With the removal of most of the Covid restrictions in England, many hoped that business life would start to return to something approaching the pre-pandemic normal. But, and it’s a big but, it’s not obvious how the authorities now expect us to behave. With ministers concerned about rising hospitalisations, we are seeing a massive fudge, with the government saying it wants us to go back to work “cautiously.” Even though it’s no longer a legal requirement, it expects us to wear masks anywhere that’s crowded, including shops, while also suggesting that vaccine passports are going to be required for entry into quite a few places.
Although many company owners were hopeful that their staff would be able to return en masse to the office, there is clearly a huge divergence of opinion. On the one hand, we have Tui telling its employees that one day a month is sufficient, while on the other JP Morgan expects that its staff will turn up to the office every day. At the other extreme, more pessimistic souls even think that the combination of global warming and WFH means our cities are being left to die
Leaving the politics on one side (do I hear sighs of relief?), while it’s great for some, WFH is clearly not a universal get-out-of-jail-free card. The mental health problems are well documented, but perhaps less attention is being paid to the potential risks to business security.
Over the course of the pandemic, as we all hunkered down and got used to the intermittency of Zoom and Teams, CSOs across the world were getting increasingly worried. Not for nothing has Covid been described as the biggest threat to cyber security that we’re seen. Interpol, who you would think know what they are talking about, sum it up well, telling us, “Cybercriminals are attacking the computer networks and systems of individuals, businesses and even global organizations at a time when cyber defences might be lowered due to the shift of focus to the health crisis.”
The move to remote work has had major implications for those in charge of cyber security. For many, it involved unplanned cloud migrations and swift procurement of IT products and services to accommodate the newly remote landscape. Unfortunately, in the effort to keep their business operations running, many companies rushed things or even side-stepped them entirely, creating new levels of vulnerability and risk. As work was distributed far and wide, into kitchens, garden sheds, living rooms and bedrooms, employees working from home became a much greater security risk than they had been when all working together in their offices.
Obviously, home connections are generally less secure. Removed from the immediate context of an office, threats such as phishing and ransomware can more easily evade corporate defences, or even just the simple question of a colleague, “can you have a look at this please, it seems a bit dodgy.” A recent report suggests that phishing emails have increased by 600% since February this year.
Then there is the proliferation of online tools, “solutions,” and services for collaboration and productivity. These tend to have the bare minimum of security default settings, while updates from third-party vendors can change security preferences and easily be overlooked.
For those of us working from home, the major problems have been actually getting on with our work. It’s no surprise, therefore, that according to a report by Velocity Smart Technology 70% of remote workers say they have experienced IT issues related to WFH, with 54% waiting up to three hours to get their problem resolved. Herein lies a large part of the problem. The toxic mix of anger and confusion at the user’s end, combined with variable standards and knowledge, weakens our defences. Any software your company operates is only as good as its weakest link and frequently those links are human ones. Meanwhile, the cybercriminals are circling this morass of unsecure and easily accessed software like vultures spotting an enormous herd of dehydrated cattle.
In response, senior management must recognise the three realities of cybersecurity in a distributed environment, namely:
a) the growth and virtualisation of the workforce (i.e. WFH) are opening more and more doors for cyber criminals.
b) cyber risk does not have a defined endpoint – the criminals are always one step ahead.
c) as noted above, human beings are the weakest link in any organisation’s security.
Just a couple of examples illustrate some of the dangers. Before the pandemic, any test phishing message was often ignored by managers because they were aware that corporate IT was ramping up fraud detection. Today, however, the same employees working remotely show a higher propensity to click on phishing emails. Similarly, ransomware more easily evades your defences in a WFH setting, because when employees find their connection to the company is blocked they find it more difficult to get hold of IT support for help. With trust levels generally lower while WFH, it just takes one employee to think he or she has done something wrong, be reluctant to seek help and then make a fatal error, letting in the crooks.
To make matters worse, CISCO’s Benchmark Report 2020 suggests that companies struggle to manage remote workers’ business use of their own smart phones and mobile devices, with 52% of respondents saying mobile devices are a major challenge when it comes to cyber security. By blurring the lines between personal and professional life, there is yet another avenue by which sensitive information might fall into an insecure environment.
As we move into the new, fudged “normal,” with thousands still working remotely, at least part of the time, a first-class CSO (Chief Security Officer) and up-to-date security training are no longer a “nice to have” for businesses. And in addition to hiring that CSO and training employees to spot phishing emails, scareware and other threats, companies need to invest in a robust, integrated suite of cybersecurity solutions that prevent, detect and mitigate ransomware and other cybersecurity threats. It’s not easy, but it is vital. Your company’s future will depend on IT.
Adam Bahadur, Director, Cedar Cyber