Are we too trusting of employees?

Remote and hybrid working has exploded since the pandemic, with the Office for National Statistics reporting that in the UK 51% work from home some or all of the time, while only 34% were not able to do so (June 2024). Across Europe, workers now have the right to request to work flexibly, including on a remote basis, although the decision over whether to allow an employee to work remotely still rests with the employer.

Notably, the Work Where You Want amendment to the Flexible Working Act in the Netherlands, which would have provided employees with more rights to work from home, was rejected back in October as it was seen as unnecessary. But we’ve also seen similar plans put forward in the UK which would make flexible working the default from day one under the Employment Rights Bill.

Expectation versus reality

What this means for the security sector is that remote working is here to stay. While many of the measures deployed in haste in 2020 have now been bolstered, there remains the thorny issue of trust. Security policies may be in place outlining acceptable use and connectivity requirements but it’s essentially down to the worker to abide by them and not to seek to circumvent controls. However, recent research suggests that trust is being sorely tested.

The Apricorn annual survey of IT and security decision makers found the majority (63%) expect remote and mobile workers to expose the business to a breach through their actions. It also found that for 55% of the respondents, their workers have knowingly put data at risk, up from 48% the year before, suggesting those fears are well founded. Even more worryingly, 43% in the UK said these workers ‘don’t care about security’, indicating that there is no real sense of personal responsibility or appreciation of the consequences of a negligent approach.

A widening gap

It’s not that these workers aren’t aware of the risks, however, with 95% saying this was the case and that policies are followed with respect to the protection of data. The issue seems to be that they lack the requisite skills and technology. This implies there is a very real gap between the trust businesses have placed in their employees and their ability to live up to those expectations. In fact, organisations may well be letting down their employees in this regard: the proportion who reported they did not feel equipped to comply with security measures, despite being willing to do so, was 55% in 2023 versus 74% in 2024.

In terms of controls, organisations are clearly taking steps to address this gap, however. There’s also widespread recognition that end users want to be able to use their own devices, with 47% of businesses now having an information security policy that covers BYOD for remote working. The survey also found a third more are now controlling access to systems and data by installing software on end user devices.


So how can organisations ensure that employees don’t scupper these efforts through their actions? 

Countering the threat

Investing in comprehensive security awareness training that is specifically geared towards remote working is a must, and this should include guidance on what employees should do if they become frustrated and need help, or suspect they may have breached policy guidelines. But it’s also important that businesses don’t, quite literally, leave employees to their own devices. Where possible, provide employees with removable USBs and hard drives that automatically encrypt the data written to them. This ensures that data is securely stored whether at rest or on the move and remains inaccessible in the event the device is lost or stolen, which will significantly lessen the prospect of employees knowingly putting data at risk.

Looking ahead, there’s still work to be done in ensuring people are able to work from home securely. Improvements have been made in terms of access, but many clearly don’t feel they have the knowledge or support needed to be able to protect corporate data. The trust that’s been placed in them should go both ways, so IT and security team leaders will need to step up, empower those employees and encourage closer cooperation. But if things do go wrong, it also pays to have invested in the right tools to ensure that data is shielded from harm.

Managing Director, EMEA at 

Jon Fielding is the Managing Director of Apricorn in EMEA and has extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on Information Security for the past 26 years, working with a variety of organisations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey, where he worked exclusively in the secure USB market, having established the IronKey office in EMEA 8 years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.
