Digital surveillance of remote workers may increase enterprise risk

From productivity tools to security threats, we explore how digital surveillance is forcing remote workers towards shadow IT

This article can also be found in the Premium Editorial Download: Computer Weekly: Why watching your remote workers doesn’t work

Between mid-2020 and the summer of this year, 44% of the UK’s pandemic-induced home working contingent had monitoring software installed on their work-provided devices. After a year in which business leaders and the C-suite have lost a direct view of their employees, they have seemingly turned to digitised motivation tools. But in this push for enhanced productivity, are organisations putting their long-term security at risk?

The idea of digital surveillance, at first glance, comes across as something of a panicked reaction to an enforced transition to remote working. Almost overnight, that close-knit, easily viewable and immediately accountable office dynamic was fragmented and dispersed into hundreds, or even thousands, of separate homes – many not even in the same city or country any more, let alone the same building.

In that instant, as corporate laptops and phones were provided to ensure ongoing operations and a seamless transition, it is perhaps understandable that decision-makers sought to cling on to some level of control. The installation of monitoring software that can track emails, internet and app usage, phone use, and even locations, suddenly skyrocketed.

That figure of 44% is derived from a study conducted earlier this year by global cyber security giant Kaspersky. The survey of 2,000 full-time workers in the UK – both management and employees – sought to explore the new dynamic between the two. And, for the most part, the sense of trust and appreciation at such a challenging time was promising.

Yet it was this standout statistic around digital surveillance that threatened to upset the peace, to break the trust, and to turn a productivity tool into a security danger.

The reason for this security threat is shadow IT. Almost one-third of workers also revealed they were likely to use a personal device for work purposes if they felt they were being monitored by an employer.

As the dust settles on the Covid-19 explosion and remote working is retained as something we treasure in the new world, people’s initial understanding about their bosses’ need for control is likely to wane. And if personal device usage for critical work operations proliferates as a result, businesses may soon find that their attempts to form a digital connection puts them at more cyber risk than ever.

Breaking the employer-employee equity

Delving into the statistics from Kaspersky’s study a little further, almost a quarter of those who have had surveillance software installed already, admitted to dropping themselves off the radar as a consequence.

It’s such an easy peril to walk into. As we become more accustomed to this new work-life balance, it’s no secret that many people have dropped their levels of perceived professionalism.

Do we wear a suit to the home office? Do we even have a home office? Can we not just have the TV on in the background? Why aren’t pyjamas suitable for a Zoom call? Why shouldn’t I scroll Twitter while I take a break?

And it’s this final “what if” or “why not” that brings cause for concern. Already, as we sit mere centimetres from our personal phones or computers, the distance between work and leisure is quite literally a thumb’s width. Even without an extra push, the temptation to “just reply to one email” via your personal phone, as it’s already in your hand, makes sense. Inevitably, this increases the likelihood of critical data falling into the wrong hands, storage location or inbox, exponentially.

Now, let’s add that extra push. The above scenario works under the umbrella of laziness, apathy or convenience, rather than intent. An escape from the notion of surveillance adds quite substantial intent to that situation – and it’s an intent that organisations can ill afford to encourage.

“There’s a certain irony to this situation, in that companies are falling into a trap that they’ve spent some time trying to avoid through their general cyber security training and messages,” says David Emm, principal security researcher at Kaspersky. “For so long now, the policy has been one of education, openness and reprieve, rather than based around fear.

“The reason is, if people make a mistake and then look to cover it up, then obviously that incident is likely to become more of an issue. So, instead, the aim has largely been to create a relationship between employer and employee which encourages people to come forward – an equity, if you like.

“Now, all of a sudden, we’re seeing this rise in monitoring software being installed on employees’ devices, which sends an adverse message around trust. That equity is broken to an extent, and my fear is that it would now force workers to run, hide, conceal or fall off the grid – not just in this case, but as a more general rule of thumb.”

Monitor the technology, not the human

Emm admits to being quite surprised by the results of the Kaspersky study, especially now. He notes that the use of surveillance software would perhaps have been more understandable or expected two or three years ago, while remote working was still finding its feet.

“But now, and even just before Covid, it wasn’t such an alien idea to have people working outside of an office,” he says. “I personally thought a lot of the concern and mistrust around flexible working, or working from home, had gone.

“And while Covid has obviously now been seen as this watershed moment for the trend, where we know productivity doesn’t wane, and may even improve, it then goes against that grain to introduce this kind of mistrusting software.”

In this vein, Emm’s immediate hope is that the trend is short-lived, and that the initial panicked reaction was simply, well, panic.

“There simply needs to be better communication about why decision-makers were fearful of the working-from-home trend,” he says. “It can’t just be mistrust of the person and must to some extent be around the security of their operations, data, productivity and even their devices. Maybe there was an element of wanting to make sure they were being used properly.

“And there’s a logic to that. There is absolutely a need to track internet security software, to manage updates of systems and applications, to retain control over authorisations. That all makes sense.

“But to go those extra steps and tap into documents, work patterns, cameras, locations and the like, just puts those other significant elements in harm’s way, as people veer towards shadow IT instead.”

An HR misstep en route to a security threat

Emm also dissects the human resources (HR) side of this equation. “It all seems counterproductive, with cyber security just being a significant fallout from the potentially dangerous relationship dynamic being formed,” he says. “Through this monitoring software, employers apparently want a better grasp and real-time view of what’s going on. And, as a result, they are likely to lose contact, trust and even maybe workers, as they go off-piste, or out the door.”

And this latter prediction isn’t over dramatic. A total of 31% of those surveyed, who had worked from home long-term, confirmed that they were likely to leave a current job to avoid such levels of surveillance.

Creating an HR nightmare en route to destabilising the security network is a baffling concept to both Kaspersky’s Emm and Chris Parke, CEO of Talking Talent – a coaching consultancy that helps organisations to build more inclusive, equitable, opportunity-filled work cultures.

Parke says: “I’m a firm believer that if you set really clear targets and parameters, then it doesn’t really matter how someone gets their work done. I thought, and still do think, that this was a concept that executives were coming around to as well, following the year or two we’ve had. It makes these statistics all the more surprising.”

Parke stresses that trust needs to flow both ways, and that this move creates a sizeable dam between that flow.

“It takes a long time to build, but is very easy to break,” he says. “We’ve seen so many thought leadership pieces and statistics showing that productivity is actually increasing as a result of working from home. And to then display such a level of mistrust in the face of that positive leaning, hits even harder. It’s no surprise to hear that people would see that as a definitive moment for their long-term prospects with a company.

“And that’s just one implication. In tandem with these productivity statistics, there has been so much talk about cyber threats during the pandemic. So, to put that aspect in even more jeopardy as well, makes no sense to me.”

A short-lived panic?

A Deloitte study recently revealed that more than half a million people around the world were affected by breaches between February and May 2020 alone, and the results of Kaspersky’s study hopefully reiterate that a defence against this threat should not revolve around mollycoddling, more intense scrutiny, and taking a stranglehold through digital surveillance.

“If anything, we’ve seen this is likely to have the opposite effect,” says Emm. “The risk of shadow IT is clearly increased when monitoring software, or even the threat of it, is introduced. My hope looking forward is to find that this penny has dropped and the panic around productivity was short-lived.

“Visibility into technology is different to visibility around a person. And that’s where I believe the line needs to be drawn. Optimum security is being able to track a system’s trajectory, while putting trust in your training and HR so that people can work with those systems autonomously.”

Read more on Endpoint security