The pandemic sent most office workers home to transform their living environments into makeshift workspaces. This has radically transformed how people now think about the office. When the time came for people to return to in-office work, many bucked at the idea. A number of leading companies have created hybrid models that facilitate more at-home work for their employees. The question of home versus office as a work location continues to generate a lot of debate with studies looking at productivity, costs, and many other factors. One question that has come from the information technology (IT) side has to do with cybersecurity and whether remote work introduces potential new threats to a company’s digital assets.
Which is More Secure: Home or Office?
During the pandemic, incidents of data breaches also increased rapidly. Hackers are more active than ever before in terms of looking for weaknesses they can exploit. Unfortunately, emerging technologies, like artificial intelligence, create new vulnerabilities for companies. Many IT professionals believe their employees developed bad cybersecurity habits during their months working from home and have also invited more attacks through lax practices. However, research has shown the greatest risks to cybersecurity actually exist in the office despite fears that remote work would make systems more vulnerable. While this may be surprising to read at first, it makes sense when you consider how employees in each setting approach cybersecurity.
One study from the Farmer School of Business showed that remote workers actually took more security-related precautions than in-office workers and demonstrated a greater awareness of cybersecurity risks. This finding may be explained by the Peltzman Effect, which is a sort of complacency framework. Remote workers feel a deeper sense of responsibility when it comes to cybersecurity since it is intimately connects to the security of their own network. However, in the office, people become complacent and trust the IT professionals at their company to handle any sort of cybersecurity threat for them. Thus, they take less of an interest in keeping their work secure and may inadvertently introduce risks while in the office.
The False Feeling of Safety in the Office Environment
Employees in the office often perceive themselves to be safe because they have the protection of the company’s cybersecurity. Thus, these individuals may not follow best practices at all times and may become quite lax in regards to taking precautions. Prior research has shown that corporate employees trust their organizations to develop and maintain appropriate security measures to reduce risk. As a result, these employees are not mindful of security threats and may make decisions that put the organization at risk. On the contrary, remote workers recognize they need to remain vigilant because they do not have the corporate protection afforded by the office environment. Thus, remote workers tend to take on more security precautions and keep assets safer.
Researchers have also found that greater security correlates with a deeper understanding of information security policy and potential threats to asset security. In other words, when companies take the time to engage their employees around the topic of cybersecurity and potential threats, their employees are more likely to take the proper precautions. This is true for both in-office and at-home workers. Since at-home workers are especially vigilant about cybersecurity, companies may be able to tackle security issues more effectively by keeping their employees remote, or at least by implementing a hybrid system, provided they have a robust training program for cybersecurity.
Developing Effective Cybersecurity Training Programs
The most effective training programs for cybersecurity at a company are those that actively engage employees, which means getting their feedback on perceived threats or attempts to steal data. Involving employees in this way helps combat two of the biases that can lead to lax habits. The first of these is the status quo bias, which is the tendency to prefer the current situation to something different, even if the change could be an improvement. In the context of cybersecurity, this speaks to an employee’s belief that the IT department has the matter handled. By involving employees and their experiences, it is easier to show everyone that cyberthreats are an evolving challenge requiring a degree of personal responsibility.
The second issue that often arises among employees when it comes to cybersecurity is the optimism bias. Employees tend to underestimate the likelihood of a cyberattack and overestimate the likelihood of a positive outcome should one happen. When people are able to learn from each other’s experiences at the same company, they become more aware of how probable such an attack is and, importantly, learn how they can react in a way that is proactive and protective whether they are at home or in the office. This approach helps everyone buy into cybersecurity regardless of their location, which is ultimately what companies need to keep their digital assets protected.