Unsafe at Home: The Heightened Cyber Risk of At-Home Workers

Two years ago, employees across the country and around the world collaborated with their employers to establish ways they could perform their job duties while working from home.  Today, the urgent need for home-based workers has receded, but the popularity of this option remains high.

And while certain trends point to an actual increase in productivity, job satisfaction, and a better work-life balance from working at home, the choice does also come with a few risks, some quite disturbing and potentially very costly.

The Cost of a Data Breach Report, conducted by the Ponemon Institute and IBM Security, reports that 76% of respondents whose organizations have shifted to remote work expect that working from home could increase the time required to identify and contain a data breach.  What’s more, 70% of respondents expect remote working to increase the cost of a data breach.

Those results should cause business leaders to pause, at least for a moment, to think about what remote work represents regarding risks to your organization’s cybersecurity status.  With the geopolitical upheaval emanating from Eastern Europe currently, the world is getting a first-hand lesson in the power of benign cyber systems to damage economies, influence migration of populations, even wage war.  Just imagine the wreckage a malignant cyber attack could create.

Are your remote employees following strict cybersecurity protocols regarding password control?  Tracking and protecting the physical location of their laptops and smartphones?  Accessing only approved downloads and avoiding personal usage or inappropriate personal apps on company equipment?

Keep in mind that three out of four business leaders have concerns about cybersecurity regarding remote work.  Being concerned is one thing.  Acting on those concerns by clearly stating acceptable and unacceptable cyber behavior, and enforcing those standards, is what can make a real difference.

Contact the professionals at The Reschini Group for more information.


Copyright 2022 The Reschini Group

The Reschini Group provides these updates for information only, and does not provide legal advice.  To make decisions regarding insurance matters, please consult directly with a licensed insurance professional or firm.


Inside Job: Safeguarding Against Internal Cyber Threats

The Software Engineering Institute (SEI) at Carnegie Mellon University defines insider cyber threats as “the potential for an individual who has or had authorized access to an organization’s assets to use that access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”

As such, a team from SEI recently issued the sixth edition of its Common Sense Guide to Mitigating Insider Threats, where it lists the following 21 recommendations for businesses to deploy:

  • Know and protect your critical assets.
  • Develop a formalized insider threat program.
  • Clearly document and consistently enforce policies and controls.
  • Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  • Anticipate and manage negative issues in the work environment.
  • Consider threats from insiders and business partners in enterprise-wide risk assessments.
  • Be especially vigilant regarding social media.
  • Structure management and tasks to minimize insider stress and mistakes.
  • Incorporate malicious insider threat awareness into periodic security training for all employees.
  • Implement strict password and account management policies and practices.
  • Institute strict access controls and monitoring policies on privileged users.
  • Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
  • Monitor and control remote access from all end points, including mobile devices.
  • Establish a baseline of normal behavior for both networks and employees.
  • Enforce separation of duties and least privilege.
  • Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  • Institutionalize system change controls.
  • Implement secure backup and recovery processes.
  • Close the doors to unauthorized data exfiltration.
  • Develop a comprehensive employee termination procedure.
  • Adopt positive incentives to align the workforce with the organization.

Many of these guidelines appear to be just common sense business practices, but establishing them firmly, communicating them clearly, and enforcing them consistently makes the difference.  Insuring against internal cyber threats carries its own set of parameters and requirements, as well.

The professionals at The Reschini Group can help protect your organization against losses from internal cyber fraud.  Contact us to talk more about this important consideration.

* https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf


Copyright 2019 The Reschini Group
