A recent study, commissioned by Tenable and conducted by Forrester Consulting, has highlighted the risks introduced from employees when working remotely. The data is drawn from ‘Beyond Boundaries: The Future of Cybersecurity in the New World of Work,’ a commissioned study of more than 1,300 security leaders, business executives and remote employees, including 104 respondents in the Kingdom of Saudi Arabia.
When asked how confident security leaders and business executives were that employees were taking adequate measures to protect the organisation’s data 47% said they were very or completely confident. However, speaking with remote employees showed a different picture.
When asked what was important to them, 85% of remote employees said protecting customer data was somewhat or very important. However, 54% of remote employees reported using a personal device to access this information. It’s a similar situation with protecting the organisation’s intellectual property as 68% of remote employees said it was important while 20% will use a personal device to access it. In fact, just 47% of remote employees said they consistently follow measures to protect their organisation’s data, intellectual property and systems when working from home.
Digging deeper, just 11% of remote employees strictly follow their organizations’ mandates restricting access to data and systems via personal devices. Perhaps most worrying is that 34% of employees said they will ignore or circumvent their organisation’s cybersecurity policies, while 21% said one of the challenges they faced is that their organisation’s security policies and practices weren’t clear.
“Employees want the flexibility to work from anywhere. The challenge is how they do that securely,“ explains David Cummins, VP of EMEA at Tenable. “This study confirms what we already suspect — remote employees are connecting to sensitive corporate information from personal devices on insecure consumer-grade home networks, whether they should or not. Security teams need to accept this reality and change their perception of risk. They require visibility of their entire threat landscape, with the intelligence to predict which cyberthreats will have the greatest business impact on the organization. In tandem, they need to implement adaptive user risk profiles in order to continuously monitor and verify every attempt to access corporate data with the ability to decline requests that fail to meet the rules set.”