Exclusive: How remote working is causing major security gaps
UK organisations are facing a growing cybersecurity challenge as remote and hybrid working become standard practice. The number and severity of data breaches continue to rise, revealing major cracks in how British businesses secure sensitive data in less controlled, decentralised environments.
According to Jon Fielding, Managing Director EMEA at Apricorn, this worsening threat landscape isn't just due to a rise in cyberattacks - it's also tied to changes in regulation and an increasing readiness among UK companies to self-report incidents.
"There's definitely a large increase in the number of attacks," Fielding told TechDay. "But as GDPR has played out over the years, there is more awareness of an organisation's obligations within that framework to report breaches."
Fielding observed a notable shift in behaviour: self-reporting has gone up, while third-party reports have declined. This signals growing internal accountability across UK organisations, but it doesn't address the underlying weaknesses - many of which stem from human error and security policies that struggle to keep pace with remote work.
Apricorn's latest UK report paints a worrying picture. Nearly half of UK remote workers surveyed admitted to knowingly putting corporate data at risk. Fielding doesn't believe this is malicious. "People that don't work from home on a regular basis will have a slightly lower security threshold, or security awareness threshold," he explained, "and they're in more relaxed environments."
Compounding this is what Fielding refers to as user friction. When security protocols disrupt productivity, staff often bypass them. "If there are processes in place that actually make working more difficult, people will try and find a way around that," he said. "They want to streamline their workflow."
The report also confirmed that phishing and human error remain the most common breach causes among UK firms. This has prompted many organisations to revisit their training strategies - but Fielding warned that training alone is not enough.
"It's critical to explain not only what employees need to do, but why they need to do it," he said. Without context, engagement suffers. Even with advanced simulations, Fielding acknowledged how convincing some scams can be. "There have been a couple of times where I've almost fallen for something myself."
That's why Fielding insists that technical support must underpin any awareness effort. UK firms must go beyond tick-box training and reinforce it with intelligent safeguards.
The Apricorn study, based on responses from senior UK security professionals, uncovered basic shortcomings.
"58% of respondents said their employees lack the tools or skills to secure data properly," Fielding noted. He argued that simplicity is key: "If a solution is too complicated, staff just won't use it."
To reduce this risk, automation is essential. "If you can take the decision away from the end user and enforce it in technology, that's the best way forward," he said. A prime example: locking USB ports to accept only approved, encrypted devices.
As hybrid models become entrenched across the UK, Bring Your Own Device (BYOD) continues to pose a challenge. Organisations must choose between providing secure company-issued hardware - which comes with a cost - or securing personal devices, often at the expense of user experience.
"It can't be a trusted endpoint unless you do something with it," Fielding said. He cited VPNs and browser-based platforms as common solutions, though they tend to offer limited functionality. He offered an alternative: Apricorn's hardware-encrypted USB devices, which can host a full Windows desktop. "You can boot and run from our device, keeping the local hard drive - and any malware on it - completely offline."
Despite the risks, only 19% of UK organisations in the study require corporate-issued devices with full endpoint controls. Fielding believes cost, complexity, and legacy procurement decisions are holding companies back.
More alarming still, over a third of UK organisations cannot confidently say where their data is stored. "You can't protect what you don't know you have," Fielding warned. "The only way to protect data is to know what data you need to protect - and where it lives."
He advocates for comprehensive data discovery and, ideally, universal encryption. "If you can't protect everything, identify the most critical datasets. But globally, I'd say: protect it all. Then nothing falls through the cracks."
This must go hand in hand with simplification. Fragmented systems and disjointed databases are particularly problematic in the UK's often legacy-heavy tech environments. "If you've got five different products with five different databases that don't talk to each other, you've got a complexity issue," Fielding said. "And complexity creates gaps."
He recommends UK organisations seek interoperable solutions and lean on value-added resellers to streamline their infrastructure. Policies, too, need enforcing - not just writing.
"Having a policy on paper is one thing. Automating and locking it down through technology is what gives you real confidence," he added.
Fielding closed with a reminder that most breaches in the UK are still preventable. Regular patching, changing default passwords, and raising employee awareness go a long way - but encryption remains the last line of defence.
"Wherever you can, encrypt data," he said. "If it gets breached but is properly encrypted, the attacker can't use it."
Finally, he urged UK businesses to take backup seriously. "Keep at least three copies, on two different types of media, with one offline. And yes - those backups should also be encrypted."