What are the key security risks of agile working and how to avoid them
The days of desk-bound, 9-5 jobs are well and truly over, and the working landscape is now more fluid than ever. According to analysis from the BBC 5Live programme Wake Up To Money, the number of people working from home increased by 74% between 2008 and 2018.
This suggests that agile working is far more convenient for employees, and an effective way for businesses to increase job satisfaction.
One prevailing form of flexible employment is ‘agile working’, popular due to its focus on adaptability and productivity, while still empowering employees to choose when and where they work. That all sounds great in theory, but allowing work activities to take place outside of the office also brings with it a number of security risks. Instead of waiting for disaster to strike before taking action, it’s important to take preventative measures well in advance. As noted in the most recent mobile security report from IT service management company Gartner: “The focus should be on improving overall security hygiene, rather than countering advanced malicious threats.”
Here are some of the key security risks associated with agile working, and what businesses can do to mitigate these threats.
What is agile working?
Many people believe ‘agile’ and ‘flexible’ working are one and the same, but in reality, they are two distinct policies. Both allow employees to pick their own hours and workspaces, but an agile working strategy also puts prominent focus on the day-to-day operations of an organisation. According to Ricoh UK Insights, which helps companies work smarter using innovative technology, there are four main differences between flexible and agile working:
- Flexible working simply means doing the same work elsewhere. Agile working ensures that employees are prepared and able to respond to any changes affecting the organisation.
- Agile working is based around a business’s objectives and goals, while flexible working is employee-centric.
- Flexible working is a habit change; agile working is a mindset.
- Though flexible policies often involve working in isolation and communicating digitally, agile working encourages face-to-face interaction to stimulate focus, collaboration and creativity.
What are the main security concerns around agile working?
Vulnerable mobile data
One of the most far-reaching security risks associated with agile working is the increasing reliance on unsecured mobile devices. A report from security firm Bitglass revealed that 85% of enterprises let workers use personal devices, and as mobiles are still the most popular means of internet access, agile workers will likely access corporate data through smartphones. This can be very risky for several reasons. Firstly, employees are more likely to fall for email phishing scams through their phones as the screens will be smaller than those of workplace devices like laptops and desktop computers, meaning suspicious details could be omitted. Apps are another big concern. Not only could an employee accidentally download a malicious app, but they may also grant app permissions which allow software to access message logs, microphones and other features that could compromise confidential information.
What’s more, these devices could easily be misplaced or stolen — Carphone Warehouse reported that almost 25,700 phones were lost in London between April 2017 and April 2018 alone. As well as being inconvenient for the employee, this could be disastrous for the company if the phone falls into the wrong hands.
Unreliable public Wi-Fi
Working remotely means that agile employees may choose to work in public places like coffee shops and cafés, or while they’re on the go in airports and train stations. These locations might aid their productivity, but there’s no guarantee that public Wi-Fi networks are secure. Cybercriminals often exploit vulnerabilities, such as a lack of encryption, to carry out man-in-the-middle attacks and intercept company data. Agile employees could also be lured to rogue hotspots, which are open networks impersonating legitimate sources, with names like ‘Free Airport Wi-Fi’ or ‘Starbucks Free Wi-Fi’. Workers may connect to these networks believing them to be genuine, but inadvertently allow the creator of this rogue hotspot to access their device, and possibly even remotely install malware to cause further damage.
Lack of security guidance
When employees work from their own gadgets in the location of their choice, there’s a risk that they could start to deviate from a company’s cybersecurity policy. Working in the office leaves them bound to the corporate network, and all of the security measures that come with it. However, remote working often leaves them to their own devices. This is particularly worrying when you consider that over 50% of people don’t have passwords on their phones. A further 40% are using outdated computer operating systems that may have security gaps, and a whopping 88% of UK data breaches are caused by human error. As such, it’s difficult to monitor whether workers are following best practices outside of the office, and just one misjudged user action could potentially expose an organisation’s resources to cybercriminals.
How can businesses tackle these risks?
Enforce the use of VPNs
A virtual private network (VPN) provides employees with online anonymity by creating a private network separate from a public one. As well as establishing secure, encrypted networks that are harder for hackers to breach, VPNs also mask IP addresses, so agile workers’ online activities can’t be traced. There are many free VPNs available, though they might not be the most up to date or secure, or offer the best bandwidth and connection speeds.
Commit to a Zero Trust security policy
A holistic Zero Trust security strategy limits access and requires identity verification to keep sensitive data secure. One part of this policy is multi-factor authentication (MFA), which requires users to confirm who they are via multiple forms of authentication, like passwords and biometrics. Another aspect is role-based access control (RBAC), which grants specific access to each user depending on the resources they need to do their job. For example, someone in the marketing department would not be able to see HR content, and vice versa. This reduces the attack surface, as it means no employee is putting the whole corporate network at risk.
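The MFA and RBAC checks described above, sketched as a deny-by-default access decision. This is an added example, not code from the original article; the role names, resource names and authentication-method labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: roles and resources are illustrative assumptions.
ROLE_RESOURCES = {
    "marketing": {"campaign-assets", "brand-guidelines"},
    "hr": {"employee-records", "payroll"},
}

# Each authentication method belongs to one factor category. Two methods
# from the same category (password + PIN) do not count as multi-factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_key": "possession",
    "fingerprint": "inherence",
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    verified_methods: tuple  # methods the user has passed in this session


def mfa_satisfied(methods):
    """True only if the methods span at least two distinct factor categories."""
    categories = {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}
    return len(categories) >= 2


def decide(req):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not mfa_satisfied(req.verified_methods):
        return False, "mfa_required"
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return False, "role_not_permitted"
    return True, "ok"


if __name__ == "__main__":
    both = ("password", "fingerprint")
    for r in (AccessRequest("alice", "marketing", "campaign-assets", both),
              AccessRequest("alice", "marketing", "payroll", both),
              AccessRequest("bob", "hr", "payroll", ("password", "pin"))):
        print(r.user, r.resource, decide(r))
```

Returning a reason alongside each denial gives the security team something to log and review when remote workers are refused access.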
Introduce preventative training
It’s always safer to assume that agile workers have next to no cybersecurity knowledge. In fact, when surveyed, over 30% of employees didn’t know what phishing or malware was. This concerning statistic shows just why training is so important. Staff must learn about the different threats, how to identify and report breaches, and how to protect their device and the company data it holds. As the methods cybercriminals use grow ever more sophisticated with time, training has to be a regular occurrence in order to keep agile workers up-to-date with all the latest information. That way, employees will be more likely to work responsibly even when separated from the corporate network.