Covid-19 has had a profound effect on all our lives, but one of the positive changes for many people has been the increased flexibility offered by employers in when and where they work. While some employers were already committed to supporting flexible working pre-Covid, many had a traditional office culture and expectations around working hours. The enforced move to remote working during lockdown led to a realisation that remote working was productive, effective and potentially a way to reduce carbon footprint and boost recruitment efforts.
As lockdowns have eased in the UK, many organisations have now navigated the ‘return to office’ decisions and the vast majority are now offering employees the choice to work a combination of office and remote working, often referred to as hybrid working. For security professionals, a fluid working location can pose some headaches. While many working practices, systems and processes are increasingly digitised and cloud-based, the risks posed to sensitive information are complicated and changed by hybrid working. In the context of espionage, here are three key ways we see the espionage risk changing and how to mitigate those risks effectively:
- The spread and location of sensitive assets and conversations have changed
The simple fact that employees will be working across locations can increase the risk of espionage and eavesdropping, let alone the impact of working from a home location. The risks posed by commuting and travelling have always been recognised (for example, the incident of Ministry of Defence classified documents found at a bus stop in Kent), and, rarely, key staff can be at risk of vehicle monitoring or tracking. However, with the ongoing switch of working locations, the risk of document or asset theft increases as employees potentially lose focus on strong information security protocols. Additionally, working from home poses risks, as the layered physical and technical security defences of the office, which have been designed to counter the threat so well, cannot be replicated in private residences.
In order to best analyse the risks that hybrid working will change and create, it is recommended to revert to a strategic review and conduct a risk assessment. By mapping where your assets are now located, who now manages those assets if this has changed due to the pandemic or organisational changes, and reviewing the risks to the security of those assets, you can then verify whether the security protocols, policies and measures are sufficient, and change or implement new ones as needed. Good sources of information on this process are available from CPNI.
- Communicating effective security behaviours has become a bigger challenge
One of the challenges of remote and hybrid working is ensuring that people employ the same procedures and behaviours at home as they do at the workplace. If they are in a shared workspace, do they lock their screen as they would in an office? Is their workspace at risk of being overlooked? Are sensitive papers locked away? Are sensitive meetings conducted using secure and encrypted technology platforms? The simple fact is that many are more relaxed at home and they may behave differently. It is also more challenging to communicate and engage employees with necessary updates on how they should be working securely when they are remote. An updated policy sent over an online learning platform struggles to be as engaging as an in-person breakfast briefing.
It is important to consider when and how you communicate security behaviours. Engage with other functions and teams in your organisation to coordinate and maximise internal communication programs. Consider a range of communication tools and techniques to allow for the variety of ways in which people like to receive information and which are effective for their learning behaviours. Ensure compliance and gauge your communication effectiveness by asking employees about their understanding of the protocols in place; an audit or test exercise is never a bad thing. Again, CPNI has a vast array of resources to help manage personnel security.
- All security defence layers are still equally important
While some argue that the cyber threat has increased due to greater levels of remote working and the move to the cloud, the truth is that all security aspects are still as important as each other. The adversary only cares about identifying and exploiting vulnerabilities, and increasingly they use a combination of attack techniques to achieve their goal, so holistic security protection is key. Cybersecurity is hugely important, but managing the insider threat is increasingly challenging when hostile states are targeting the recruitment of trusted insiders, so effective social and administrative controls are essential. Equally, physical security may have dropped off the agenda for some security heads during lockdown, but now that buildings are occupied once more and the working environment has changed, it is important to ensure it is fit for purpose. Similarly, the technical threat remains and is more complex to manage when home working means some sensitive conversations are happening away from the office protection which is in place and is hard to replicate in private residences.
Through our Esoteric solutions, we advise organisations on the optimum holistic security defences to provide protection from the threat of espionage and eavesdropping. With a grounding specialism in TSCM, we have best-in-class services in technical, physical and personnel security controls, and regularly advise organisations, government bodies and HNW individuals on the current espionage threat landscape and how to stay secure. Contact us for further information.