosing a security provider, ask how they can help ensure employees comply with security policies. For example, is their UI user-friendly? Is the set up minimal? Can users connect seamlessly to assets? Here are 7 questions questions you should ask before choosing a zero trust provider.
3. Adapt Your Security to Your Current Environment (and not the other way around)
Your traditional architecture might have consisted primarily of employees sitting in main office branches. However, with the proliferation of remote work and more employees implementing BYOD, today's network architecture is spread out globally. You may have even had to adopt cloud services to accommodate them. Is your security solution intended for this new way of work? Employees will very likely be more willing to adopt security policies if they see that an effort was made to ensure it works for them, and they’re not the ones working for it.
4. Research Recent Attacks and Share the Information
For better or worse, no amount of technology can fully mitigate the risks inherently posed by humans and our unpredictable behavior. To help your employees understand the risks and actually want to implement security measures, gather and share information about recent incidents and breaches. Then, when you surprise them with a modern and user-friendly solution, they will be thrilled to take part and help keep your company out of the headlines.
5. Understand Employees’ Business Use Cases
Talk with employees to understand their business needs. Some might be managing M&As, others might be developers who need to fix bugs. A third group could be customer-facing professionals who need access fast to answer questions. Discover when, why and how they need to connect. Instead of applying a “one-size-fits-all policy, try to find a solution that will ensure their security, while letting them continue doing their job.
What to Do Next
Many companies are facing a tipping point, and they need to decide whether they concur in being vulnerable to cyberattacks in the upcoming months and years. But contrary to what many may think, there's no need to choose between business continuity and security. Modern solutions like zero trust can provide both, while also ensuring organizational cooperation between IT and all employees. Talk to us to learn how this approach can be applied to your organization.
