With only specific industry exceptions, the days of your entire staff sitting in the same office—or in boardrooms taking meetings—at once, are largely gone. Nowadays, knowledge-economy workforces are becoming increasingly mobile, as employees continue to seek greater flexibility to work from home (or wherever they choose). The tacit agreement is that even though their hours may fluctuate, employees’ work will be done and delivered according to specifications. In many cases organizations are beginning to do away with formal hourly work expectations altogether.
Indeed, remote working—also known as telecommuting—has become commonplace across industries, save those where employees must be physically present in a work environment to do their jobs, such as manufacturing or retail. Many leading employers, in particular technology firms, have leveraged flex-time and remote work to attract, retain and engage top talent. They really had no choice. As the likes of Facebook, Google, Apple, WeWork and other Millennial-friendly employers changed the labour landscape over the past two decades, even small and medium-sized organizations found themselves needing to match benefits and perks to compete
Then they began to understand the security issues that emerge when employees are essentially given the reins to manage their own IT risk, but in most cases without the training and expertise needed to do it properly.
Security data tells a tale
An Ipsos poll for data security firm Shred-It released last year underscores the challenges facing organizations that seek to provide worker flexibility, while also trying to mitigate escalating security risk. Fully 82 per cent of the C-suite executives at enterprise-sized organizations and 63 per cent of small and medium-sized enterprise (SME) owners polled felt greater exposure to a data breach when employees work off-site. The majority of large organizations (89 per cent) and SMEs (50 per cent) report offering workplace mobility, and most executives and business owners feel that that offering the option to work remotely is becoming increasingly important.
Still, slightly more than half of SMEs say they have formalized data-management policies for off-site employees, while only 27 per cent train their employees on key data protection concerns such as public Wi-Fi usage. Just 38 per cent say they have protocols to govern the handling of confidential information. That compares to large organizations, 93 per cent of which report having formal security policies for off-site employees, while just fewer than half say they train employees on the use of public Wi-Fi—a major data-management vulnerability. Fifty-three per cent of off-site employees working for large companies say they allow friends and family to use company-issued electronic devices, and the same number say their devices could face interference at home or in public spaces. That’s shocking when you consider that some of these employees could be handling everything from sensitive industrial information to customer financial data. Regardless, it means many are exposed to hackers or other cyber malfeasants looking to cause trouble.
One of the greatest challenges that organizations face in allowing members of their team to work remotely is a lack of control. As the Shred-It survey underscores, when anyone in a household has wide open access to sensitive information when a laptop is simply left unattended, that’s a major problem. And that’s just one of many potentially troublesome scenarios.
Wi-Fi a major risk exposure
Far more likely are Wi-Fi-related security incidents stemming from the use of unsecured networks at coffee shops or in other public places. While many of us assume that no one would bother to attempt to peer into our devices while we sip a latte and surf the Net, the reality is that an open Wi-Fi network is essentially an open door to an unprotected device.
Let’s not forget that phishing scams or outright hacking are also major sources of risk that are too often ignored. In many cases, we find that some employees will be less vigilant while working off-site, often letting down their guard and engaging in risky online behaviour. Why? Because we’re all human, and when we don’t think we’re being watched by the boss, we’ll sometimes cut corners and ignore protocols.
That underscores the argument for providing employees with VPN (virtual private network) access when working off-site, and requiring them to use it when logging on to their device. The problem, of course, is that enforcement becomes a challenge when employees are out of sight. Many use their personal electronic devices to conduct work business, and don’t password protect them (or at least not adequately). That leaves both personal and business data at risk of exposure which, again, is amplified when using free Wi-Fi networks.
Why employee training and policies matter
Ultimately, the onus is on organizations to have policies in their workplace manuals that address data security and management, while providing (and enforcing) protocols that must be followed at all times. Rules should state clearly that any breach of these policies could be cause for discipline or termination. Employees also need to be properly trained to understand and identify potential security risks, and in using the security tools they’ve been provided. I’m not only referring to safeguarding phones and laptops. Many employees also use USBs or portable hard drives, or even travel with hard copies of sensitive data, that can just as easily be stolen.
Every employer wants to provide greater flexibility and work-life balance to their staff. But it has to be clear that remote working arrangements are a privilege, while company-wide security is a shared responsibility—not to mention an essential element of its long-term survival and success. It’s only when security becomes part of an organization’s culture that it can be consistently and effectively enforced.
Winston Stewart, President and CEO