Aside from Twitter announcing that its staff can now work from home indefinitely, post pandemic, a recent survey revealed that 84% of business decision makers will follow suit. But, one aspect of this ‘new normal’ in business operations that remains comparatively unresolved, is the place of cyber security.
An increase in attacks
Of course, cyber security has always been a staple of business technology, but, during COVID-19 the quantity of recent cyber attacks facing organisations has increased significantly. Existing levels of investment in cyber defences cannot keep up, and many businesses have been forced to cut their IT or security budgets in order to cope with financial restrictions as a result of COVID-19.
Although we must appreciate that the financial turmoil caused by the pandemic has forced many companies’ hands in cutting these budgets, the cyber threat landscape has grown to a point where it now warrants priority.
Whilst businesses struggle to remain buoyant against the COVID-19 tide, it’s been just ‘another day in the office’ for cyber criminals. The wave of remote workers has emboldened cyber attackers’ attempts as well as increasing the windows of opportunity for cyber crime. There are now millions of workers who are operating from their own home, which throws up a number of security concerns:
Lack of training
The urgency of COVID-19 meant many businesses had to implement a brand new company culture and operation initiative over a matter of days. Thus, thousands of workers were thrown in at the deep end, with no formal training or debrief on how best to translate normal working behaviour and conditions in their own home.
They may be facing a barrage of cyber scams, which, to the untrained eye, would appear completely legitimate. Similarly, safe internet practice is imperative at all times, especially in a professional capacity. However, many thousands of workers will be completely unaware of how best to remain secure when operating in a remote environment.
Home devices
A key issue when it comes to remote working, is that many employees will utilise personal devices in a professional capacity. This may be because many companies cannot afford to invest thousands in brand new devices, or because the employees themselves find it easier to operate partly on home devices, whilst in the confines of their homes.
This can be problematic. Not only are personal devices unlikely to be equipped with proper cyber security defences, and there is a high-chance that multiple people either use the device in a given household, or are aware of the password to access it. A simple mis-click or careless action could compromise an unquantifiable amount of sensitive company, client or even employee information, which could in-turn lead to drastic issues for the employee or business in question.
Furthermore, many homes in the UK are filled with smart devices and Internet of Things (IoT) gadgets, which sometimes aren’t even password protected and can be completely unsecure. It is possible for criminals to hack into these devices (ranging from baby monitors to smart cameras) and steal sensitive information such as personally identifiable details or log-in credentials. With people now working from home on a consistent basis, it could be in a cyber criminal’s interest to target IoT devices as a gateway for corporate hacking and other cyberattacks.
Unsecured home network
Possibly, the main security issue with working from home is that most employees will be using a personal network to operate online. This means they are no longer protected by an all-surrounding corporate firewall. For the most part, the next best method of securing one’s network would be with a virtual private network (VPN).
There has been a surge in demand for VPNs since the start of COVID-19, and for good reason: if a remote worker is operating from a home environment with no VPN, no firewalls, and no other form of network security, hackers could make easy work of breaking into a personal network.
Compounding the issue, recent research found that thousands of home Wi-Fi routers across the UK are still susceptible to security issues, as a result of outdated software and weak passwords, for example.
Furthermore, the popularity of cloud-sharing technology, means a breach is no longer contained to just one device. Correctly hacking the right device or obtaining the right credentials could open the doors to every single piece of information stored on a company’s server, including passwords and payment details.
The increasing risk…
Recent research from Centrify noted a significant rise in the number of cyber assaults facing organisations since the COVID-19 outbreak in the UK. We found that that nearly three-quarters of business decision makers (71%) believe that the shift to 100% remote working during the COVID-19 crisis has increased the likelihood of a cyber breach.
What’s more, the polling also revealed that 46% have already noted an increase in phishing attacks since implementing a policy of widespread remote working; business decision makers also fear that IT systems are now at increased risk, with over half (56%) saying they believe that privileged IT admin remote access is at risk of a security breach.
How to defend against it…
Multi-factor authentication
Improving password security is the first, the easiest, and the most important step in securing your data and devices. This includes using random, strong, and unique passwords for all accounts.
It also means enabling multi-factor authentication. Essentially, what this means is that access requests require additional identifying factors to be input before a user is allowed access. This will typically require a username and password, as well as inputting a code sent to a mobile device via text, using a separate hardware card or key, or even using biometrics such as facial recognition or a fingerprint scan on a smartphone.
The reason multi-factor authentication is so effective is because hackers will require much more than base-level identifying information to gain access to your information. This will reduce your chance of being hacked exponentially.
Privileged access management
With workforces spread across the country, it is harder than ever for IT managers to verify who exactly is gaining access to their company servers. With minimal security measures in place, all it would take is a stolen device or remotely hacked account for a cyber attacker to assume the guise of a legitimate remote worker and seize all the information available to them.
This is even more important when it comes to securing access for those IT administrators themselves, who often have privileged access to critical infrastructure and sensitive data, which may be outsourced or third-parties. Combatting this concern requires introducing a privileged access management (PAM) solution to ensure the accessor is verified, they are accessing from a clean source, and are only allowed the least amount of privilege and access required to do a certain task.
During remote working, and based on the above information, the only way to ensure a company remains secure, is to assume that hackers have already gained access. Organisations should adopt a posture of ‘zero trust’ which means no one is to be trusted, and every access request is to be verified. Then the task focuses on how to limit the movements of those who are already inside, provide only the very least amount of privilege, and ensure no sensitive information can be leaked.
Cyber security and training
Finally, cyber security procedures, such as introducing a private secured network, such as a VPN, alongside a personal network must be implemented for remote workers, especially if the shift to home-working is for the long-term. This network should be protected with the relevant firewalls, so that external hackers can not gain access.
Training procedures via web conferencing should also be continued, even after social distancing measures are lifted. This will ensure employees are constantly instilled with up to date security best-practice training and are aware of how to operate safely in a remote environment. This should include frequent testing, such as sending test phishing emails to employees to see who acts upon them.
Some very brief examples of this would be: never share confidential information between professional and personal devices; never follow suspicious links or input information into a website unless you are absolutely sure it is secure, and, never reveal sensitive information with colleagues via email, or over an unsecured network or conference call.
Cyber attacks will always target businesses where they can extract valuable customer or corporate data. At the moment, the cyber-threatscape is at an all-time high. However, as more employees learn and follow security procedures, and remote work becomes more secure as an extension of the traditional workplace experience, we should see the quantity of successful cyber breaches slowly diminish.
Until then, it’s essential that all employees and organisations educate themselves on how best to operate safely when working from a remote environment, and organisations put policies, processes, and solutions in place to protect what matters most: their systems and data.