Remote Work Brings a Significant Challenge to Cybersecurity

During the Covid-19 pandemic, businesses around the world switched from a congregated, in-person model to a hybrid or entirely remote model to ensure they could keep working and move the economy along, rather than letting it fall entirely stagnant. The Mobile Security Index 2022 makes challenging reading for those businesses – especially if they’re also concerned about the cybersecurity profile of their enterprise.

There are a handful of headlines from the Index, and not one of them is encouraging for businesses that went hybrid or remote to avoid spreading the virus and endangering life, as it seems evident that there’s a cybersecurity price to pay for that workplace flexibility.

• Major cybersecurity attacks are on the rise, with 45% of the companies surveyed suffering a cybersecurity compromise in the past 12 months.
• That’s an increase of 22% in just one year of emergence from the pandemic.
• A full 79% of respondents said the shift to hybrid or remote working had negatively affected their organization’s cybersecurity. That means if your organization hasn’t been negatively affected by remote working, you’re in a very significant one-fifth minority.
• Importantly, 52% of respondents reported that when choosing between cybersecurity on their mobile devices and the urgency of deadlines and the need to get the job done, they had chosen to prioritize urgency over cybersecurity. That indicates a human trend that can be replicated in any pressurized work environment anywhere, irrespective of how good the company’s cybersecurity protocols may be. If remote working staff have the option to adhere to those protocols or not, and are then put under deadline pressure, more than half the time they will leave systems open to infiltration in the urge to get their daily work done.
• That statistic is made even more depressing when 85% of companies report having budget dedicated to ensuring mobile security. None of which matters if 52% of the time, remote workers will prioritize urgency over cybersecurity.

Open House

There’s a certain unavoidable logic to the statistics. Any cybersecurity strategy depends on access control to devices that are connected to the central system. A remote laptop, tablet, or even smartphone is a potential access point, and so should be subject to strict rules on its use, its connectivity, and the network it uses to access central systems. The Index reports 85% of surveyed companies allowing connection through home Wi-Fi and cellular networks or hotspots. What’s more, 68% allow (or have no policy against the use of) public wi-fi to access company systems from remote devices. The only thing missing from that scenario is the sign saying “Our company welcomes careful hackers.”

It is to be hoped that the Index will act as a wake-up call to corporate culture, since the number of companies suffering a cybersecurity attack in the previous year have practically doubled in the last twelve months, as remote working continues to be a thing, but domestic lockdowns have eased, meaning remote working can more frequently be carried out in public spaced. That has to tell companies something about the way remote working is currently working, and what needs to happen to make it safer.

Deadlines Vs. Security

There’s some evidence the lesson may be learned – 64% of respondents said that public awareness of cybersecurity risks will increase in the future. In particular though, that has to match up with the statistics on the number of remote workers who, when choosing between urgency and cybersecurity, take the easier route for the sake of getting the job done. A tweak to corporate culture, which rewards, rather than penalizes, staff who take the time and care to maintain the cybersecurity framework of the organization rather than buckling under deadline pressure, is indicated – and it’s likely that companies who make the importance of cybersecurity clear to their remote staff, irrespective of deadline pressure, may well see a positive reduction in the number of cybersecurity attacks they encounter next year.

The Index is not just a litany of doom and cybergloom, though. As well as sounding the alarm for companies to get their remote working house in order, it provides advice on how to safeguard against cyber-attacks.

Establishing a “zero trust network access” (ZTNA) model and a secure access service edge (SASE) architecture, designed for a mobile-first and cloud-first world, will help to reduce the vulnerability of a company’s systems to cyber-attack from the devices of remote workers, it says. That should help reduce the incidences of mobile security compromise.

Gratifyingly, only 23% of companies surveyed said they’d encountered this kind of cyber-attack in the last year – but of those who had, 74% said the impact was major, and 34% said the attack had had long-lasting repercussions, so it’s a gateway worth shutting down for most companies, besides being good practice for all companies with a remote or hybrid workforce going forward.

That’s especially true given that 70% of companies said they expected increased mobile use would be vital to their continued relevance to consumers.

The Mobile Security Index 2022 both sounds a warning bell to companies that did not foresee the cybersecurity weaknesses inherent in a mass shift to hybrid or remote working, and gives reasonable, practical advice to those companies for action to take (both technological and in terms of training remote staff not to compromise the company’s cybersecurity for the sake of deadlines) within the next 12 months. How successful it is in these objectives will be revealed in the 2023 edition of the MSI.