5 security lessons from 18 months of working from home

5 security lessons from 18 months of working from home

A little more than 20 months ago, many people around the world were asked or instructed to work from home to help slow the spread of COVID-19. It caused a seismic change to the way we all do business.

Now, our latest research reveals how IT decision makers’ security concerns have been changed by enduring from home for so long; how they’ve adapted with new tools and training; and how confident they now are in their remote employees’ approach to security.

It also sounds a warning: That while employees care about getting security right, many are also suffering from “fear fatigue”. Adrenaline-fuelled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

The story so far

The novel coronavirus outbreak of 2019 was declared a pandemic on 12 March 2020, and by April half the world’s population had been asked or ordered to stay at home. We have since learned that breaking transmission between co-workers—by asking them to work from home—is an effective way to slow the spread of the virus. As such, it has become a mainstay of our collective response to outbreaks and looks set to be a feature of working life for the foreseeable future.

What was once a novelty for many organizations has now become decidedly normal. The initial period of rapid, violent change forced businesses to implement expedient solutions, which created enormous headaches for IT and security teams, and new opportunities for attackers. Since then, the businesses that have survived the slings and arrows of the pandemic have had some time to take stock and look for better ways to work from home.

So, in the summer of 2021 we decided to survey 200 IT decision makers to find out how 18 months of working from home during a pandemic has changed the way organizations think about security, and how they have had to adapt.

This is what we learned:

1. IT has changed

Working from home has changed the devices and applications that employees use to get work done. Most obviously, home work requires communication and collaboration tools where employees can work together. They are the bricks and mortar of the virtual shared spaces that have replaced offices.

Unsurprisingly, more than 70% of our respondents told us their organizations now make greater use of video conferencing platforms like Zoom, use more cloud storage, and rely more heavily on instant messaging solutions, like Slack.

That’s important, because when employees change the way they use their computers, it changes the IT and security functions they rely on.

2. Security concerns have changed

Changes in where and how work is done have altered the risks that organizations care about. Chief among their concerns are how to control company data in the dispersed, cloud-dependent world of remote work.

63% of the IT decision makers we surveyed listed “exposing data or information accidentally” as one of their greatest cybersecurity concerns, while 52% listed the difficulty in off-boarding remote employees to prevent unauthorized future access.

A change in security concerns calls for a change in the way security is practiced, and it’s clear there have been significant changes here too.

3. Security measures have changed

When security concerns change, it’s only right that the way we practice security changes too. 74% of the IT decision makers we spoke to told us they’d responded to changing conditions by implementing new tools to enhance security, while 71% have rolled out new forms of training.

Our research reveals a reported increase in the use of cybersecurity and antivirus tools, password managers, Virtual Private Networks (VPNs), and two-factor authentication (2FA) among businesses working from home.

However, that work appears unfinished. Despite this investment in tools and training, decision makers also told us that finding the right cybersecurity tools and training to support remote work are still among their biggest challenges. In fact the only thing that ranked higher was the challenge of working with limited IT resources.

Those challenges notwithstanding, progress appears to have been made—in some organizations at least.

4. Businesses have adapted

April 2020 and the months that followed were a time of enormous, acute upheaval, and the eighteen months from then until we conducted our research continued to pose significant challenges for businesses. Nevertheless, some appear to have made progress towards a safer form of remote work.

62% of the decision makers we surveyed told us that their employees were either “very” or “acutely” aware of the security best practices they need to follow. And they aren’t simply passive observers: 83% want to do the right thing, and care about their security responsibilities. Overall, 56% of our respondents said their organizations had become slightly or significantly more secure since they began working from home, although it is worth noting that one quarter believe they are still less secure.

Overall, our decision makers appear to believe their employees know and care about security. However, our research also hints that, unmanaged, that caring could itself become a problem.

5. Adaptation has a human cost

Stress is an overused and undervalued word. It is a normal, physiological response to being threatened or feeling pressure, and if it’s sustained over a lengthy period of time it can lead to exhaustion and burnout. After 18 months of the COVID-19 pandemic, almost 80% of our survey respondents reported some level of jadedness or “fear fatigue” in their organization.

This should not be a surprise—the threat of the novel coronavirus, and everything that made up the response to it, provided no end of potential sources of stress. Among them is the need to keep remote employees appraised of the increased cyberthreats they now face, and informed about how to deal with them. Alarmingly, a quarter of our decision makers reported that employees seemed “overwhelmed” by threats and jaded by security procedures.

It is a warning shot: It is good, imperative even, that remote employees care about the security threats they face and know what to do when they meet them. But the pandemic is far from over, and organizations need to tread a fine line between equipping their employees and overwhelming them.

To learn more about how the world of work is adapting to cyberthreats in the age of remote work, and how to deal with the looming threat of fear fatigue, read our report Still Enduring from Home.