7 minute read 2 Aug 2022
Risks of hybrid working

How security risks are impacting hybrid work models

Authors
Arpinder Singh

EY Global Markets and India Leader, Forensic & Integrity Services

Leading forensic accountant and veteran expert witness. Advising global clients on compliance, anti-corruption and corporate governance. Disruptive thinker. Technology aficionado. Author.

Harshavardhan Godugula

EY India Forensic & Integrity Services Technology & Innovation Leader

Technology leader. Advising the C-suite on building safer enterprises through cyber incident response, data governance, fraud analytics and eDiscovery services. Driven by innovation.

7 minute read 2 Aug 2022

Understanding security risks stemming from hybrid work environments can help companies adopt the requisite policies and security technologies to keep themselves safe.

In brief

  • Data privacy challenges, increased risk of cyberattacks, limited defense and response capabilities and compliance violations are top concerns.

The corporate world, as it stands today, is still contemplating the workings of what a post-pandemic future might look like. Hybrid work models that divide time between the home and the office are being viewed as a welcome change by many companies and employees worldwide. The benefits of this flexible arrangement are tremendous, but they come with their own challenges.

Remote working WFH or WFA necessitates a higher dependence on technology. This increases an organization's vulnerability to security threats, such as cyberattacks, data breaches, fraud, bribery, corruption, etc.

As per a report by EY and the Association of Certified Fraud Examiners (ACFE) Mumbai chapter, unsecure Wi-Fi networks, software vulnerabilities and a lack of cyber awareness among employees saw cybercriminals targeting organizational vulnerabilities during the pandemic. Ransomware attacks and social engineering risks increased by 53%, while 40% of organizations reported a cyber intrusion directed at their remote work environments. 

From a compliance standpoint, critical background checks and verification procedures were also bypassed whilst onboarding new third-party operators (vendors, agents, contractors, etc.). For instance, a global IT solutions company that wanted to expand operations to India and Africa to drive its next wave of growth began operating shortly after conducting initial due diligence. However, just a few months later, the firm identified concerns such as employee — vendor collusion, misconduct, bribery, and corruption. Many issues were discovered during the vulnerability assessment, including kickbacks paid by a vendor to acquire lucrative projects, the existence of ghost employee accounts, inflated work hours being charged, and bid-rigging. Furthermore, third-party background checks revealed irregular payments and the disbursement of cash bribes to employees.

In the aftermath of the pandemic, as many companies focused on building digital-ready businesses quickly, security and compliance controls took a back seat. EY’s 14th Global fraud survey revealed that one in five respondents in the emerging markets did not conduct third-party background checks as part of their forensic due diligence programs. Threat actors have been quick to identify and leverage these security gaps and monetize it for maximum gains.

Security risks in the new normal 

The hybrid model birthed by the crisis, presents both opportunities and challenges in terms of companies being able to manage their security controls. At the same time, external hackers are actively working to exploit vulnerabilities and breach company defenses for financial gain.

Organizations can strengthen compliance, utilize technology and invest in a robust, integrated suite of forensic solutions to detect and deter the security challenges of working from home.
Arpinder Singh
EY Global Markets and India Leader, Forensic & Integrity Services

Data privacy and regulatory concerns

Companies are facing numerous challenges while working toward protecting their data and complying with global and local privacy laws. According to the EY–ACFE Mumbai chapter survey, 66% said data privacy and data protection compliance concerns had increased over the last one year, while only 39% of the respondents are conducting compliance audits of third parties that handle personal data.

Increased risk of phishing and malware attacks

An employee working from home or remotely is not covered by the security umbrella of the company and may be exposed to several cybersecurity risks. The increase in the number of personal devices, unsecured networks, and software exposures have widened the attack surface and exposed employees to risks such as social engineering attacks (phishing, smishing, etc.), ransomware attacks, internet of things (IoT) attacks, and data breaches. 

WFH limits incident response capability organizations 

With an increased number of attacks being aimed at organizations today, it is imperative to have a robust incident response plan in place. But in the case of hybrid or remote work environments, where employees’ devices reside outside of an organization’s security controls, timely detection of any suspicious activities becomes difficult to monitor.

WFH device limitations, such as disabled user authentication, infrequent updates, and unbacked data, are additional factors behind security breaches and malware attacks.

Difficulty in implementing security policies 

Organizations with Bring Your Own Device (BYOD) policies are typically exposed to more security risks than others. As these are personal devices and may not be installed within an organization’s load set with security and monitoring controls, it can be difficult to enforce security and software updates on them. Without these critical updates, the devices may remain vulnerable and pose a significant risk to the entire organization.

Compliance violations

An organization’s compliance policy can be enforced in a multitude of ways. However, it can be difficult for security teams to control user activities for employees working from home. For example, IT and security teams would restrict access to certain high-risk websites through firewalls, but for a WFH employee, the policy may not cover their asset, resulting in possible exposure of the device and data to cybercriminals. 

Our experience of working with global companies shows the human element being the most common cause behind data breaches today. Employees using public or unsecure networks, discussing business-sensitive information in public places, or leaving their work devices unattended are some privacy gaps that attackers tend to exploit.
Harshavardhan Godugula
EY India Forensic & Integrity Services Technology & Innovation Leader

Instituting a secure remote work environment

To effectively combat risks, establishing a robust security framework as an interplay of people, processes, and technology becomes paramount.

C-suite involvement in aligning digital priorities, the efficacy of internal risk mitigation programs as well as the deployment of the right technological toolsets can potentially become some of the strongest weapons in a company’s arsenal.

According to the EY-ACFE survey, emerging technologies such as artificial intelligence (AI) and machine learning (ML) (37%), fraud data analytics (35%), real-time threat intelligence and endpoint security solutions (29%) are driving digital transformation within compliance, risk and legal departments. Combating risks emanating from bribery and corruption in WFH models can be addressed by implementing employee monitoring solutions, such as internet activity and email monitoring, social media and message tracking, and file transfer tracking to help track dubious employee behavior.

Moving toward a zero trust security model is another effective way to stop cyberattacks right at their source. The zero-trust model is based on the ‘trust none, verify all’ approach that helps to build a more secure environment at work. The two most critical components of this security architecture are identity authentication for access to work devices and network access control management, which can often get compromised in the regular course of working.

Companies can also consider modifying their BYOD policies to better combat risks surrounding WFH models. Employees that are allowed to use personal devices for work can be exposed to several security threats, such as malware infections, leading to data leakage and unauthorized access to data. Company-provided devices can be customized according to an organization’s security controls, while personal devices cannot be monitored at the same level. This can expose the company to a plethora of security risks.

Enabling multi-factor authentication (MFA) in all apps and accounts with confidential information is key to creating a cyber-safe work environment. MFA is an authentication system that validates user identity using two or more distinct methods, rather than just a username and password combination. It protects enterprises against identity theft, cyberattacks, and data breaches by preventing unauthorized access to apps and sensitive data.

Regular security training to employees is as important as the deployment of any technological tool or firewall. Employees are a company’s first line of defense and should be made aware of their role in safeguarding the company’s data.

Summary

The WFH model is here to stay. Companies will continue to build on this model — and this may expose them to various security risks. To manage such unforeseen threats, businesses must adapt a holistic strategy to create safe working environments.

About this article

Authors
Arpinder Singh

EY Global Markets and India Leader, Forensic & Integrity Services

Leading forensic accountant and veteran expert witness. Advising global clients on compliance, anti-corruption and corporate governance. Disruptive thinker. Technology aficionado. Author.

Harshavardhan Godugula

EY India Forensic & Integrity Services Technology & Innovation Leader

Technology leader. Advising the C-suite on building safer enterprises through cyber incident response, data governance, fraud analytics and eDiscovery services. Driven by innovation.