Briefing: Cybersecurity – BSI urges caution over hybrid working

As Cybersecurity Awareness Month continues, the importance of having secure IT systems and effective cybersecurity practices in place for organisations developing a hybrid working programme is thrown into sharp relief. In this briefing, standards body BSI discusses the cybersecurity concerns employers need to consider in moving towards hybrid working.  

Over the past 18 months, many have wondered what the next normal would look like once organisations began allowing employees to return to the office in the post-pandemic era. However, as many societies have successfully begun to manage the spread of COVID-19, it has become the case that where an employee spends their working hours can largely depend on the approach preferred by their employer. For example, tech and telecoms companies have unsurprisingly been found to be more in favour of remote or hybrid working than their counterparts in more traditional sectors such as financial services. Employees are now even beginning to leave their jobs to find an employer willing to allow them to adopt a more flexible approach to working. This trend of wide swathes of the workforce leaving for other opportunities has been dubbed the “Great Resignation” and is becoming more prevalent in countries across the globe. In fact, a recent survey found that over a third of respondents would quit their job if forced to work from an office full-time again.

While remote or hybrid working allows for a better work-life balance and increased productivity levels in many cases, it also adds to the risks and vulnerabilities that organisations must consider when designing and adapting their cybersecurity measures. Hybrid working has made IT systems and networks even more challenging to secure. For example, in a recent survey conducted by Exonar, over a third (36%) of homeworkers admitted to downloading unapproved software onto computers to communicate with colleagues during homeworking. This, combined with the added difficulty of understanding global data governance and compliance laws, has substantially increased the number of opportunities for network breaches and security infringements to occur. In fact, less than half (39%) of those working from home claim to have a high level of understanding of their company’s data protection policies. This is especially worrying given that data breaches can result in hefty fines – up to 4% of annual turnover under the UK’s GDPR.

Even if employees spend only half of their working hours in their home offices moving forward, it presents a situation ripe with serious cybersecurity issues. Organisations adopting such hybrid models should be continuously monitoring and analysing systems for vulnerabilities to ensure that none of a network’s components fall behind on patching and update management. Moreover, if employees are bringing their own devices into the office after using them when working at home, organisations will need to consider the reduced state of security that characterises most home networks and devices. Systems will need to be devised for device testing, and sanitisation procedures should be established before allowing unvetted devices to access a corporate network. As well as testing their devices, organisations should be testing their employees too – phishing attacks remain an easy route into corporate networks, which makes awareness training pivotal in helping employees to spot these attacks and other types of malicious cyber activity that could potentially lead to ransomware attacks, data breaches and system failures within their organisation.

The move to hybrid ways of working is not the only reason organisations now need to adopt more robust cybersecurity strategies. The frequency, severity and sophistication of cyber-attacks have all increased substantially since the beginning of the pandemic. Given today’s cyber threat landscape and the emergence of new technologies, it is imperative that organisations have the correct protocols, policies and procedures in place to keep their information safe, data secure, infrastructure robust and ultimately, make them resilient. BSI is at the cornerstone of shaping such resilience, sharing and embedding best practice for organisations across the globe.

Says Mark Brown, Managing Director, Cybersecurity and Information Resilience at BSI:

“With more than 20 years of expertise in cybersecurity, data privacy and business resilience consultancy, I’ve seen many different ways in which a weak approach to cybersecurity leads to difficulties and disruption, and most of these situations have stemmed from a lack of awareness. The advantages of working from home are just as appreciated by those looking to take advantage of a lack of cybersecurity in personal office environments. Educating the people that make up corporations is ultimately the best course of action and has become so much more important due to these new working models. That’s why we’re increasing what we can offer for organisations that work in this hybrid way, and why introducing and educating through our expansive portfolio of cybersecurity and information resilience services is so crucial.”

The new hybrid working model has many benefits and moving back to a full five-day office-based work environment so soon post-pandemic certainly has its potential pitfalls. But with the right contingencies and fail-safes, new approaches to hybrid ways of working can become a more effective and more secure way of working for organisations looking to the future.