Is remote work really insecure?

The benefits of remote work can also open the door to attackers

Years on from the widespread shift to remote working instigated by the pandemic, related security issues continue to cause headaches for CISOs.

According to Rob Kneller, director of both the cyber security consultancy KIT365 and the East Midland Cyber Security Cluster, remote working is definitely a liability – and arguably an even bigger one than before.

“While remote work is more widespread and socially accepted now, that hasn’t meant the industry has fully adapted its security practices to match,” he explains. “If anything, the risks have grown because more people are working from home, often on networks that aren’t secure.

“Many questions remain. Where are your employees working? What networks are they joining? Are their devices locked securely? Even from a trust perspective, companies are placing more faith in their people than ever, but without the same level of monitoring or control as a traditional office environment.”

What makes remote working insecure

Remote working widens the attack surface, increasing exposure to vulnerabilities as employees access networks from a range of locations and devices. These are often less secure than their corporate counterparts, making them prime targets for phishing, malware, and ransomware, notes Professor Kevin Curran, IEEE senior member and professor of cyber security at Ulster University.

Threat actors take advantage of these weaknesses, adapting their techniques to exploit remote workers. Even as stricter return-to-office mandates come into place, those who continue to work remotely or adopt a hybrid approach could still be at risk.

But whether they permit remote working or not, companies need to account for it in policies, says Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham.

“The latest Cybersecurity Breaches Survey shows that two thirds of businesses and charities have a policy on remote and mobile working – which in turn suggests that a third of organizations don’t have a formal position that’s being clearly articulated to staff.”

But even those companies with strong security policies on paper face heightened risks by accepting remote working, as those safeguards often rely on individual users following them correctly.

“For example, sensitive data can be more easily exposed when people work in public spaces like trains or cafes,” notes Kneller. “Who can see or access your screen?” Another major risk is untrusted networks, he adds, noting that when employees join public or poorly secured Wi-Fi, you have no control over who else is on that network, or whether someone could intercept sensitive information.

“Employees often adopt unsanctioned productivity solutions, creating major blind spots for IT and security teams,” adds Madelein van der Hout, senior analyst at Forrester. “This usually stems from organizations not reacting quickly enough to change. For example, when ChatGPT became available, many employees started using it without proper guidance on what was allowed or what the risks were. If not properly secured, any tool can expose organizations to data leakage or unauthorized access.”

Do the benefits outweigh the risks?

We’re all aware of the benefits of remote working: it can increase accessibility to work and offer companies a way to reduce their running costs by removing the need for office space. In addition, many would agree that remote work’s productivity and talent retention benefits at least partially offset its cybersecurity burden. That said, it shouldn’t be an either-or situation. Remote work can be secure, says Kneller, but only when the right mix of people, processes and technology is in place.

Many enterprises have invested in zero trust architecture, cloud-based endpoint protection and identity and access management to support remote working, but this can be more challenging for SMEs, which may lack the expertise or funds for implementation.

In order to minimize risk, he advises companies to integrate secure-by-design platforms with encryption and access controls, citing the Mayo Clinic as a good example of remote working security practices.

“It provided encrypted, company-issued devices instead of relying on bring your own device (BYOD). This avoids vulnerabilities from unpatched personal devices. This is paired with multi-factor authentication (MFA) and human risk management.”

Companies must ensure they’re investing enough in training staff and embedding a genuine culture of cybersecurity. “Even the best tools and policies in the world won’t protect you if your people don’t understand how to spot risk or follow secure practices,” Kneller says. “The balance should be about making remote work sustainable and safe, and building productivity and talent retention on a strong security foundation, not treating it as an afterthought.”

Will AI save the day?

AI and automation may play a growing role in securing remote work environments.

“AI-powered endpoint detection and response tools can detect anomalies in real-time, such as unusual logins or data transfers on platforms like Microsoft Teams, countering phishing and insider threats often underestimated by SMEs,” says Curran. “Automated patch management ensures timely software updates across distributed devices, addressing vulnerabilities in BYOD setups, while AI-driven user and entity behavioral analytics can flag unauthorized activities such as file-sharing in Google Drive.

“AI can also automate API security scans, tackling misconfigurations, while AI-tailored phishing simulations and training can reduce human error without overwhelming employees – addressing a key SME weakness.”

Getting the board onboard

Any CISO worth their salt has a solid understanding of the risks linked to remote access and home working, says Kneller – the bigger question is whether the rest of the business truly listens.

The reality is that balancing security against convenience and usability against protection is rarely a technical decision alone; it’s a board-level conversation about risk appetite and commercial priorities, he says.

“A good CISO will clearly communicate the risks and what’s needed to manage them, but ultimately, it’s the business leadership that decides how far to go. Many organizations lean towards what’s most cost-effective and convenient in the short term without always fully weighing up the potential fallout of a major cyber breach.

“Put simply: any cost benefit of working from home quickly disappears if an attack shuts the business down. That’s the trade-off boards must face and CISOs can only keep advising, educating and pushing for security to stay high on the agenda.”

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.