Even though borderless working isn’t a new concept, Australians have never worked remotely in such vast numbers and for such a prolonged period.
According to the Australian government, 3.2 million people worked remotely in 2020, and 9 in 10 businesses invested in new platforms or solutions to support this.¹
And while this new way of working has given employees unprecedented levels of flexibility and work-life balance, it’s also exposed businesses to some fairly significant risks.
Did you know, for instance, that 69% of businesses said that they experienced an increase of 25% or more in cyber-threats or alerts once they’d shifted to borderless working?² Or that close to half of all workers actually cite ‘not being watched by IT’ as a reason for not following safe data practices?³
In fact, a staggering 52% of employees even say they believe they can get away with riskier behaviour when working from home.⁴
Importantly, this employee behaviour doesn’t just compromise a business’ security. It can also affect its governance and compliance, and if a breach occurs, have a lasting impact in terms of the business’s reputation and ability to operate.
Why can borderless working be risky?
For many organisations, the forced, and in some cases, somewhat uncontrolled push to work has meant that traditional security controls are not as relevant or adding the same value that they once did.
Traditionally, employees worked behind corporate firewalls, predominantly on laptops or desktops governed by corporate security policies and closely monitored by internal IT teams. Now, people are connecting to the corporate network with all kinds of devices, via home wi-fi and potentially insecure internet connections if they’re spending more time out of the office. This situation has exposed all kinds of security gaps that can be exploited by cybercriminals and which can compromise an organisation’s adherence to relevant compliance or governance requirements.
As the statistics that I mentioned earlier indicate, there’s also plenty of evidence to suggest that employees have a different attitude towards security when they are working from home. When physically removed from the reminders of their workplace responsibilities, employees are more likely to take risks (e.g. downloading certain applications or opening or forwarding suspect emails), than they would be if they were in the office.
While employees may feel more relaxed and cavalier when it comes to using workplace technology in their home environment, the risks for business owners can increase significantly.
How can you mitigate risk with your borderless workforce?
Focus on Identity-Based Security
Perhaps the single most important step that a business should consider is to increase identity-based security controls, rather than relying on a traditional network-centric model. Now that people are working from home as a matter of course, as well as carrying business data on phones and other portable devices, relying upon perimeter-based security is no longer viable. Network and IT teams can no longer assume a connection is safe simply because of where it came from or because the username and password were correct. Instead, we need to move to a model where we essentially put a ‘virtual firewall’ around individual users and their devices – where we authenticate each connection and transaction. Rather than allowing or blocking IP addresses and ports, we need to establish (validated) trust in people, processes and discrete systems.
Provide Training & Support
Businesses need to focus on educating their employees around data security behaviours and on providing the right levels of support so that if there is an issue, it can be managed effectively and quickly. Security needs to be part of the modern business culture, and everyone needs to take an active role in understanding and assessing the immediate risks and acting appropriately.
Upgrade Your Systems
Relying on dated systems can also be a problem when it comes to security, especially if the devices aren’t properly patched or maintained. During the pandemic, our team provided hundreds of new devices to businesses wanting to employees a borderless work solution. Every device was deployed with an automated and secure standard operating system (SOE) which can be easily maintained and updated remotely.
From a specific technology point of view, all businesses – regardless of their size – should be adopting multi-factor authentication. It is now very straightforward, relatively inexpensive and easy for people to use while offering an essential level of protection.
When COVID-19 hit, for instance, every employee here at Brennan IT already had multi-factor authentication enabled on their account. This meant we could all very easily switch to working from home, without any security risks and without any productivity downtime.
Have A Dedicated Security Person or Team
Traditionally, security has fallen into the domain of the IT team, which is typically tasked with implementing precautions and then addressing any breaches. Today, however, there’s a strong case for hiring a dedicated security resource, or an entire team in a larger business, as well as considering the outsourcing of security management to an expert provider.
Implement Both Defensive (Reactive) and Offensive (Proactive) Security
The security threat landscape is constantly changing, and organisations should deploy a combination of proactive and reactive security measures.
Proactive security is based on the old adage that prevention is better than the cure, and focuses on ensuring problems don’t happen, rather than detecting and reacting to them. This may include measures such as security awareness training, network and application penetration testing, red-team engagements, and modern monitoring platforms which can pick-up early indicators of a threat. These are all effective ways to lessen the chance of a security incident occurring by identifying and closing gaps before they’re exploited.
Defensive measures are an equally important consideration. These are the more traditional security controls like firewalls, log management and anti-malware solutions.
Along with a well-structured, communicated, and understood security incident response plan, these defensive measures can help an organisation react to a security incident when it almost inevitably occurs. This could be as simple as a misdirected email that needs management and communication, a phishing attack that results in a ransomware incident, or a full-blown breach with loss of commercially sensitive data.
Of course, to truly safeguard a remote workforce against security breaches, businesses should consider working towards implementing a strategic security plan. For example, The Essential Eight framework is widely recommended and adopted by many Australian businesses. The Essential Eight is a set of security recommendations published by the Australian Cyber Security Centre (ACSC) and is essentially a combination of technical and administrative controls – all of which are designed to work together to protect organisations from cyber attack. You can read more about our Essential Eight offering here.
If you want to learn more about how you can ensure optimal cybersecurity in your business, don’t hesitate to get in touch.
¹ Australian Government, Infrastructure Australia, [online]
² Security Centric, Secure Remote Work blog, [online]
³ HelpNetSecurity, Abandoning security when working remotely, 2020, [online]
⁴ HelpNetSecurity, Abandoning security when working remotely, 2020, [online]