As Remote Work Continues, Companies Fret Over How to Monitor Employees’ Data Handling

Workers can record meetings, copy documents, or share corporate devices with family members without employer consent

Corporate cybersecurity teams had to reconfigure how they monitor suspicious behavior on corporate networks and detect abnormal logins from employee accounts, after many workers began to work remotely this spring.

Photo: Joe Giddens/Zuma Press

Corporate cybersecurity leaders are concerned that it may be easier for employees to expose data or create openings for hackers while working remotely during the pandemic. But companies have limited capabilities to monitor certain violations of data policies.

Lockdown requirements sent employees home this spring, leaving cybersecurity teams to reconfigure how they monitor suspicious behavior on corporate networks and detect abnormal logins from employee accounts. Many companies anticipate a prolonged period of remote work or a combination of office and remote work, and security chiefs are starting to apply new data policies and technologies to weed out bad behavior.

Security teams often have no way of knowing if employees, for instance, are recording conference calls or are sharing corporate devices with family members, said Troels Oerting, chairman of the advisory board at the World Economic Forum’s Center for Cybersecurity.

香蕉视频苹果下载Another scenario: employees might take photographs of sensitive documents, he said.

“You have a risk and you can’t do anything about it,” he said.

香蕉视频苹果下载Employers worry that workers may be more likely to ignore rules or take shortcuts when they work from home and lose touch with some reminders of corporate policies.

香蕉视频苹果下载“People are very sensitive to context cues from their environment,” said Margaret Cunningham, a psychologist and principal research scientist at cybersecurity firm Forcepoint LLC.

Some employees normally work in secure rooms, she said, where they feel reminded about rules for handling especially sensitive or classified data, she said. “That has a very different feeling than walking into a living room.”

香蕉视频苹果下载“The potential [for] human error increases when you don’t have all your colleagues around you,” said Carolyn Dittmeier, who serves on the boards of Illycaffè North America Inc. and chocolate maker Ferrero International SA and is chairman of the audit committee of Italy-based insurance firm Generali Group.

香蕉视频苹果下载Distracted workers also may be more likely to fall for common scams.

At one of Ms. Dittmeier’s companies, an employee earlier this year transferred more than €1 million ($1.1 million) to a fraudulent account after someone sent an invoice impersonating a supplier and requested an overdue payment. The audit committee discussed the incident and the company started a fraud investigation. Ms. Dittmeier declined to name the company.

Employees can pose cybersecurity risks through mistakes or deliberate attempts to cause harm to a company. Forty-five percent of people working remotely said their companies provided no special training on securing devices at home, according to a survey from International Business Machines Corp. Forty-two percent said they handle personal identifiable information such as Social Security numbers or financial data in their job.

Equifax Inc.香蕉视频苹果下载 uses behavioral analytics software on employees’ devices to understand how they work and identify activity that seems abnormal, said Jamil Farshchi, its chief information security officer.

The company’s security team needed to adjust how it views normal behavior when employees started to work from home and adopt different work patterns. The security team initially received a higher volume of alerts about abnormal activity, he said.

The tool might send an alert about abnormal behavior such as if an employee typically starts work at 5:30 a.m. but logs on at 10 a.m. one day, he said.

香蕉视频苹果下载“I don’t know what standard looks like anymore. That’s the additional challenge organizations face because it’s just a lot of unknown,” Mr. Farshchi said.

Behavioral analytics tools can help companies identify problems that might create an opening for hackers, but security teams sometimes focus too much on what the technology reports and don’t consider employees’ specific roles, projects and lifestyles that affect how they use applications or browse online, said David Ferbrache, global head of the cyber futures unit that addresses emerging technologies at KPMG International.

As companies anticipate a prolonged period of remote work, they are tightening security policies, Mr. Oerting said. Some are specifying where employees can work if they aren’t at home, since Wi-Fi networks at local pubs or vacation homes may present new security risks, he said. Companies are also fine-tuning what data workers can access remotely, he said.

Security chiefs must balance surveillance with what monitoring employees will find acceptable, Mr. Oerting said.

Ohio State University is creating a system that would spot behavior that is a potential cybersecurity risk.

Photo: Matthew Hatcher/Getty Images

Ohio State University is in the process of implementing enhanced security measures for a small group of employees who handle sensitive information or could be a particular risk if they were targeted by hackers, said Chief Information Security Officer Helen Patton.

香蕉视频苹果下载The initiative could help spot behavior that might create cybersecurity risks and intervene when there are problems.

She declined to provide details on the technology but said that faculty, administrators, students and other groups were involved in the decision to use it.

香蕉视频苹果下载“Having a program like this will only work if the organization has a huge amount of trust in the security teams,” she said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8