In a remote world, employees and employers have an essential duty to one another—to ensure the protection of critical information.
By Zee Johnson
2021 was coined the “Year of the Breach,” and 2022 didn’t lag far behind. In 2021, there were 1,862 total data compromises, affecting 293,927,708 people. Though the total number of compromises was lower last year (1,802), the increase in victims was staggering, rising by 70%, or 422 million more people.
Leaders are rightfully taking heed to these figures and are focusing their attention on tightening data security. In fact, about two in five (39%) respondents in HRO Today’s Top Concerns for CHROs Report cite cyber security as their top concern this year.
There are a number of actions that can be taken to stop or diminish the chance of an attack. But who’s the first in line on the defense? Who is most responsible for guarding critical information—employer or employee?
“All too often, organizations assume that if they put the right system or technology in place, critical information will be automatically protected,” says Mike Kiser, director of strategy and standards at SailPoint. “In reality, security is a team sport; this means, making the most secure usage patterns the default, easiest choice.”
Kiser notes that the responsibility ultimately falls on organizations, and that those that build a data security ethos into the company’s culture will remain the safest from threats.
Haider Iqbal, director of product marketing for Thales, agrees with aligning data protection with company culture, and says it takes time, practice, and shouldn’t be a one-off exercise. “Ongoing employee training on data protection and compliance obligations is imperative as part of a shared responsibility model between employees and the company,” he says. “Employees need to understand that in their organization’s data protection arsenal, they are the first line of defense and can also be its greatest weakness. Employees are central to data protection.”
William MacMillan, senior vice president of information security at Salesforce, says in order to drive a “security-first” culture, organizations must make key investments. “As the threat landscape evolves, it is necessary for businesses to foster a security-first culture, which means investing in the proper tools, infrastructure, and ongoing training to keep cybersecurity at the top of employees’ minds,” he says. “For example, requiring multi-factor authentication (MFA) adds extra protection to the login process, such as entering a password and using an authentication app, to drastically reduce unauthorized access even if a password is stolen.”
Carmen Collins, director of IT and information security at Namecoach, says ultimately, it’s up to employers to highlight the importance of having secure functions. “The [company] should ensure there are multiple layers of protection,” she says. “Ultimately, the organization sets the tone and the culture regarding protecting company data.”
Are There Consequences?
It’s no wonder that experts recommend ingraining data security into company culture; the consequences of a breach can be immense. An IBM report discovered that on average, a data breach costs U.S. companies $9.44 million, $5.09 million more than the global average. And another survey revealed that the cost of cybercrime is predicted to hit $8 trillion this year and will grow to $10.5 trillion in the next two years.
Harrowing consequences could spell trouble for HR. In an already oscillating and often unpredictable market, having the stigma of being an unsecure organization could greatly impact the employee experience and the quantity and quality of talent a company can attract.
CEO of NetSfere, Anurag Lal, says breaches are a worst-case, costly scenario that affect some industries far more than others. “Data breaches can be detrimental to enterprises,” he says. “Healthcare and financial institutions are usually the ones most at risk of breaches because they hold the information that hackers want. Protected healthcare information (PHI), banking information, is like gold for them.”
He says that last year, there were over 700 healthcare data breaches compromising the PHI of over 6 million individuals. In fact, the IBM report found that the healthcare industry was the most targeted sector for the past 12 years and the average cost of a breach went up 42% since 2020 ($10.10 million).
Wrapped in the cost of a breach, Iqbal says, are a slew of fees and fines for violations. “Enforcement powers under the EU’s General Data Protection Regulation or GDPR are significant as violation fines can reach up to 20 million Euros or 4% of an organization’s global annual revenue, per violation, whichever is larger,” he says. “In addition, there are intangible costs such as operational disruption, rises in insurance premiums and increased cost to raise debt.”
Aside from the financial burden—and possibly more significant—is the reputational damage. “One of the most obvious consequences is that customers will not do business with the organization any longer,” Collins says. “There could be brand damage that lasts for years because every time someone searches the internet for that organization, information about the data breach is displayed.”
These days, hacking and cybercrimes are very common. So much so, that 83% of companies can expect some kind of breach to happen. Dr. Martin J. Kraemer, a security awareness advocate at KnowBe4, knows that the consequences are high, but believes brands are more than capable of repairing damage thereafter. “In the past, data breaches have affected stock prices. Stock prices have recovered soon enough in most cases, and today we can observe stock prices being less and less affected by data breaches,” he says. “This might be a testament to better business continuity planning and higher resilience of businesses, such that customers can be assured the company will get back on track quickly. It might also be a recognition of the inevitability of data breaches.”
Does Location Matter?
There is a common consensus that remote and hybrid employees more easily subject organizations to danger. The fact of the matter is: Breaches can occur in any location, but companies that have employees working from one general location may lower their chances of an attack by having fewer digital avenues.
“Whether in person or remote, the amount of information being shared [in] the workforce will be tremendous for an organization,” Lal says. “Limiting the threats by only using approved devices in one location can lessen the probability of a breach or the severity of one.” He adds that in the event of an onsite breach or attack, having dedicated personnel, like a chief information security officer can help tame the fire before spreading.
Kiser concurs that reducing the number of tentacles an organization extends makes it easier to keep safe. “Breaches existed in the pre-pandemic era as well, but the newly distributed nature of today’s organizations presents new challenges—especially as identity becomes the center of security strategies.”
But Iqbal notes that not all breaches have external origins. “It’s easy to assume that employees inside the physical security perimeter present a lesser risk, however, insider threats present a complex and dynamic risk to domains of organizations,” he says. “Even the most trusted employees can do harm to an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.”
And for Collins, in-office employees pose an even greater threat than remote workers by displaying a level of comfort that could leave key information unguarded. “Even if you eliminate insider threats (employees with malicious behavior), people tend to let down their guard at the office. One of the easiest ways to access sensitive information is to walk up to someone’s desk and the computer is unlocked or sensitive information is not put away,” she says.
But more important than which type of employee poses the greater risk, says Alyssa Miller, chief information security officer at Eqip, is securing an organization’s framework. “Helping employees ensure their home networks, internet connectivity, and even personal devices that now share network infrastructure with the corporate assets [are secure] is important. At minimum, organizations need to be committed to a comprehensive security awareness education campaign with their personnel.” She adds that helping remote and in-office employees understand best practices for securing their devices and networks, and for recognizing and avoiding potential attacks, is key.
How Can Companies Protect?
Though some threats are inevitable, having the right protection in place can help identify the threat quickly, therefore minimizing the negative impact it will have on a company. The IBM survey found that shortening the time it takes to identify and contain a data breach to 200 days or less can save over a million dollars in costs. It also found that organizations that had a fully deployed artificial intelligence (AI) and automation program were able to identify and contain a breach 28 days faster than those that didn’t, saving $3.05 million in costs. And even the companies with a partially deployed AI and automation program did far better than those without one at all.
With this in mind, Dr. Kraemer says companies must update their processes and policies, especially for remote workers, or run the high risk of data compromise. He gives several ways to do this, including:
- only utilize secure communication channels;
- limit access to sensitive information where possible;
- host regular training to remind people of important compliance and security requirements; and
- provide regular monitoring and auditing.
Since nearly 95% of cybersecurity breaches are a result of human error, another line of defense is having a well-educated team that understands how to identify threats and risks and knows what to do in the event of a breach. “I suggest organizations educate and train their workforce often on the risks they face and the protocols in place to help them avoid cyberattacks,” Lal says. “Next, executives need to make an investment in secure workplace communication platforms that are fully encrypted and don’t allow data to be tracked and give IT teams or CISOs account control.”
Lal also recommends simple measures, including:
- implement virtual private networks (VPNs);
- limit the number of personal devices that are being used with remote employees to discuss company matters; and
- implement two-factor authentications to ensure remote employees aren’t putting sensitive and private data at risk.
A Zero Trust model is another avenue to pursue, having become something of a standard in workforce security in recent years. According to Iqbal, there are three approaches to building an effective Zero Trust security architecture.
- Identity-centric. This approach places the identity of users, services, and devices at the heart of policy creation. Privileges to access corporate resources are granted per user, service, or device.
- Network-centric. Corporate resources are protected by a gateway security component, like routers, next generation firewalls or software defined networks.
- Combination approaches. A cloud-based access management solution protects cloud identities and resources, while a gateway security component protects on-premise resources.
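The identity-centric approach above decides each request from who (or what) is asking and the state of the device it comes from, rather than from the network it arrives on. The following Python is an added illustration, not code from the article or from any vendor quoted in it; the Principal, DevicePosture and Rule schema, the sample rules and the sample identities are all invented for the example. It also goes a little beyond the text by showing the default-deny behaviour for resources with no policy and by returning a reason string suitable for an audit log.

```python
"""Identity-centric access decision: a constructed Zero Trust policy check."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A user, service account, or device identity (hypothetical schema)."""
    name: str
    kind: str                      # "user", "service", or "device"
    roles: FrozenSet[str]
    mfa_verified: bool = False     # set by the identity provider after a 2nd factor


@dataclass(frozen=True)
class DevicePosture:
    """Health signals reported by the device agent (hypothetical fields)."""
    managed: bool                  # enrolled in corporate device management
    disk_encrypted: bool
    patched: bool                  # OS and agent inside the patch window

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.patched


@dataclass(frozen=True)
class Rule:
    """Policy for one resource: who may reach it and under what conditions."""
    resource: str
    allowed_roles: FrozenSet[str]
    require_mfa: bool = True             # applies to human users only
    require_healthy_device: bool = True


def evaluate(principal: Principal, posture: Optional[DevicePosture],
             resource: str, rules: Dict[str, Rule]) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    rule = rules.get(resource)
    if rule is None:
        return False, f"deny: no policy for {resource!r} (default deny)"
    if not (principal.roles & rule.allowed_roles):
        return False, f"deny: {principal.name} holds no role permitted on {resource!r}"
    if rule.require_mfa and principal.kind == "user" and not principal.mfa_verified:
        return False, f"deny: MFA required for {principal.name} on {resource!r}"
    if rule.require_healthy_device:
        if posture is None:
            return False, f"deny: device posture unknown for {principal.name}"
        if not posture.healthy():
            return False, f"deny: device of {principal.name} fails posture checks"
    return True, f"allow: {principal.name} ({principal.kind}) -> {resource!r}"


# Constructed sample policy and identities (not taken from the article).
RULES: Dict[str, Rule] = {
    "hr-records": Rule("hr-records", frozenset({"hr-admin"})),
    "wiki": Rule("wiki", frozenset({"employee", "hr-admin"}),
                 require_healthy_device=False),
    "payroll-api": Rule("payroll-api", frozenset({"payroll-service"}),
                        require_healthy_device=False),
}

ALICE = Principal("alice", "user", frozenset({"employee", "hr-admin"}), mfa_verified=True)
ALICE_NO_MFA = Principal("alice", "user", frozenset({"employee", "hr-admin"}))
BOB = Principal("bob", "user", frozenset({"employee"}), mfa_verified=True)
PAYROLL_RUNNER = Principal("payroll-runner", "service", frozenset({"payroll-service"}))
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, patched=True)
UNPATCHED = DevicePosture(managed=True, disk_encrypted=True, patched=False)


def demo() -> list:
    """Run a few representative requests and return the audit-style reasons."""
    cases = [
        (ALICE, HEALTHY, "hr-records"),        # right role, MFA, healthy device
        (BOB, HEALTHY, "hr-records"),          # no hr-admin role
        (ALICE, UNPATCHED, "hr-records"),      # device fails posture
        (ALICE_NO_MFA, HEALTHY, "hr-records"), # second factor missing
        (BOB, None, "wiki"),                   # low-value resource, no posture needed
        (PAYROLL_RUNNER, None, "payroll-api"), # service identity, MFA not applicable
        (ALICE, HEALTHY, "finance-ledger"),    # no rule at all: default deny
    ]
    return [evaluate(p, d, r, RULES)[1] for p, d, r in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Every decision returns a reason string, so the same function feeds both the enforcement point and the monitoring and auditing that Dr. Kraemer recommends later in the article. The MFA check is deliberately applied to human users only; service identities are expected to authenticate with their own credentials, and a device's health is checked separately through the posture object.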
Salesforce’s MacMillan looks at a Zero Trust model as the ultimate “home” security. “Implementing a Zero Trust architecture, where employees are only given access to the devices, applications, and systems they need to do their job, allows a business to put guardrails around the already-security-conscious workforce to even further reduce the chances of sensitive data being compromised,” he says. “Think of it like allowing someone into your home — just because you let them in the door doesn’t mean they need to go through all your bedrooms and cabinets.”
Dr. Kraemer says a Zero Trust approach replaces old unsecure methods that ran rampant during the pandemic and that made many organizations more vulnerable. “Surveys following the working-from-home shift caused by the COVID-19 pandemic crisis are concerning for security departments. Bring-your-own-device policies and out-of-date software were some of the challenges,” he says. “Without a Zero Trust setup, employees must be forced to use VPN for work to get behind corporate firewalls.”
What Does the Future Look Like?
Businesses can install and implement all the new software and programs that they please, but regular examination is essential to measure the difference those new processes are actually making.
“IT teams and CISOs should do routine checkups of their systems to make sure there aren’t any weak points leaving them vulnerable,” Lal says. “Hackers are continually becoming more sophisticated and stealthier with their attacks. It is an organization’s job to remain diligent in its protections.”
Miller says that collaborating with cybersecurity experts is one of the best ways to verify an organization’s security posture as it pertains to systems, processes, and procedures.
She lists some verification practices to employ, like:
- security program assessments; and/or
- bug bounties (for companies with more advanced systems)
Businesses can also place themselves on a path to more secure systems by asking simple questions like the following.
- Is there a secure VPN?
- Does access require two-factor authentication?
- Is the system compliant with today’s standards?
- When was the last time the staff was trained in phishing scams?
- Where is the company most vulnerable?
In the end, each organization will have different needs, but one thing will be consistent across the board—the need to remain agile and secure at all times. “The proper protection is often subjective: what are the proper controls for this particular set of data, at this particular time, for these particular identities,” Kiser says. “Rather than a static concept, protections must be dynamic, responding to the changing environment.”