By Tim Sadler, Co-founder and CEO of Tessian
Events this year have changed the way we think about work indefinitely. In fact, new research from Tessian shows that only 11% of employees want to work exclusively in the office post-pandemic. Businesses must now consider whether the remote work shift brought on by COVID-19 should become permanent. But, then again, remote work isn’t accessible or preferable for every employee. Business leaders, therefore, have important decisions to make around how employees will work in the future, be it remotely, in an office, or a hybrid of the two.
Whatever the decision, cybersecurity will be a huge factor. IT teams must fortify workplace processes with an added layer of security to protect both data and individuals no matter where an employee is working. They will face more pressure from the top as cybersecurity and business continuity are prioritized.
Business leaders need to understand the new challenges IT leaders are facing, how security threats change as people work from anywhere, and how to prepare for a future hybrid working structure.
Why IT Leaders Are Concerned About Hybrid Work
Three-quarters of IT decision-makers believe the future of work will be either remote or hybrid, according to Tessian’s report.
But they do have concerns around these new ways of working, specifically around employee wellbeing. Throughout the pandemic, research has shown the negative impact remote work has had on people’s levels of stress, leading to more incidents of burnout. As well as having detrimental consequences for people’s wellbeing, increased levels of stress could also be putting companies at risk, as people tend to make more cybersecurity mistakes at work when they are stressed. IT leaders are also concerned that remote employees’ unsafe data practices could lead to more data breaches and security incidents.
It’s no wonder, then, that more than one-third (34%) of IT leaders are worried about their teams’ time and resources being stretched too thin. Eighty-five percent also believe their teams will be under more pressure with a permanent remote work structure. To explain, let’s look at two specific security concerns that are made more complex when some, or all, employees work outside of the office:
- Phishing: Half of the security incidents or data breaches that companies experienced between March and July 2020 were the result of phishing attacks – making it the top attack vector during this time. In fact, nearly two-thirds of US and UK employees (65%) said they received a phishing email during the remote work period. The problem is that employees are more susceptible to phishing attacks while working remotely, namely because hackers are taking advantage of the situation and it’s also harder to verify a colleague’s request when they aren’t in the same room as you. In addition, factors like distraction could cause people to miss cues and potentially click on malicious links.
- Insider threats: Data exfiltration from inside the company is also a security risk that becomes more complex with a remote or hybrid environment, even when not done maliciously. An employee could, for example, be sending documents to personal email accounts to print from their home devices. When this data leaves corporate networks and devices, though, it becomes more vulnerable to a breach and puts the company at risk of non-compliance.
Protect IT Teams’ Time by Focusing on Security and Awareness Efforts
Mitigating these risks without overburdening IT teams won’t be easy but it can be achieved by focusing on two important areas: email protection and better cybersecurity training.
Employees are more reliant on email than ever while working remotely; Tessian saw a 129% increase in email traffic from March to April 2020, compared with January to February. As people use email more and more to send data to customers and colleagues, and as hackers exploit the channels employees rely on most, educating people on threats like phishing attacks or accidental data loss – simply caused by someone sending an email to the wrong person – is critical to company security.
This training, however, needs to resonate. It can’t be seen as a tick-box exercise or another thing for people to add to their to-do lists, because employees just won’t engage with it. In fact, despite half of IT departments implementing more security training for their remote workers during the pandemic, nearly 1 in 5 employees said they didn’t take part.
This could be because the training gets in the way of people doing their jobs, but also because it often lacks the real-world context employees need to develop positive security behavior. Real-time educational alerts provide that context. Employees can understand, in the moment, why the message they received is a threat as well as the techniques hackers are using to trick or manipulate them – all learnings that they can apply to future incidents.
A human-first approach to cybersecurity has never been more important. As employees log onto corporate networks from anywhere in the world, the most important security perimeter companies must protect is their team members.
Employees have access to large amounts of sensitive information and are handling more of that data over email than ever. But it’s unreasonable to expect employees to keep data and systems secure 100% of the time – mistakes happen and many people aren’t cybersecurity experts. By focusing on a few high-impact areas, IT teams can protect employees and their business, without feeling overwhelmed by the task ahead.
About the Author
Tim is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email like data exfiltration, accidental data loss, and phishing. Tim has since built the company to over 160 employees in offices in San Francisco and London, and raised over $60m from leading venture capital funds. Tim was listed on the Forbes 30 Under 30 list in technology.