Across Canada, return to office plans are in flux. While many organizations rightfully value the role that in-person working environments have for their employees and customers, remote and hybrid work are also here to stay.
Many major firms based in Canada are committing to long-term hybrid work models or entirely remote workforces, encouraged by the benefits they’ve seen during the pandemic. As flex work models grow, security challenges will grow, too.
The mass transition to remote work spurred by the pandemic created a new threat landscape and surge in cyberattacks. According to the World Economic Forum, there was an astounding 238 per cent increase in global cyberattack volume across just a three-month period last year.
When it comes to endpoint devices, like PCs and printers, there is no shortage of threats. Globally, endpoints faced 1.5 attacks every single minute in 2020 alone. Changing work styles and behaviours in our hybrid environment, such as using work devices for personal tasks, have highlighted new vulnerabilities for companies, individuals, and their data. Security risks have soared, and everyday actions like opening an attachment can have serious consequences.
IT decision-makers have been responsive in many cases, upping their security measures. However, many Canadian organizations are still underprepared. A recent KPMG report found that just two in five Canadian firms think they could detect or fend off a cyberattack. Research from RBC also found that among small businesses – which make up most of Canada’s business landscape – only 16 per cent feel prepared for a cyber incident.
There is also a new tension between IT teams and employees, including those working from home. Despite the rise in risks, security isn’t top of mind for employees. In fact, apathy – and even rebellion among employees – are on the rise.
Cyber threats are increasing, while employee diligence is not
One recent report found that despite cybercrime being a pressing threat, more than half of Canadian workers (51 per cent) say they’re not concerned about their organization being the victim of a cybersecurity breach. Troublingly, the same report found that only 40 per cent of employees are getting cybersecurity training.
Another report found that workers, especially younger generations, are feeling disengaged and apathetic about cybersecurity. Some of these feelings are due to a lack of communication and training around security. Close to 40 per cent of young employees were unsure of what their company’s security policy is or whether one existed.
These feelings also stem from the negative impact of security policies and tools that enable remote work. Some of these necessary upgrades have created too much friction for workers, affecting their productivity to the point that employees are rebelling against best practices. As a result, more workers are circumventing security to get work done, which presents a major challenge for organizations already facing an environment of growing cyber threats.
These increasing burdens are putting IT teams and business leaders – especially small business owners without specialized internal support – in a corner. Security teams have been left feeling pressured to help businesses perform, but also rejected by rebellious employees who resent new security restrictions being placed on them.
These challenges can have expensive consequences too, with 69 per cent of organizations paying the demands from ransomware attacks. Without visibility of devices, how they are being used and by whom, IT security teams are working with clouded vision and it is costing organizations. Attackers have been quick to identify and take advantage of these gaps, as can be seen from the rise in phishing attacks and web browser infections.
How can more organizations secure the growing hybrid workplace?
Faced with this challenging balancing act, organizations must prioritize security-related training and technology investments.
It starts with creating frictionless experiences employees want, but with built-in security. Businesses need to equip their teams with technology and tools that have been designed with security in mind and are user-friendly. Endpoints, such as PCs and printers, with security built in (rather than bolted on) provide a more seamless end-user experience and allow for certain restrictions to be eased.
Along with the technology itself, it’s incumbent upon IT leaders to build a more collaborative security culture, too. That includes continuously engaging and educating employees about the growing cybersecurity risks organizations face. The threat landscape is constantly evolving, and training needs to evolve with it.
Employees should participate in security training when it’s offered, but businesses should also routinely remind them of good cybersecurity hygiene. By offering simple reminders around proper technology use – such as only using work devices for work-related purposes, not sharing them with family members, and accepting that some specific websites may be blocked for cybersecurity safety – businesses can significantly reduce their risks.
For their part, IT teams also must better understand how security impacts workflows and productivity. From here, security needs to be re-evaluated based on the needs of both the business and the hybrid worker.
With human behaviour increasingly driving challenges, security needs to be part of the organizational DNA. Cybersecurity should be something that everyone can buy into. IT teams are mandated to keep the business safe, but users also need to play their part.
The future of work will need to be both flexible and secure: it cannot be an either-or situation. Embedding security not only into IT policies and technology, but also into organizational culture, is a must. It will ease the burden not only on IT teams, but also on every employee – creating more resilient organizations that are better prepared for what’s next.