The sudden and forced migration of staff from office working to home working caused by the COVID pandemic is often touted as a success. This is true. It was a logistical success. But the cybersecurity ramifications are only just unfolding; and they need to be tackled.
The cyberthreat to working from home is well understood. Security teams are suddenly faced with hundreds and often thousands of new endpoints that are beyond the protection of the office system, and outside the reach of their visibility.
While there are technological answers to this problem, new research from HP Wolf Security indicates that implementing those solutions may suffer from the resurgence of an old problem: user resistance. By combining the results from two separate surveys and research from KuppingerCole, HP Wolf Security concludes that securing work from home suffers from friction between staff and security teams, and security teams and senior management.
The two surveys were an online YouGov survey of 8,443 adults in the US, the UK, Mexico, Germany, Australia, Canada, and Japan who used to be office workers but now work from home or in a hybrid environment; and a Toluna survey of 1,100 IT decision makers in the UK, the US, Canada, Mexico, Germany, Australia, and Japan. The KuppingerCole research was conducted in March 2021 analyzing the changing landscape evolving through 2020. It looked at both the business practices and the activities of malicious actors responding to this changing context. For example, it cited an EU study that found 40% of home workers had experienced security issues during 2020.
The surveys show a return of the user friction and resistance to security controls that existed in the office 20 to 25 years ago and are now translated to the home. For example, nearly half (48%) of workers believe that security policies are a hindrance that results in a lot of wasted time. And nearly a third of workers in the 18 to 24 age range have tried to circumvent these controls.
For these reasons alone, security teams are waiting for an inevitable breach. “Eighty-three percent of IT teams surveyed,” says the HP Wolf Security report titled Rebellions and Rejections (PDF), “believed home working has become a ‘ticking time bomb’ that might lead to a corporate network breach.”
But the problem isn’t limited to rebellious home workers. The security teams are feeling pressure from both sides– from both workers and senior management. The business needed to sanction the move to home or hybrid working to protect the business during the worst economic crisis that has hit for many years. Senior management’s priority has, and still is, business continuity above all else.
Seventy-six percent of the IT teams surveyed claim that security has taken a back seat to continuity during the pandemic – and a colossal 91% have felt pressure to compromise security for this end. The same number have done what they can by updating policies to account for home working, but this just results in problems with the users. Eighty percent of the IT teams surveyed have experienced pushback from users and feel that IT security has become a thankless task, while 69% say they have been made to feel like the bad guys of the situation.
This is a perilous situation. With rising malicious activity against home workers, with home workers disgruntled with and bypassing security policies, with a senior management prioritizing continuity over security, and an unhappy and pressured security team caught in the middle, there is no happy outcome. And, as usual, it falls on the CISO to find a solution. Yes, there are technology solutions that can increase visibility into computers used at home, and improve the security of them – if senior management sanctions or provides budget for them. But that alone will not change the underlying failure in the relationship between security and users.
In recent years, CISOs have been exhorted to improve their communication skills with the board. This is still necessary, but now they must do an about-face and communicate with the user as well (something that has not been so important for well over a decade now). But communicating with and educating a remote workforce cannot be done in the same way as it has been done in the office. CISOs will have to design a new message and use new technology to deliver it.
Something like Zoom could be used to deliver visually-aided training messages to groups of staff – and the CISO should perhaps recruit the skills of the company’s professional story-tellers – the marketing department– to help craft the most compelling presentations.
Ongoing discussions with staff at home could be held via products like Slack. This could even herald the return of the ‘security champion’ where individuals could raise questions or problems with a fellow member of staff in the ‘safety’ of a closed group.
But, however the problem is solved, it must be tackled. Left untended, it could get worse. Overstressed security teams might leave, and ‘rebellious’ users could find new and more dangerous ways to bypass security controls. This will inevitably lead to more breaches.
HP’s own CISO, Joanna Burkey, is not entirely discouraged. “This is just another evolutionary step in cybersecurity. It’s not the first and it won’t be the last,” she told SecurityWeek. “If we can unite around why we’re doing what we’re doing, and we can have an open dialogue, iteratively and constantly with the user, then we can make it work. We must explain why we are doing something. When we engage rather than just deliver mandates that must be obeyed, we can get really good cooperation from the user.”