Steve Durbin is Chief Executive of Information Security Forum. He is a frequent speaker on the Board’s role in cybersecurity and technology.
The fourth industrial revolution is here, and new technologies have the potential to change how people work in ways previously hard to imagine. On one hand, organizations are shifting to permanent or hybrid remote work setups since it provides opportunities to trim operating costs and weather an uncertain economic future. On the other hand, businesses are accelerating investments in artificial intelligence (AI) to boost automation, operational efficiency and business productivity.
AI presents big opportunities along with big risks. Let’s explore potential threats that emerge from the intersection of remote working and technology advancements:
Disengagement discourages secure behavior.
By embracing remote working, the lack of in-person contact among staff can have a less-than-ideal effect on corporate culture. Disengagement between staff and their employer will no doubt have an adverse effect on their attitudes toward the company and, consequently, heighten the risk of insider threats, either by accident, judgment errors or malicious intent.
Lack of identity verification can enable impostors.
As the organization now operates more “virtually,” technologies like deepfakes allow cybercriminals to impersonate employees, the C-suite and business partners, which puts the enterprise at an increased risk of security incidents. Furthermore, if employees begin to engage AI to circumvent standard security governance practices and automate work tasks, they could undermine the organization in ways similar to shadow IT, with its resultant lack of oversight. This lack of visibility and verification enables impostors to compromise information at will.
Digital nomads leave a trail of vulnerabilities.
The introduction of new and favorable tax rules for remote employees, especially those who fancy traveling the world, encourages them to change their location on a frequent basis. Since they log in to corporate resources from various locations, organizations can’t be sure what security controls are being used and what security protocols are being followed while transiting through public places such as airports, cafes, parks and other unsecured wifi locations.
Some moonlighting microservice providers might profit from conflicts of interest.
The gig economy is giving rise to new services being offered by the hour by people who work on a freelance basis, and these workers are not always required to clear sound background checks. Based on my observations, many of gig workers are full-time employees who use their spare time and weekends to take on second jobs. Some might be working for competitors, which can be a conflict of interest and might even violate non-disclosure agreements, which puts all parties at risk.
Lack of flexibility inhibits security recruitment and retention.
From my perspective, businesses that insist on returning to the office, especially for security roles that could be hybrid or fully remote, will likely see higher rates of attrition and longer-term unfilled vacancies. Lack of skilled talent affects staff availability and makes burnout of existing staff more likely. This leads to lower security performance by harried workers and raises information risk across the board.
Breakdown in security culture raises insider threats.
Employees who are disgruntled might stop respecting security protocols and show a blatant disregard for policies. Combined with high levels of attrition and gaps in critical skills across the business, the threat of a successful attack using an employee as a vector—either through apathetic behavior, being coerced by easy money offers or being an assailant themselves—increases significantly.
Over-reliance on automation backfires.
New security technology can streamline and bolster defenses, but in my experience, it often falls short. Without human interaction and experience, these systems lack the context they need to make accurate decisions. As a result, they might generate false positives or miss real threats. Security technology is often designed to work with little or no human input, which can lead to problems when the system encounters something it doesn’t understand, such as a new type of malware or a sophisticated attack. Security systems need to be regularly updated; otherwise, they’re at risk of becoming obsolete.
Outsourcing amplifies supply chain risk.
As offices are closed, some organizations might try to reduce costs by outsourcing as many essential services and tasks as possible. While this improves flexibility, it also heightens the risk of a major disruption as businesses lose control over key infrastructure.
How can organizations be better prepared to tackle these risks?
Organizations with remote employees will have to carefully weigh how this working model affects their security posture and security culture.
• Ensure data, information and security governance functions are equipped to oversee and deal with change. Keep control frameworks up to date to ensure security basics are always in place.
• Update security awareness programs to factor in the established working model for the organization (i.e., office, hybrid or remote). Deploy culture-building exercises for remote staff, such as a combination of frequent on-site and video sessions, to create and maintain a sense of togetherness.
• Establish clear protocols on the use of outsourced suppliers and services. Mandate a certain level of assurance and oversight, both pre- and post-contract. Include suppliers in business continuity planning as well.
• Introduce systems and processes for continuous identity verification, such as regular video chats, to confirm whether employees are who they say they are. Use deepfake detection tools to identify impersonators and fake content.
• Apply encryption to all sensitive data on employees’ devices, preferably at hardware level (e.g., whole disk encryption).
• Take a strategic view of the long-term risks associated with an increasing reliance on AI and automation and how that alters risk. Deploy review processes that routinely assess the accuracy and integrity of the intelligence and data that powers AI and drives business decisions.
Technology and workplace transformations must never be done hastily. It’s important to be fully aware of the risks as well as the opportunities that exist. It is also equally important to have a well-thought-out transition plan in place before moving ahead into the unknown, because uncertainty is the only thing organizations can be certain of.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here
