How to get started and maintain a powerful ZTNA architecture
Remote work offers benefits across the workplace. For employees, it provides greater efficiency and lower stress levels: 82 percent of telecommuters reported less stress and 30 percent said it allowed them to accomplish more work in less time.
In addition to driving greater employee efficiency, remote work enables enterprise leaders to decrease overhead expenses that come with maintaining a fully in-person workforce. The average business could save $11,000 per remote worker per year.
The catch? With so many employees out of physical reach of leadership — potentially working on public Wifi and personal devices — there’s a lot of room for new security vulnerabilities. OpenVPN surveyed 250 IT leaders, from the manager level through the C-suite, to understand their views on the potential of remote work and the quality of their organization’s security policies surrounding remote workers.
While IT leaders see the benefits of remote work and understand that it’s here to stay, they still fear that organizations leave themselves vulnerable to many risks. Their take? Organizations that haven’t taken the right steps to secure their remote workers need to do so soon, especially since workplace embrace of remote work is moving faster than ever.
IT understands both the risk and the reward of remote work
Overwhelmingly, IT professionals understand that remote work is here to stay, even if they’re adamant that remote workers create risk. When asked whether the benefits of remote work outweigh the risks, 92 percent said they believe they do.
But their endorsement of remote work overall comes with some significant caveats. Ninety percent of respondents believe remote workers pose a security risk in general, and more than half (54 percent) believe that remote employees pose a greater security risk than onsite employees.
Executives are particularly concerned about the risk remote workers pose, as nearly three-quarters (73 percent) of VP and C-suite IT leaders believe remote workers pose a greater risk than onsite employees, compared to 48 percent of IT managers and 45 percent of IT directors.
Despite their overall endorsement, IT professionals’ wariness of the state of security for remote workers is clear. While they acknowledge that employers are trying to secure against the risks of a telecommuting workforce, key vulnerabilities remain.
Good intentions, poor execution
Organizations are taking clear steps to mitigate the risks of remote work, but they’re missing the mark in some crucial areas.
Securing remote work should start with a formalized policy that applies specifically to remote workers. Impressively, 93 percent of organizations have one in place already. These policies should dictate what technology remote workers should and should not use.
For example, tools such as VPNs and password managers prevent remote workers from carelessly using dangerous public Wifi networks or relying on the same simple password for every account and device. (We know from a previous OpenVPN survey that 25 percent of employees use the same password for everything.)
By the same token, prohibiting workers from using their personal laptops for work prevents the spreading of sensitive company information to devices not controlled by the organization’s security measures.
What elements make up organizations’ remote work security policies? | |
Require VPNs | 74% |
Require sensitive data to be encrypted | 69% |
Prohibit work-related data on personal devices | 68% |
Require security training for employees | 66% |
Require use of password manager | 56% |
Prohibit BYOD (bring your own device) | 38% |
In addition to formalizing a detailed remote worker security policy, holding continuous cybersecurity education sessions for remote workers is a must. With remote workers out of sight of leadership, it can be too easy to leave them out of meetings and trainings. But organizations seem to grasp the importance — 90 percent say their organization requires that remote workers take part in cybersecurity training. For many, however, the level of frequency or effectiveness isn’t ideal.
How often do organizations require remote workers to partake in cybersecurity trainings? | |
More than twice per year | 23% |
Twice per year | 32% |
Annually | 25% |
During employee onboarding only | 8% |
We have an e-learning platform offering courses for employees to take as they desire | 11% |
Organizations’ embrace of security policies and trainings for remote workers is proactive at face value, but looking a bit closer, some cracks emerge in their strategies. For one, more than one-third of organizations (36 percent) have experienced a security incident because of a remote worker’s actions.
When we examine who’s leading the development of remote worker security policies, we uncover the importance of trusting IT to directly oversee the initiative. IT departments led security policy development for well over half (57 percent) of organizations that hadn't experienced a remote worker-caused breach. By contrast, only 49 percent of IT departments led security planning for companies that had experienced a remote worker-caused breach.
For the sake of your organization’s security, it’s crucial to not only loop IT into the development of remote work security initiatives, but to have them own the process. Plus, of those who have suffered a security incident due to a remote worker, 68 percent have experienced one within the last year — a strong suggestion that cybercriminals’ tactics are becoming more potent all the time.
Actionable steps to take down remote work vulnerabilities
As organizations everywhere tap into the benefits of remote work, they will also face security challenges. Cyberthreats are increasing rapidly — both in terms of volume and sophistication — and leaders need to get their security measures under control quickly. Here are three steps organizations can take to better handle remote worker security.
- Ditch the “set-it-and-forget-it” approach – Organizations are prone to developing a policy and then considering the initiative complete. They don’t make an effort to revisit it routinely, and yet the cybersecurity space becomes riskier all the time. In fact, nearly a quarter of organizations (24 percent) haven’t updated their remote work security policy in more than a year. Your security policy deserves a regular slot on quarterly meeting agendas among C-suite executives so that the organization can hold itself accountable at the highest level for continuous security improvement.
- Focus on enforcing your policy – Nearly half (49 percent) of IT leaders say they only somewhat agree that remote employees adhere to remote work policies. Any deviation from the policy puts the organization at risk, so make it impossible for your remote workers to work around the security policy with elements like VPNs and denied access for personal devices. As new measures are rolled out, IT representatives should hold live meetings with remote workers to illustrate how they can meet the requirements. Education also plays a strong role in increased employee adherence. Make sure that remote workers aren’t left out of regular security training and that they take required courses at least biannually.
- Let IT lead – Forty-four percent of organizations do not let IT teams take the lead role in developing the remote work security policy, but why let anyone besides your resident security experts steer the initiative? While it’s tempting to simply “loop in” IT and tell yourself that means security is prioritized, no one approaches things from a truly security-first perspective like IT. If security is an initiative’s main point, as it is with a remote work security strategy, IT should be heading the effort.
There’s no stopping the embrace of remote work. The modern work trend offers many benefits to organizations, such as greater access to talent and increased employee engagement. But it also creates unique security challenges — which organizations across the board aren’t yet equipped to handle. Remote work’s rise isn’t slowing for anyone, so organizations must prioritize the refining of their policies sooner rather than later.