C is the answer

I say A B would be correct if it was a laptop instead of a desktop. They tricked us. Desktops are not a great concern as there are compensating controls like physical security, cctv, censors and so on ..

B. There is no requirement for desktops to be encrypted. Not requiring desktops to be encrypted can pose a significant risk because if a laptop or desktop computer is lost or stolen, the data stored on it can be easily accessed by unauthorized individuals. Encryption helps protect the data even if the physical device falls into the wrong hands. Without encryption, sensitive information could be exposed, potentially leading to data leakage, data breaches, and compliance violations. While the other options also present security risks, such as remote work without proper security measures (Option A), lack of security awareness training (Option C), and outdated security policies (Option D), not encrypting desktops can have more immediate and direct consequences in terms of data leakage.

A. Staff is allowed to work remotely.

B. Desktop encryption is not required. The decision to not encrypt desktops can also pose significant security risks, but it does not immediately increase the risk of a data breach compared to the ability to work remotely. Encryption is an important security measure, but remote work management may have a greater impact when balancing security measures with the flexibility of remote work.

B is correct, security awareness training can educate staff about the risks of data leakage and how to prevent it. However, failing to encrypt desktops leaves data vulnerable to theft, and this risk cannot be fully mitigated without encryption.

B is correct, this is about Data leakage

The answer should be C. I'm trying to understand how B is the answer.