Working from home: insider threat?

Working from home – the new insider threat?

Working from home can bring increased risks of the insider threat. Here, we explore how to analyse the increased risks and mitigate them, without alienating staff and undermining the great benefits working from home can bring.

In April 2020, the UK Office for National Statistics reported that nearly 50% of adults in employment were working from home – the link to the COVID-19 pandemic and the related social distancing and lock-down measures are obvious.

But interestingly data trends have been showing that since 2012 the request for flexi-time and remote working has steadily been on the increase. COVID-19 has inevitably speeded up what was a slow burning trend – but businesses have had ample time to consider both the benefits and potential security risks that more flexible working brings with it. Have they focused on the former more than the latter?

Businesses that have allowed flexi-time and remote working have reported increased benefits including office costs being reduced, staff retention increased with better staff morale and productivity and the ability to attract a wider talent pool. But they have often cherry-picked the roles that suit this type of working. COVID-19 has forced many businesses to move their entire enterprise to remote working because they are unable to meet COVID-19 regulations. Are they ready to meet these new challenges?

It is certainly time to dust off the security risk register and apply a COVID-19 lens to the contents:

•  What does the new normal for your business look like?

•  What risks have changed and why?

•  Do you have confidence that the measures you have in place are effective?

Nearly a year into this pandemic reviewing the security risk register should be a regular occurrence – how long did you plan for new security measures to be in place 3/6/9 months with the expectation that we would all be back in the office by 2021?

However, it’s not just about reviewing the security risks – it’s about understanding how the business has changed – what opportunities it has been able to take advantage of, and whether your security risks are helping to enable and support the CEO’s direction of travel.

What of the staff?

Working from home does not suit everybody – many are operating out of spare bedrooms, perched in hastily constructed desks in hallways or fighting for bandwidth in shared accommodation whilst juggling home-schooling or carer duties. Twelve months in and we can see that our staff are tired. The use of Zoom/Teams and Google hangouts is no longer a novelty as we now move from meeting to meeting as everybody knows that we will be at our desks.

Our staff are becoming isolated, despondent and bunny-hopping from one lockdown to another. They feel frustrated – and that can lead to bypassing security procedures to get a job done because they no longer see security as important, and competing business pressures are taking priority. The potential for insider risks within our business is as they say a clear and present danger.

This now more than ever is when we as security professionals need to work with our key business stakeholders – particularly our HR colleagues who hold responsibility for people management. Our line managers are the first line of defence in insider risks – knowing their staff, spotting when something has changed and then dealing with it and recording it.

HR (including welfare teams) need to know which roles have additional risks as a result of home working, security teams can help by knowing what critical assets the business holds and what roles within the business  have access to them and what the potential insider risks look like so that HR can involve security teams in high-risk areas.

Line managers need to know why, how and what to report, security can help by working with HR and Comms teams to develop appropriate awareness campaigns – or using some of the many excellent products developed by CPNI (Centre for the Protection of National Infrastructure) that are on their website.

Training teams might need to re-focus on developing on-line learning that emphasises the importance of following security and how it is there to keep the business and staff safe. Security can help by evidencing the security risks to show the consequences to staff and encourage buy-in and good security behaviours.

Managing our people risks during the pandemic should be seen as a priority – our staff are essential assets. We should see this as an opportunity for security teams to strengthen their key stakeholder relationships and work in tactical partnership with core business departments to manage the insider risk. The benefits of doing this mean that when life does return to normal your stakeholders can see the tangible benefits that security has brought to the business.

Sarah Austerberry

Director

Au Security Consulting and the Security Institute