With many companies turning to large-scale remote workforces for the foreseeable future, employers have less oversight into how employees are using their time on a day-to-day basis. As a result, company insiders — such as employees, contractors, vendors, and suppliers — pose a greater threat to cybersecurity than in the pre-pandemic workplace.
In recent years, companies have seen a rise in security incidents caused by insiders, whether malicious or accidental. That threat may increase further in remote work environments where employers have reduced visibility over their employees’ online activity and the information they are accessing.
While remote work has many benefits for both employers and employees, it also increases the risk of cybersecurity threats from employee negligence and malicious insiders. Among other things, employees working remotely may be more easily distracted, more likely to use their computer for personal activities, and less likely to follow their employer’s information security policies.
Insider threats in the remote workplace
Some of the most notable risks that remote workers pose to a company’s information security include the following:
Malicious insiders — Threats from bad actors within a company are generally harder to detect and prevent in a remote work environment due to the company’s reduced ability to limit access and detect unusual activity. Common motivators typically include financial gain, espionage for an outside party, and grudges held by disgruntled employees. Some companies might see increased malicious activity, as employees who are asked to accept reduced hours, lower compensation, or reduced promotion opportunities may become resentful.
Failure to follow safe computing practices — Employees may be less likely to practice safe computing when working outside the office. For example, they may leave their computer in unlocked rooms or vehicles, fail to lock the screen with a password when stepping away, neglect to update the computer’s software, allow family members to use their work computer, or transfer company data to a personal device. The stresses of work coupled with the pandemic and juggling childcare and family responsibilities may also lead to an increase in mistakes when teleworking, such as sending emails to the wrong recipient.
Failure to detect phishing scams and malware — The distractions of a remote work environment may increase the risk of employees inadvertently clicking on a phishing link, sending confidential information to a social engineer, or downloading malicious software, such as ransomware.
Failure to use a secure network connection — Telework presents a higher risk of employees using public Wi-Fi, which is unsecured and poses a significant security threat to a company’s confidential information. Additionally, most home networks are less secure than networks used in the office, especially if remote employees are using their personal devices for work.
Companies can take preventive measures to guard against the enhanced threat that employees pose to cybersecurity when working remotely. If companies haven’t done so already, they should adopt and implement a comprehensive telework policy that guides employees in how to secure their home network and protect company data. The policy should, at a minimum, cover: i) the technical requirements for accessing data, such as use of a virtual private network (VPN) or multi-factor authentication; ii) guidelines for acceptable use of company assets and data; and iii) guidelines for accessing and transmitting data with mobile devices.
Companies should also train their remote workforce on cyber-threats and how to prevent data theft and loss. By ensuring employees are aware of common cyberattacks and how to safely access, use, transfer, and store confidential information while teleworking, companies may reduce the number of data breaches that result from employee negligence.
In addition to effective policies and training, companies must be proactive in implementing internal controls that monitor employee activity on the company’s network and restrict user access to confidential information. Employees should only have access to information necessary to do their jobs. Likewise, employers should have tools in place to alert them to unusual activity, such as information leaving the company’s network or an employee accessing confidential information not relevant to their job duties. Employers should regularly review the data access rights of all employees and terminate any access to accounts or data that is no longer needed.
With the pandemic continuing into the foreseeable future, it is important for employers to safeguard company data against the risks of a remote workforce. In addition to the steps outlined above, companies should contact legal and data-security experts to ensure they have the proper policies and protocols in place to combat potential cyber-threats and respond to any data breaches or security incidents.