What are the potential security risks for a hybrid workforce? Learn how to ensure hybrid working staff maintain the same level of security as fully office-based staff with this guide from myhrtoolkit CTO Kit Barker.
When thinking about the risks posed by hybrid working, it’s easy to focus on the technology side of the equation. The security of your cloud applications and security of your home workers’ hardware are undoubtedly important, but often the personal and organisational risks can be overlooked.
In this article, I’ll cover a few of the risk vectors that I believe are less well covered but equally important to ensuring your hybrid or remote workforce maintain the same level of cyber and information security as your office-based staff.
Policies and training
Anyone who has read any of my previous posts is likely to know that I do love a good policy! With any change in working patterns, it’s important to check your policies are still applicable and cover new processes. This is much more than just a box-ticking or bureaucratic exercise. A good policy is key to letting people know what behaviour is expected and, done well, policies are useful training tools.
For example, your policy on destruction of confidential waste may say: “After use, all printed documents should be placed in the confidential waste disposal.”
How does that work if people are working remotely? If people are printing documents at home and then bringing them into the office, how are your risks increased? Reviewing and updating your policies and, more importantly, communicating these changes to your staff is vital.
When staff are remote, monitoring adherence to policies and best practice is much harder. A quick walk around the office will show who is leaving printed documents unattended on their desk, or leaving their computer unlocked when they leave their desk. Doing this with remote workers is very tough. You therefore need to ensure your employees receive sufficient training and support to follow the behaviour you expect of them.
Well-trained staff are a key element in creating a security culture in your organisation.
Home working environment
When the first UK lockdown came into force, we sent staff home and they did the best they could to create a suitable home working environment. This was a business continuity event and while we made significant effort to ensure all our staff had all the equipment they needed to set up a home office, the constraints meant that some people still ended up working for a while on a kitchen table or from a laptop on the sofa.
A year and a half later, this is not business continuity but business as usual. Ensuring your employees have a suitable home working environment is important. But what is a “suitable” working environment? The details will vary depending on the role but generally people will need:
- An ergonomic and comfortable full-sized workstation – as an employer, you still have a responsibility to ensure the health and safety of your workforce. Allowing people to work from a laptop on the sofa long-term is likely to lead to health issues.
- A space away from distractions – this includes other family members, as well as the TV!
- A secure and stable internet connection – ideally on a separate virtual network to the household.
You might be asking why the working environment is important to security, rather than just health and safety. If your employees are distracted, they’re not concentrating fully on the work task at hand. Just like when people rush, distracted people make more mistakes.
Wellbeing and mental health
We’re all aware that COVID-19 has taken a serious toll on the mental health of the entire nation and there are many ways in which this impacts security.
As with any other type of stress, people struggling with the mental health impact of COVID-19 are more vulnerable to a variety of security attacks, such as social engineering and phishing. It might be that returning to some office working causes extreme anxiety for some people; or perhaps working from home blurs the boundaries between home and work and people feel like they’re always at work.
Whatever the causes, it is important that you take extra steps to support employees and their mental health during this time. This might include:
- Formally communicating to staff that they are not expected to work or be contactable outside their working hours (helping curb the risks associated with overworking)
- Training managers to notice the early signs of anxiety and stress in their team
- Encouraging a supportive and nurturing, psychologically safe culture in which people feel able to highlight struggles or concerns
Further resources on hybrid working and security
There are a lot of excellent resources online about the various aspects of hybrid or remote working but here are a couple of noteworthy examples:
- How to manage hybrid working requests from our blog
- Planning for hybrid working from the CIPD
- Home working: preparing your organisation and staff from the National Cyber Security Centre (NCSC)
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.