
Jon Fielding at Apricorn asks: Are we too trusting of remote employees?
The age-old mantra is that humans are the weakest link in the security chain but the assumption has always been that this is because of insufficient training or support rather than indifference.
According to the latest findings of the Apricorn annual survey, however, it appears that many of the best efforts being made by employers are being undermined and scuppered by their employees.
The survey of 604 IT and security decision makers from across the UK and the US found trust in employees is dwindling. Most of those questioned (63%) admitted that they fully expect their mobile and remote workers to expose the business to a data breach. It’s a figure that seems justified given that 55% of those in the UK said their remote and mobile workers had knowingly put data at risk (up from 48% the year before) and 43% even went so far as to say that they believed these workers didn’t care about security.
Overconfident
However, there’s also evidence to suggest that employers are placing too much confidence in the abilities of their staff. The vast majority (95%) said their mobile/remote workers were aware of IT security risks and practices and followed the required policies to protect the data they work with at all times.
But in reality, 74% of remote employees in the UK were reported as lacking the skills and technology needed to keep data safe, up from 55% in 2023, even though they were willing to follow the necessary procedures.
The findings indicate a widening chasm between what IT and security leaders believe to be the case and the actual abilities of their employees when it comes to working securely away from the office. And while employees might be guilty of being ambivalent about security, their employers are equally too resigned to this risk.
That’s not to say that they don’t have controls in place. Over half of those questioned (54%) have policies that allow employees to use their own devices remotely and the number requiring software to be installed to control access to systems and data is up by a third compared to 2023.
But such measures appear to be undermined, either deliberately or inadvertently, by employees, with user error in the UK up from 22% in 2023 to 30% in 2024.
Addressing disillusionment on both sides
So, what should organisations be doing to mitigate the risk of remote/mobile employees? Firstly, be realistic. The statistics reveal an erosion of trust in staff but also an inflated belief in their technical capabilities.
This means that while measures may be in place, staff do not feel confident in using them. Consequently, they’re more likely to resort to workarounds when logging on remotely. It therefore pays to take a critical look at which controls and processes are working and which are creating barriers to the userbase.
Investing in comprehensive training programs is also vital for staff to understand the rhyme and reason behind these controls but the business also needs to step up and equip these employees with the necessary technology.
It’s clear that IT and security leaders are aware of the lack of compliance by their staff, but they’re not doing enough to rein in the risk. Assumptions are being made that access controls, for example, are sufficient, when the organisation needs to look at how data is protected in all its states.
Encryption as an enabler
Employees need to be able to securely store data whether at rest or on the move. This might be in the form of removable media such as USBs and hard drives, which offer ease of use, but it’s essential that these automatically encrypt all data written to them so that, if they are misplaced or lost, the data remains unintelligible.
The most secure method is to offer devices with hardware-based encryption, eliminating the need for software to be installed or updated and preventing the possibility of the device succumbing to a brute force or credential stuffing attack. But software-based encryption also has its place, enabling laptops and mobile devices to be protected and encryption to be rolled out company-wide.
Remote and mobile employees have undoubtedly become more lax in their attitude to data security but it’s down to their employers to recognise this fact and address it. If your staff don’t care about the security of your data, that’s down to a failure to communicate the importance of that data and their role in handling it.
Business leaders need to overcome their sense of disillusionment and step up their efforts by providing training and policy enforcement on the one hand and more robust security solutions on the other.
In many respects, it’s not their employees they need to be able to put their trust in, but the mechanisms their workers use which can then keep them on track.
Jon Fielding is Managing Director, EMEA at Apricorn