Across all industries, remote and hybrid working have quickly established themselves as key pillars of a positive employee experience for existing staff, and as an effective means of widening the available talent pool for employers. When work isn’t tied to a single, physical office, businesses can cast a recruitment net beyond a specific geography.
However, remote working by its nature increases an organization’s cyber-risk profile and can significantly grow its attack surface unless it’s backed by the right security protocols and best practices.
Within the Business Process Outsourcing (BPO) industry, remote and hybrid working are well-established operations. A floating secure network of remote agents has been a key element of effective resource deployment and effective customer experience delivery for many years. And, as the war for talent intensifies, organizations within our industry that are yet to develop a robust, scalable work-from-home approach risk being left behind.
But beyond BPO, many businesses are yet to achieve this level of maturity. In 2023, an organization faced average costs of $4.45 million following a security breach. However, that average cost increased to $4.65 million for organizations where remote working was a factor in the breach.
In many cases, the increased vulnerability is due to maturity. A huge number of organizations only developed their initial approach to remote working in 2020 at the height of a global health emergency, meaning that they’re still identifying or addressing vulnerabilities and moving towards best practices.
We need to remember that even at the beginning of 2020, working from home was the exception rather than the rule. Four years ago, just 12% of U.S. full-time employees officially worked off-site more than once a month and 3% worked from home more than once a week.
Today, that exception is an expectation shared by most existing and potential employees. The flexibility of a remote or hybrid working arrangement is a critical point of differentiation when it comes to attracting or retaining talent.
And this is why, rather than reduce risks by ending any remote working arrangements, organizations are working on improving existing security. In every year since 2021, the difference in average cost between breaches where remote working was, or was not, a factor has shrunk. In 2023, the difference was $173,000, whereas in 2022 it was $640,000.
The steps needed to close this gap faster will differ from business to business and industry to industry and will be further dictated in part by the territories in which operations take place and the types of tasks being undertaken off-site.
However, based on our own experience, there are actions all businesses can take to mitigate much of the risk associated with remote work, starting with having a clear and clearly communicated work-from-home policy that covers procedures and offers guidance on topics including the accessing, handling and disposing of business or personal data.
The employee-facing aspect of any policy or approach should enforce the use of strong passwords and multifactor authentication, have account timeouts and lockouts in place, and eliminate remote access to Windows administrative tools.
Work from home security checklist
1. Training
Have all employees permitted to work remotely undergone cybersecurity training? Can they demonstrate that they understand how to use tools and applications and follow processes that enhance security, and that they know the steps to take for reporting an incident?
2. Access
How are employees going to connect to the organization’s network, and which devices are they using to do so? Clearly, a VPN is the best way to create a secure, remote connection, but only if it is correctly configured and up to date. How will your organization ensure this? Likewise, with devices, are employees using their own computers or equipment provided by the organization and, therefore, correctly set up?
3. Collaboration
Are virtual collaboration, communication and productivity tools secure, and do they provide end-to-end encryption? Are employees barred from using other applications or software, such as personal email addresses and messaging services, to reduce the risk of transferring or sharing sensitive data outside of the organization’s network?
4. Backup
How is data being stored and protected, and how is information on employee devices being backed up and kept secure? Cloud storage can be an ideal solution to keeping documents and data safe, but how is that solution configured and protected and how is access controlled?
5. Protection
How are you managing employee authentication? Are passwords strong, regularly updated and supported by multifactor or hard token authentication? Are devices running up-to-date anti-virus software and are access privileges adequately controlled?
Reducing risk can start with something as simple as a checklist, but for security to be a sustainable aspect of your business — whether your people are working on- or off-site — it needs to be embedded in the wider business culture. The most effective means of mitigating cyber risk is through individual and collective responsibility for keeping the organization safe.