Should they stay or should they go?

Preamble: The shift to remote work, accelerated by the COVID-19 pandemic, has created a fundamental transformation in how organizations operate. While the benefits of working from home, including improved work-life balance and enhanced employee well-being, are widely celebrated, the issue of security, particularly insider risk management, remains underexplored. As public and private sectors grapple with the debate over whether to mandate a return to the office, it is critical to address the security vulnerabilities inherent in a remote or hybrid work environment. This discussion is not merely about productivity or economic revitalization; it must consider the balance between employee rights and the protection of sensitive organizational data and national security. Organizations must rethink their approaches, building a security culture that adapts to the realities of modern work while safeguarding against both internal and external risks.

The COVID-19 pandemic reached Canada in January 2020 and due to health and safety concerns necessitated that, wherever possible, public and private employees should work remotely. Since then, working from home appears to have become an expected norm as it has reportedly had a beneficial effect on employee well-being. Due to greater freedom and anecdotal indications of a general enhanced quality of life, it is unsurprising that many employees balk at any return-to-office mandates. By way of example, the federal government recently updated its remote work policy to require public servants spend three days commuting to and working in the office each week. Public service unions are fighting what they call a ‘one-size-fits-all’ decision, stating that there is “no evidence or data” to support the claim that employees are more productive in the office.

While arguments (for and against) cite productivity, work-life balance, and in the case of Ottawa, revitalization of the local economy, seldom is the topic of security, in particular insider risk management cited as a consideration. In fact, nowhere in the May 2024 Treasury Board Directive on prescribed presence in the workplace is security mentioned as either an objective or guiding principle for a hybrid work model. It goes without saying that having employees work from home considerably enlarges the attack surface with additional digital (and physical) entry points into an organization. With personal networks being utilized, the attack surface area is more vulnerable and greatly availed to cybercriminals and agents of hostile foreign nation-states. This unfortunately points to another assertion that security practitioners have maintained all along – until organizations are confronted with a serious incident, insider threats will largely remain as an afterthought.

Keeping this in mind, why are the topics of security and employee reliability seldom mentioned as key drivers when discussing the efficacy of remote work? Or, have ‘pandemic-driven’ working from home policies become a vested right for employees? From a pedantic perspective, shouldn’t national security or the protection of a company’s ‘crown jewels’ trump an employee’s desire to work virtually?

One need not look far to find research cases confirming a dramatic increase in insider threat events since working-from-home became the norm. While these revealing statistics are not surprising for those of us working in insider risk management, they are often ‘big news’ to those functioning outside our domain.

While increased remote work presence does introduce additional vulnerabilities, it is the concept of employee integrity that should be lockstep with an organization’s financial and operational success. As such, it is critical that private and public organizations adopt a balanced approach towards developing a security culture wherein employees are trusted and vice-versa. Further to this point, recent research suggests positive workplace cultures build organizations that are “infused with trust” and hence reduce the circumstances that lead to insider threat.

Although it is considerably more comfortable looking outward than inward, the reality of recent cases, e.g., the conviction of RCMP intelligence ‘czar’, Cameron Ortis, demonstrates that no organization is above or immune from insider threats. Once senior executives recognize and acknowledge that the potential for theft of data or intellectual property increases with a remote workforce, this might prompt a shift to focusing on limiting opportunities for insider threat attacks by balancing positive and negative deterrence measures. Beyond the use of monitoring software or virtual meetings, ‘traditional office’ interactions and collaborations may allow supervisors and leaders to more effectively gauge the morale/personal well-being of their employees when in-person.

Granted, after several years of remote working, it is very difficult to revert to pre-pandemic employment conditions in an office. Keeping that in mind, a flexible hybrid workplan is likely the best solution for all involved but will need to be somewhat ‘prescriptive’ to the job requirements and the individual employee. In other words, if employees are permitted to work from home, their cyber vigilance and insider risk awareness must be guaranteed.

The demand for flexible remote work is not going away, yet neither are the positive security benefits derived by having employees on-site. All organizations need to strive to develop a robust plan that achieves a ‘sweet spot’ of protection from internal and external vulnerabilities with all employees remaining committed to an overall security culture within the organization.