Best behaviour: How to do hybrid working securely
This article was first published in Global Banking and Finance Review
Staff are returning to the office and it looks like hybrid working is the new normal
Almost 18 months since the start of the Coronavirus pandemic, many organisations are now beginning to return their people to the office in some capacity. However, the need to maintain a level of social distancing, coupled with the recognition that office space is costly and not always essential, has meant that thinking has moved on.
Many organisations have revisited their office footprint and as a result, hybrid working (splitting time between office and home) is fast becoming the new normal. Employers want the efficiency that it offers whilst employees are keen to retain the flexibility that they have grown accustomed to. A recent survey of 30,000 staff at Microsoft supports this, with 73% saying that they want flexible remote working options to stay.
We’ve picked up some bad cyber security habits whilst working from home
The problem is that we’ve picked up some bad security habits whilst working from home, and these expose organisations to heightened risk if they continue into hybrid working practices.
The shift from office to home working was sudden. Many of us were faced with genuine challenges around how to make the model work, against the backdrop of a global pandemic that grew far faster than most of us were expecting. We faced pressing personal challenges like how we supported our kids’ learning whilst their schools were shut, or how elderly relatives got their groceries. Cyber security just wasn’t high enough on the agenda, and because of that, it suffered.
Laptops were left unlocked a little longer than they should have been. Response rates to phishing emails went up as we absent-mindedly followed interesting-sounding links from email addresses that we didn’t recognise. Corporate laptops started being used by family members sharing the same Amazon Prime account. A recent research survey of workers in the UK and Germany, conducted by AT&T, found that 54% of employees are using corporate devices for personal reasons, with many admitting to connecting to anything from smart TVs to fitness equipment.
Part of this behavioural change is linked to changing perceptions around work, and how we view the rules associated with it, when there isn’t that defined spatial separation between work and home. As we move further away from the closed corporate office environment, we feel less of a desire to comply with the rule sets that are associated with it. Put simply, the difference between working from the office and working from home is that we relax a little. From a cyber security perspective, this is risky.
Overlaying this change in behaviour with the fact that hybrid working is harder to secure (e.g. more locations, more devices and more varied working patterns) means a significant increase in cyber-attack risk. If we don’t address that change and correct it, that risk will persist.
We need to build on the things we have learned and raise our game
A lot of good has come from the changes to ways of working we have seen since the pandemic hit. Collaborative technology platforms like Teams or Zoom have massively increased the ability for remote colleagues to engage creatively, and we have all learned to be more flexible and supportive in how we work with each other.
We need to carry those things forward into the hybrid working world, but we need to do that on sound security foundations.
We need to remind ourselves of the commitments that we made when we signed up. That means dusting off IT policies that cover things like personal versus professional laptop use, and the security precautions that we need to take. If you can’t remember whether visiting home shopping sites or emailing friends is allowed, now is probably a good time to check with your technology or HR departments on authorised usage. If you are sharing the same password across multiple accounts, now would be a good time to stop.
Thinking about hybrid working, and what that means, is important too. Look at the relationship between personal devices (your phone, your computer or even your smart speaker) and data belonging to the organisation you work for, because in the main it is best if they are kept separate. If you aren’t used to taking your laptop home with you, think about how safe your personal bag is if it is ever left alone, and treat your work equipment with the same level of care. Try to avoid the temptation of emailing work to your Gmail account too, no matter how much you prefer your home PC.
Consider also where your information might be vulnerable and how an attacker might take advantage. The volume of phishing emails that purported to be from corporate helpdesks increased massively at the start of the pandemic, as attackers took advantage of the fact that end users were coming to grips with their new working arrangements and looking for help. Think carefully when an external email lands in your inbox. Has it been structured to arouse your attention or provoke fear or sympathy? Pause for a moment and reflect. Is the author trying to get you to do something you probably shouldn’t? Many of the phishing emails that are sent contain obvious spelling mistakes and grammatical errors, but they are getting better and we need to be ready for them.
Hybrid working is here, and it is here to stay. As we make the transition from home to hybrid, we should set ourselves up to take advantage of every opportunity that it offers, whilst at the same time ensuring that we do so safely.