Several businesses are introducing perks to employees in the summer. Research has found that 58% of employees report that their workplace offers more flexibility during this period, including increased work-from-home or work-from-anywhere options (so-termed “workations”).
Despite these measures, aimed at boosting employee morale, Andrius Buinovskis, a cybersecurity expert at NordLayer, cautions companies to carefully consider the cybersecurity risks before adopting this trend and offering more flexibility.
Buinovskis highlights that employees could be exposed to many cyber risks while working remotely, all stemming from poor cybersecurity practices, such as disabling VPN, connecting to public Wi-Fi, or being less cautious around phishing scams due to other distractions.
When employees swap the office for a more relaxing setting, it can expose enterprises to additional cybersecurity risks — and, without proper measures, increase the likelihood of a data breach.
To illustrate this, a survey by DayForce has found that 41% of employees feel they’re less productive in the summer, and 58% stated that their employer offers some type of flexibility during this time, including increased work-from-home or work-from-anywhere options.
Andrius Buinovskis, while employees might appreciate the added benefits, enterprises must not underestimate the risks behind such perks:
“Many companies offer mixed working models, such as remote or hybrid working. Work from anywhere or ‘workations’ allowing employees to work from abroad have also gained popularity. This additional flexibility is a great bonus for employees. However, businesses mustn’t offer it to employees without knowing the risks. Remote work opens the door for an array of security vulnerabilities, which, if exploited, can lead to devastating data breaches, resulting in reputational and financial loss.”
The main cybersecurity risks
Buinovskis explains that the most common threat from remote work comes from using unsecured public networks. Cybercriminals can intercept Wi-Fi to steal employee credentials, install malware, or hijack accounts.
“Employees that change their routines are more likely to reduce VPN usage due to distractions. Due to their unfamiliarity with the environment, they’re also an attractive target for scammers, and their lack of vigilance can make them more likely to fall for phishing scams in general,” says Buinovskis.
“Additionally, employees may be asked to share more personal data in countries with fewer GDPR restrictions, increasing the risk of misuse. Another major concern is that if they use personal devices, those devices lack centralized security, may run outdated software, and are more vulnerable to attacks.”
He emphasizes that personal devices offer less physical security than company-issued hardware since friends and family members can access them. While travelling, work devices are also at a greater risk, as they may be lost or stolen.
If that happens, the information stored on these devices could be misused, and according to Buinovskis, just one compromised device or account is enough to trigger a significant data breach.
How to ensure cybersecurity while maintaining flexibility
Even though remote work models come with cybersecurity challenges, it doesn’t mean that businesses should abandon these perks altogether.
According to Buinovskis, the main cybersecurity measures companies should implement to ensure that their data is protected include:
- Strong network encryption. It secures data in transit, transforming it into an unreadable format and safeguarding it from potential attackers.
- Password management policies. Hackers can easily target and compromise accounts protected by weak, reused, or easy-to-access passwords. Enforcing strict password management policies requiring unique, long, and complex passwords, and educating employees on how to store them securely minimizes the possibility of falling victim to cybercriminals.
- Multi-factor authentication. Access controls, like multi-factor authentication, make it more difficult for cybercriminals to access accounts with stolen credentials, adding a layer of protection.
- Zero trust architecture. The constant verification process of all devices and users trying to access the network significantly reduces the possibility of a hacker successfully infiltrating the business.
- Network segmentation. If a bad actor does manage to infiltrate the network, ensuring it’s segmented helps to minimize the potential damage. Not granting all employees access to the whole network and limiting it to the parts essential for their work helps reduce the scope of the data an infiltrator can access.
“High observability into employee activity and centralized security are crucial for defending against remote work-related cyber threats, especially because personal devices and unauthorized applications greatly expand a company’s attack surface,” Buinovskis observes. “Given the real risk of data breaches and the financial and reputational damage they could potentially cause, overlooking security gaps is a serious gamble that isn’t worth taking.”
Buinovskis also emphasizes that employees are often the weakest link in a company’s cybersecurity. Cybersecurity awareness training is essential to minimize the risk of data breaches — regardless of the work model. This training should cover how to recognize phishing scams, the risks of using public Wi-Fi, and effective password management practices.
