Enterprise Mobility & the Connected Worker Blog

Cybersecurity: The Promise & Peril of a Hybrid Workforce

by Emily Gove 7/19/2022

Amidst major events of the last three years, risk assessments have become a critical part of leadership discussions. Hybrid and remote work, long dismissed as a threat to office “culture” and productivity, are expected job components for new employees; however, amid a multi-year pandemic, supply chain disruptions, and ongoing waves of the “great resignation,” cybersecurity has fallen low on executives’ priority lists, putting their organizations at growing risk of cyberattacks through their hybrid workforces. At the dawn of the pandemic, a VDC end-user survey showed that over 40% of leadership in sectors ranging from public safety to healthcare to transportation viewed strong IT infrastructure as the most important contributor to pandemic adaptability. Strong infrastructure has become increasingly hard to maintain: companies now face a range of cybersecurity risks around hardware, software, and connectivity, with added human risks deriving from both employees and their employers.

The need to onboard many employees remotely during the pandemic opened up a new world of flexibility for workers, who had the option to use company devices at home (COPE) or to bring their own devices to the office (BYOD) as restrictions lifted. Flexibility around hardware options was welcomed by employees, but diminished the control and oversight that IT departments had pre-pandemic. Device makes and models, once determined by technology officers, have become difficult to obtain from hybrid workers, who may not report new purchases, or may use personal devices without reporting them. BYOD also increases the number of endpoints that IT departments need to monitor, some of which the department may not have full access to. A recent study found that 68% of organizations experienced one or more endpoint attacks in 2020, a rise that coincided with many employees beginning to work from home.

As the line between work life and home life blurs for workers, so does the line between company and personal property. IT departments face the new challenge of protecting, tracking, and monitoring devices that a company does not own in order to protect the data stored on them (for BYOD devices), while at the same time seeking to protect company-owned devices without encroaching on the personal property of workers who use the device outside of the work day. With over 50% of remote workers accessing customer data through a personal device and only 40% of companies reporting visibility of more than half of their assets, there is a significant gap in oversight that leaves companies exposed to attack. Device sharing among workers further increases the variables that IT departments must deal with: in 2020, the majority of leaders surveyed by VDC reported that some or all of their organizations’ devices were shared amongst mobile workers (over 80% in retail and over 70% in the transportation and healthcare sectors).

Organizations practicing BYOD, COPE, or device sharing would have the greatest likelihood of mitigating cyber risk by allocating time and space for IT teams to build out onboarding processes. Doing so would enable IT leaders to achieve greater access to and supervision of all hardware, as well as influence over workplace security culture at a time when it is most needed.

IT departments have sought to maintain hardware oversight through software and cloud storage, both of which can come with challenges. Employees may avoid installing risk monitoring software on their devices, viewing it as a privacy invasion or time drain: about half of younger workers try to get around security protocols in an attempt to save time. Conversely, attempts to better protect or store data through the cloud may backfire: many IT leaders view the cloud as an added risk to company information. Shadow IT, in which non-IT departments lead software purchases or development, poses additional software risk, as IT departments have less visibility of new purchases and struggle to track them. Oomnitza, an enterprise technology management company, notes that IT leaders may think they use 30-40 SaaS apps, but actually use over 200. The proliferation of company apps presents significant risk: 61% of malware targeted remote employees through cloud apps in 2021.

At the center of tensions between hybrid workers and IT leadership lie conflicting departmental values. While IT teams see the mounting risk that organizations face as they become more flexible, and will be accountable if there is a data breach, other department heads strive to improve productivity. Adding new apps to organize and upload company data, syncing a company email account with a smartphone to check email in off hours, and downloading work projects to personal devices for the sake of finishing a task over the weekend are all examples of the productivity values system in practice, and all pose major security risks. With so much added software and cross-device access, it also becomes likely that the off-boarding process may overlook access points and leave vulnerabilities across data platforms.

Companies may take a number of approaches to mitigate software- and cloud-related risk. Bringing IT leaders in closer contact with other departments or creating safety/resilience task forces could help reduce risk brought on by Shadow IT. Procedurally, increasing the presence of IT departments in off-boarding processes could help identify additional software and access points of departing staff that departmental managers may miss.

Connectivity and Sharing

A final area of risk lies in home networks and the employees themselves: 71% of IT leaders report that they lack complete visibility into employees’ home networks. Hybrid and remote work both require that employees have an internet (and often cellular) connection when working away from the office. As with new software or personal devices, companies have less information and oversight around personal networks. These networks may be less secured, or may be shared with family members, increasing the variables and risk levels for a connection-based attack. Segmentation, or splitting the internet connection into home and work segments within a worker’s home, can help to reduce, or at least isolate, attacks.

The many emerging risks of cyberattack underscore the importance of IT spending for organizations with a remote or hybrid workforce. These new ways of working hold the promise of flexibility and may lead to more satisfied, enthusiastic employees, and companies willing to invest in cybersecurity protections are likely to reap the rewards as hybrid work models become permanent. For each area of risk, companies looking to bolster their protections against cyberattack should carefully examine where time and resources are currently dedicated, and shift more investment to IT as a key preventive strategy. What this looks like depends on an organization’s size and financial outlook: organizations forecasting higher or stable profits would do well to increase their IT budget, while those weathering added logistics and input costs should add more IT guidance and structure to their on- and off-boarding processes. In each approach, leaders must navigate tension between HR, workers, and IT departments: continued challenges around staffing and worker tenure have shifted the power balance in favor of workers, and IT departments must avoid hampering the user experience as much as possible with any new security measures.
