The Future of Work is Remote: How to Prepare for the Security Challenges

The fourth industrial revolution is here and is changing the way people work in ways that are still hard to believe. On the one hand, organizations are shifting to permanent or hybrid remote work setups since they provide opportunities to trim operating costs and weather an uncertain economic future. On the other hand, organizations are fighting against remote work culture, which they believe adversely impacts their effectiveness. At the same time, many businesses are accelerating investments in artificial intelligence to boost automation, operational efficiency and business productivity.

Let’s explore the potential threats that emerge from the intersection of hybrid working and technology advancements:

AWS Builder Community Hub

Disengagement Discourages Secure Behavior and Lack of Flexibility Inhibits Recruitment and Retention

When embracing hybrid or remote work, the lack of in-person contact among staff may have a less-than-ideal effect on corporate culture. For those “forced back” to the office, disgruntlement will breed resentment. In both cases, disengagement between staff and their employer will have an adverse effect on their attitudes toward the company and, consequently, heighten the risk of insider threats, either by accident, judgment errors or malicious intent.

Businesses that insist on returning to the office, especially for security roles that could be hybrid or fully remote, see higher rates of attrition and longer-term unfilled vacancies. Lack of skilled talent affects staff availability, making burnout of existing staff more likely. This leads to lower security performance by harried workers and raises information security risk across the board.

Digital Nomads Leave a Trail of Vulnerabilities and the Lack of Identity Verification Enables Impostors

The introduction of new and favorable tax rules for remote employees, especially those who fancy traveling the world, encourages them to change their location on a frequent basis. Since they log in to corporate resources from various locations, organizations are never sure what security controls are being used and what security protocols are being followed while transiting through public places such as airports, cafes, parks and other unsecured Wi-Fi locations.

As the organization operates more “virtually,” AI technologies like deep fakes allow cybercriminals to impersonate employees, C-suite executives and business partners, putting the enterprise at an increased risk of security incidents. Furthermore, employees begin to engage AI to circumvent standard security governance practices and automate work tasks, which could undermine the organization in ways similar to shadow IT, with its resultant lack of oversight. This lack of visibility and verification enables impostors to compromise information at will.

Moonlighting Microservice Providers Profit From Conflicts of Interest and the Breakdown in Security Culture Raises Insider Threats

The gig economy is giving rise to new services being offered by the hour by people who work on a freelance basis and do not require background checks. Many of these gig workers are full-time employees who use their spare time and weekends to take on second jobs, sometimes working for competitors, which ends up being a conflict of interest and a direct violation of NDAs, putting all parties at risk.

Employees who are disgruntled may stop respecting security protocols and show a blatant disregard for policies. Combined with high levels of attrition and gaps in critical skills across the business, the threat of a successful attack using an employee as a vector—either through apathetic behavior, being coerced by money or being an assailant themselves—increases significantly.

Over-Reliance on Automation Backfires and Outsourcing Amplifies Supply Chain Risk

New security technology can streamline and bolster defenses but often falls short. Without human interaction and experience, these systems lack the context to make accurate decisions. As a result, they may generate false positives or miss real threats. Security technology is often designed to work with little or no human input, which can lead to problems when the system encounters something it doesn’t understand; for example, a new type of malware or a sophisticated attack. Security systems need to be regularly updated otherwise, they’re at risk of becoming obsolete.

As offices are closed, organizations reduce costs by outsourcing as many essential services and tasks as possible. While this improves flexibility, it also heightens the risk of a major disruption as businesses lose control over key infrastructure without implementing oversight policies.

How Organizations Can Tackle These Risks

Organizations will have to carefully weigh how these new working models affect their security posture and security culture.

● Ensure that data, information and security governance functions are equipped to oversee and deal with change. Keep control frameworks updated, ensuring that security basics are always in place.
● Update security awareness programs to factor in the established working model for the organization (i.e., office, hybrid, or remote). Deploy culture-building exercises for remote staff, such as a combination of frequent on-site and video sessions, to create and maintain a sense of togetherness. Communicate frequently and with relevance.
● Upskill managers to deal effectively with new hybrid work environments that are no longer suited to former ways of working.
● Establish clear protocols on the use of outsourced suppliers and services. Mandate a certain level of assurance and oversight, both pre- and post-contract. Include suppliers in business continuity planning as well.
● Introduce systems and processes for continuous identity verification, such as regular video chats, to confirm whether employees are who they say they are. Use deepfake detection tools to identify impersonators and fake content.
● Apply encryption to all sensitive data on employees’ devices, preferably at the hardware level (e.g., whole disk encryption).
● Take a strategic view of the long-term risks associated with an increasing reliance on AI and automation and how that alters risk. Deploy review processes that routinely assess the accuracy and integrity of the intelligence and data that power AI and drive business decisions.

Technology and workplace transformations must never be done in haste. It’s important to be fully aware of the risks as well as the opportunities that exist. It is also equally important to have a well-thought-out transition plan in place before moving ahead into the unknown because uncertainty is the only thing organizations can be certain of.

Avatar photo

Steve Durbin

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit dedicated to investigating, clarifying and resolving key issues in information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.

steve-durbin has 3 posts and counting.See all posts by steve-durbin