
Should they stay or should they go?


Preamble: The shift to remote work, accelerated by the COVID-19 pandemic, has created a fundamental transformation in how organizations operate. While the benefits of working from home, including improved work-life balance and enhanced employee well-being, are widely celebrated, the issue of security, particularly insider risk management, remains underexplored. As public and private sectors grapple with the debate over whether to mandate a return to the office, it is critical to address the security vulnerabilities inherent in a remote or hybrid work environment. This discussion is not merely about productivity or economic revitalization; it must consider the balance between employee rights and the protection of sensitive organizational data and national security. Organizations must rethink their approaches, building a security culture that adapts to the realities of modern work while safeguarding against both internal and external risks.


The COVID-19 pandemic reached Canada in January 2020 and, due to health and safety concerns, necessitated that public and private employees work remotely wherever possible. Since then, working from home appears to have become an expected norm, as it has reportedly had a beneficial effect on employee well-being. Given greater freedom and anecdotal indications of a generally enhanced quality of life, it is unsurprising that many employees balk at any return-to-office mandates. By way of example, the federal government recently updated its remote work policy to require that public servants spend three days commuting to and working in the office each week. Public service unions are fighting what they call a ‘one-size-fits-all’ decision, stating that there is “no evidence or data” to support the claim that employees are more productive in the office.



While arguments (for and against) cite productivity, work-life balance, and, in the case of Ottawa, revitalization of the local economy, the topic of security, in particular insider risk management, is seldom cited as a consideration. In fact, nowhere in the May 2024 Treasury Board Directive on prescribed presence in the workplace is security mentioned as either an objective or guiding principle for a hybrid work model. It goes without saying that having employees work from home considerably enlarges the attack surface, with additional digital (and physical) entry points into an organization. With personal networks being utilized, that attack surface is more vulnerable and more readily available to cybercriminals and agents of hostile foreign nation-states. This unfortunately points to another assertion that security practitioners have maintained all along: until organizations are confronted with a serious incident, insider threats will largely remain an afterthought.


Keeping this in mind, why are the topics of security and employee reliability seldom mentioned as key drivers when discussing the efficacy of remote work? Or, have ‘pandemic-driven’ working from home policies become a vested right for employees? From a pedantic perspective, shouldn’t national security or the protection of a company’s ‘crown jewels’ trump an employee’s desire to work virtually?


One need not look far to find research cases confirming a dramatic increase in insider threat events since working-from-home became the norm. While these revealing statistics are not surprising for those of us working in insider risk management, they are often ‘big news’ to those functioning outside our domain.



While increased remote work presence does introduce additional vulnerabilities, it is the concept of employee integrity that should be in lockstep with an organization’s financial and operational success. As such, it is critical that private and public organizations adopt a balanced approach towards developing a security culture wherein employees are trusted and vice versa. Further to this point, recent research suggests positive workplace cultures build organizations that are “infused with trust” and hence reduce the circumstances that lead to insider threat.


Although it is considerably more comfortable looking outward than inward, the reality of recent cases, e.g., the conviction of RCMP intelligence ‘czar’ Cameron Ortis, demonstrates that no organization is above or immune from insider threats. Once senior executives recognize and acknowledge that the potential for theft of data or intellectual property increases with a remote workforce, they might be prompted to shift their focus to limiting opportunities for insider threat attacks by balancing positive and negative deterrence measures. Beyond the use of monitoring software or virtual meetings, in-person ‘traditional office’ interactions and collaborations may allow supervisors and leaders to more effectively gauge the morale and personal well-being of their employees.



Granted, after several years of remote working, it is very difficult to revert to pre-pandemic employment conditions in an office. Keeping that in mind, a flexible hybrid workplan is likely the best solution for all involved but will need to be somewhat ‘prescriptive’ to the job requirements and the individual employee. In other words, if employees are permitted to work from home, their cyber vigilance and insider risk awareness must be guaranteed.


The demand for flexible remote work is not going away, yet neither are the positive security benefits derived by having employees on-site. All organizations need to strive to develop a robust plan that achieves a ‘sweet spot’ of protection from internal and external vulnerabilities with all employees remaining committed to an overall security culture within the organization.



 
 
 


*The CInRM CoE encourages diverse opinions concerning the mitigation of insider threats and the fostering of critical discourse.  Points-of-view (POV) represent the perspectives of our occasional contributors and may not be representative of the CInRM CoE.


© 2025 by Canadian Insider Risk Management Centre of Excellence | Centre d'excellence canadien pour la gestion des risques internes
