Remote-work as a challenge for security
Considering people, processes, and technology when planning for remote work is important. Organizations must always put people first and see the world through their eyes to make remote-work work. Otherwise, they will run the risk of their employees undermining compliance processes and using shadow IT, simply because they cannot get their job done otherwise. A people’s perspective is hence crucial for remote work.
A people’s perspective is crucial for remote work.
It is also crucial to cover the basics of IT security, regardless of where people work: security policies must be updated to reflect processes of working remotely; Secure communication channels must extend to remote locations; access to sensitive information should be limited where possible; regular training should be in place to remind people of important compliance and security requirements; and crucially, monitoring and audit need to be updated. Companies will run high risks of data compromise without updating these processes and policies for remote work.
Lately, there is a lot of talk about Zero-Trust. Conceptually, Zero-Trust is the opposite of the walled-off castle philosophy that has dominated IT-Security for so long – my enterprise network is my castle, and I will stop all attackers at the walls. With cloud computing being common and supply chain cyberattacks on the rise, this once firmly established boundary can no longer be clearly delineated. Any system inside the network must now be considered its own stronghold, for which all appropriate security measures must be put in place. This is the paradigm shift of Zero-Trust, and this approach offers better security than a traditional model with VPN connections for remote workers.
Considering people and company culture must not be underestimated.
Again, considering people and company culture should not be underestimated. Not every company might be ready to adopt Zero-Trust. The technological shift requires time and money that might not be readily available. The most important thing for any enterprise would be to get the basics in place and to bring their workforce up to speed with compliance and security training. Besides the technical challenges, there is a cultural gap between remote work locations and the office – there simply is less social glue as opportunities to socialize in person, to observe others doing their job, and to have one’s finger on the pulse of the company are diminishing. These factors directly impact your employees’ motivation, security awareness, and security behavior. It is therefore crucial to build bridges between remote and on-site workers.
Shared responsibilities of protecting customer data
Now, all these considerations matter hugely for organizations that must protect their own and customer data in the new work era. The organization is responsible and liable for the protection of data. There are some caveats as I discuss below.
Generally speaking, the company is responsible for data protection, and that is true for the US as well as for Europe. But companies will make their employees share this responsibility to comply with local laws and sector-specific regulations. Depending on the sector and jurisdiction, companies face reporting requirements for data breaches. To comply with those and to avoid litigation, organizations will make sure their employees are aware and sign off on legislative and regulatory requirements. Businesses will hold their employees accountable for data protection compliance. That’s why many of us have to complete annual compliance trainings.
Failure to comply with company policy can have different causes and consequences. Depending on jurisdiction and the terms of employment, employees can be punished for deliberate and accidental breaches of data protection. If the breach is accidental and occurred as part of activities the employee could be reasonably expected to carry out for their job, the company will most likely be liable. While employers might be inclined to introduce financial fines and other reprimands, organizations must avoid creating a culture of fear and blame that hampers productivity.
The case is very different for employees deliberately causing data breaches. Employers are extremely likely to treat those as gross misconduct to dismiss employees without notice and pay. For example, the US Supreme Court ruled in favor of employers, stating there could be no vicarious liability for rogue employee data breaches. The situation is similar in the UK, where employees were fined by data protection authorities for intentional data breaches, such as sharing data with personal email accounts. Another example is Lithuania, where employees can be asked for compensation according to the Labor Code. Contracts can even be terminated for negligence or malicious intent.
Germany makes for a particularly interesting case study, as the country is known for its strict labor and data protection laws. Local legislation explicitly states that employees are responsible for protecting personal data on the job. Failure to comply is a violation of labor law and criminal law. In one instance, a 55-year-old woman was fired after 34 years on the job for repeatedly accessing personal information of friends without good reason (LAG Berlin-Brandenburg Az. 10 SA 192/16). Although it is the employer’s responsibility to be compliant, employees must exercise diligence and care when working with personal data.
Consequences of data breaches
As discussed above, companies are liable for compliance with legislation and regulation. Failure to comply results in hefty fines. Under the European GDPR they can face financial fines of up to 4% of annual turnover. Fines against Meta Inc. In Ireland are examples thereof. In the US, French retailer Sephora was hit with $1.2 Million fine under CCPA. Especially under GDPR, financial penalties can pose a risk to the business.
Reputational damage is another big issue. In the past, data breaches have affected to stock prices. Stock prices have recovered soon enough in most cases, and today we can observe stock prices being less and less affected by data breaches — lasting damage to the business is still possible, as the extend to which stock prices are affected depends on the kind of breach, the recurrence of breaches, the data leaked, the management of the breach, and more factors. This might be a testament to better business continuity planning and higher resilience of businesses, such that customers can be assured the company will get back on track quickly. It might also be a recognition of the inevitability of data breaches. Companies should still consider the consequences for their reputation. The long-term effects of that are difficult to measure or estimate, but once customer trust is lost, it is very difficult to regain.
Once customer trust is lost, it is very difficult to regain.
An issue often overlooked is the mental health of people inside the organization. This includes those “in the trenches” fighting the incident and employees that might have caused it. As defenders, security teams might feel like they are constantly on the back foot. A good day is one without a breach. Because of a lack of positive events and a dark outlook in the general, the long-term motivation of infosec teams becomes a challenge. Employee retention is also an issue with victims of cyberattacks such as employees who accidentally caused data breaches. It is paramount to maintain clear communication and a positive culture around reporting cyber incidents. Chances are that enterprises will be hacked in some way that involves social engineering. Good communication will put as much emphasis on what happens before an attack to avoid it happening as much as on the emotions employees go through after an attack. Preparation in that regard is key, and must also involve information on procedures that should be followed in face of a breach.
Understanding the risks involved
The risks of remote work hugely depend on an organization’s IT architecture and security maturity. With Zero-Trust the idea would be that there is hardly any difference in risk when it comes to protecting systems. In a reality without a Zero-Trust setup, employees must be forced to use VPN for work to get behind corporate firewalls. Surveys following the working-from-home shift caused by the corona crisis are concerning for security departments. Bring-your-own-device policies and out-of-date-software were some of the challenges. Employees delayed updates and stopped following policies.
There was also a very significant increase (around 270%) in social engineering attacks. As explained above, culture and environment is an important factor when it comes to motivating and fostering secure behavior. It is therefore reasonable to assume that employees are more likely to fall victim to phishing attacks when working from home. The judgment on this is still out, though.
The situation is different for physical information, which is easier protected in one central physical location that has measures and procedures in place routinely. It is good practice to prohibit physical files from being moved out of the office.
Establishing organization-wide security standards
What minimum measures must organizations cover to stay ahead of security in a remote-working world? There are a number of steps organizations should follow (similar to my recommendations for higher education):
- Ensure compliance with laws and regulations
- Implement industry standards such as ISO 27001 or the NIST framework
- Carry out regular audits and monitoring
- Empower your employees to make smart security decisions
When it comes to securing your data and protecting your customers, your employees – on-site and remote – are your biggest asset. As the last line of defense, your employees make important security decisions every day. They frequently stand between a breach and defending against an attacker.
I was also interviewed on this topic by HRO Today.