Tensions between IT teams and employees working from home threaten the security of organisations, with attempts to increase or update security for remote working regularly rebuffed in the name of business continuity.
HP CISO Joanna Burkey believes security leaders must address these frictions to secure the future of the hybrid workplace. Speaking to CSO, she reflects on her experience with such issues and offers best practices for dealing with them.
IT conflicts create remote working cyber security risks
A new HP report, Rebellions & Rejections, combines data from a global YouGov online survey of 8,443 office workers who shifted to working from home due to the COVID-19 pandemic, and a global survey of 1,100 IT decision makers.
It revealed that almost all (91 per cent) IT teams have felt pressure to compromise security for business continuity as remote and hybrid working has taken hold, while 76 per cent believe security has taken a back seat during the pandemic. As a result, 83 per cent of IT teams say the increase in home workers has created a “ticking time bomb” for a corporate network breach.
“This new report shows that while cyber attacks have become more sophisticated, the workforce has become less compliant, thus making it harder to defend the business,” Burkey says.
Other findings from the report further bear this out, particularly among younger workers. More than half of remote-working 18- to 24-year-olds are more concerned with meeting deadlines than exposing the business to a data breach, with almost a third admitting to trying to bypass corporate security policies to get their work done.
Exacerbating matters are frictions between IT teams and the wider workforce regarding efforts to improve the security of remote working. As many as 80 per cent of IT teams admitted to experiencing pushback from users who do not like controls being put on them at home, with 67 per cent facing weekly complaints about this issue.
Setting and enforcing corporate policies around cyber security is now impossible as the lines between personal and professional lives are so blurred, say 83 per cent of IT teams. Perhaps most damningly, 80 per cent of IT teams consider ensuring security a thankless task, with 69 per cent burdened with feeling like the “bad guys” for trying to impose restrictions.
CISOs must address IT tensions to secure remote working
Burkey says it falls to security leaders to address the tensions between IT teams and remote workers to secure the future of remote and hybrid working.
“It’s vital that any tension is addressed as otherwise it’s another chink in the armor, making you more vulnerable to attack. Security leaders play a key role in addressing tensions and making security something everyone can buy into, not just something they are told to do.”
She admits that, given the difficulty and uncertainty when working alone from home, it’s understandable that security can feel frustrating for users and that IT teams can seem like the bad guys, or that compromises must be made. However, CISOs must reassess security approaches, providing teams and employees with the best security and support for the hybrid workplace.
“That means that what worked before might no longer,” Burkey says. “I believe that the organisations that best adapt to change instead of fighting the inevitable will come out on top, but this process isn’t painless, and will need strong leadership and communication to succeed.”
Driving change to address tensions requires a more collaborative approach to security culture, one that sees security teams listening more to end users and understanding how policies and security technologies can impact workflows and productivity.
“Building these bridges will help spread the burden of security, with end-users taking on more accountability,” says Burkey. To build those bridges, she suggests:
- Open lines of communication with end users to help inform policy decisions.
- Make adjustments such as providing the rationale behind a security decision or seeking user input before deploying new policies. “[This] can change hearts and minds.”
- Seek out new levels of endpoint protection that offer advanced remote management while being as unobtrusive as possible to avoid end-users trying to circumvent it.
“By building collaborative security partnerships across the workforce, cyber security will start to become a cultural cornerstone,” says Burkey. If CISOs fail to turn such strained relationships between security teams and employees into partnerships that drive success, then friction and risk will only escalate, she says.
“IT teams are facing an increasing level of threat from ransomware, firmware attacks against PCs and printers, and exploited vulnerabilities now people are working from home, so it’s no wonder 83 per cent [of IT teams] believe this has created a ticking time bomb for a breach.”