While organizations may have struggled initially to get their employees set-up to work securely outside of their normal office environment, by now, most have introduced new software, policies, and procedures to accommodate their new distributed teams.
Problem solved, right? Not quite. While 91% of IT leaders trust their employees to follow security best practice while out of the office, almost half (48%) of employees say they’re less likely to follow safe data practices when working remotely and a further 52% say they feel as though they can get away with riskier behavior when working from home.
In our latest research report, The State of Data Loss Prevention 2020, we explore the reasons why.
Key findings include:
Read on to learn why this matters and what you can do to promote safer security practices in your organization.
84% of IT leaders say that DLP is more challenging when employees are working remotely. It makes sense. One or two offices have become thousands of virtual offices which means maintaining visibility over data flow is more difficult than ever.
People are relying more heavily on email and other communication tools and are therefore sending data more frequently. Security and IT teams have limited control over how employees handle physical data (for example how they print, store, and dispose of documents). And there’s been a spike in inbound attacks like phishing since the outbreak of COVID-19.
This is to say that organizations are more vulnerable across email security, physical security, and network security.
While there are tools to detect and prevent incidents, data loss prevention ultimately relies on people. After all, it’s people who control our systems and data. They’re the gatekeepers of an organization’s most sensitive information.
But, despite IT leaders’ confidence and optimism (91% say they trust their employees to follow security best practice while out of the office), nearly half (48%) of employees say they’re less likely to.
The question is: Why?
Most of us have dedicated workstations in the office and have grown accustomed to certain equipment. Whether it’s multiple monitors, a desktop, a keyboard, a printer, or a trackpad, we’re comfortable working on our usual devices.
At home, not all of us are so lucky. And, while security and IT teams around the world have worked hard to get their teams set-up at home, there have been delays and even cancellations in global supply chains providing laptops, cell phones, and other technology.
What to do about it: If you’re unable to get your employees the equipment they need, you should consider BYOD policies. We’ve covered the benefits, potential security risks, and tips for employers and employees in this blog: Remote Worker’s Guide To: BYOD Policies.
You can also implement training sessions for new devices to ensure your employees feel comfortable using them. (Be sure to also train your employees on any new applications or software!)
While we can say with confidence that the average employee wants to do the right thing when it comes to security, it’s important to remember that first and foremost, they want to get their jobs done. And, if security policies, procedures, or software makes that difficult or prevents them from doing it all together, they’ll find a workaround.
In fact, 54% of employees say exactly that.
In an office environment, it’s easier for IT and security teams to maintain visibility of employee behavior. They can see if someone isn’t locking their laptop. They can see if someone is using a USB stick when they shouldn’t. They can see if someone has skipped security training.
But, IT and security teams aren’t just there to enforce rules. They’re also there to educate employees and build a strong security culture. That’s harder with distributed workforces.
What to do about it: Communicate, communicate, communicate. Whether it’s sharing information about new threats, reminding employees of security do’s and don’ts, or offering an individual or team kudos for secure behavior, you need to consistently remind your team not only that you’re there, but that you’re there to help.
But, you shouldn’t over-communicate. That means you should ensure there’s one point of contact (or source of truth) who shares updates at a regular, defined time and cadence as opposed to different people sharing updates as and when they happen.
We’re not just working from home. We’re working from home during a crisis. It’s essential that security and business leaders keep this in mind.
While most of us are trying to conduct “business as usual”, most of us are also dealing with a range of challenges. Parents have suddenly taken on the roles of teachers. Living rooms have been turned into makeshift coworking spaces for partners and roommates. Employees are navigating mass lay-offs and furlough schemes. Current social and political unrest is triggering emotional stress and anxiety.
The bottom line: There’s a lot going on.
That means people are more likely to make mistakes. They may send an email to the wrong person. They may misconfigure a firewall. They may make sensitive documents public instead of private on a Google Drive. While these are “small” mishaps, they can have big consequences. In fact, each of the above incidents has caused a data breach.
What to do about it: Start by being empathetic and compassionate. Take the mental wellbeing of your employees seriously and give them the tools, resources, and support they need to thrive. We’ve put together some tips in this blog: 3 Practical Ways to Support Mental Wellbeing in the Workplace.
Beyond that, though, you have to implement solutions that prevent human error. Why? Because it’s simply not fair (or realistic) to rely on people to do the right thing 100% of the time.
Tessian does this across three solutions:
Curious how frequently these incidents are happening in your organization? Click here for a free threat report.
Tessian turns an organization’s email data into its best defense against inbound and outbound email security threats.
Powered by machine learning, our Human Layer Security technology understands evolvong human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.
Best of all: It works silently in the background across devices. That means employees can do their job without security getting in the way and they’re protected, wherever they work. Tessian bolsters training, reinforces policies and procedures, and enables employees to do their best work.
And, with Human Layer Security Intelligence, security, IT, and compliance leaders get clear visibility into employee behavior with visualized insights and automated threat intelligence. That means detecting and preventing human error is easier than ever and organizations can continuously lower the risks of misdirected emails, data exfiltration, and impersonation attacks.
To learn more about Tessian’s solutions, book a demo. And, for more insights around data loss on email (including the most and least effective solutions) read the report: The State of Data Loss Prevention 2020.