When worldwide lockdowns were imposed almost overnight in March, most employees thought they were leaving their desks behind for just a few weeks. Very few employers and employees would have predicted that six months later they would still be working from home.
Remote working may have been a sudden response which organizations scrambled to organize overnight. However, it looks as though it’s here to stay, with office-based employees likely to be remote working in some form for the foreseeable future. For some, it will be permanent.
As remote working shifts from a temporary solution to a common practice, businesses need to rethink and revisit their cyber risks. Policies and protocols introduced when companies switched to remote working may have sufficed in the short-term, but questions now need to be asked as to whether these are fit for purpose for the long-term.
Work from Wherever?
As lockdown restrictions ease, employees are no longer confined to their homes. Not prepared to commute back into their office just yet, many employees are looking to break the monotony of home working by basing themselves in communal areas such as coffee shops and hotels.
Both private and secure, home WiFi networks haven’t given employers too much cause for concern over the lockdown period. However, if increasing numbers of employees decide to start setting up shop for the day in public spaces, this could create a new set of risks. With open and unsecured networks, coffee shop and hotel public networks are hot spots for hackers. Criminals are able to exploit the unsecured and unencrypted nature of these networks to access sensitive and confidential data.
The risks presented by public spaces are not limited to the internet. While cyber criminals are typically leveraging increasingly sophisticated tactics and technology, “old fashioned” approaches such as eavesdropping remain and can still prove effective. Business calls taken in communal environments can therefore pose a significant risk to data security and privacy, exposing potentially commercial sensitive information to those within earshot.
Remote working doesn’t have to be confined to the home. However, for those employees opting to base themselves in a public environment from time to time, this needs to come with a recognition of the additional risks this poses. While some public spaces might feel like a home away from home, employees shouldn’t treat them as such. Educating staff on the increased risks of public networks and the importance of subtlety is key if employees are to be entrusted to work from a location of their choice.
Left to Their Own Devices
Bring Your Own Device (BYOD) policies are already known to be somewhat unwieldy to establish and implement, however lockdown has exacerbated the issue. As millions of employees switched to home working, many also decided to make a switch to their home devices for day to day work.
There’s an increased comfort level when it comes to personal phones, laptops and tablets. After all, they are devices we’ve chosen to purchase, use on a more frequent basis, and can often come without the cumbersome security protocols inbuilt into many work devices. However, it’s the absence of these security protocols that makes them a cyber risk. If these devices are compromised, they can provide hackers with an open door into a corporate’s network and data which can be accessed and exploited without IT even noticing.
If employees continue to work from home and rely on personal devices for the foreseeable future, then more robust BYOD policies need to be put in place. Rather than a blanket ban on personal devices, dummy terminals and secure apps can be installed enabling employees to access company data without compromising security. IT can also mandate employees install the latest software on their personal device to patch any bugs or software vulnerabilities that can be exploited by hackers.
A Cultural Void?
To date, discussions around cyber security have predominantly focused on infrastructure, and the risks that software and hardware can pose to businesses. However, the lockdown is forcing businesses to reflect on the “softer,” less tangible risks pose to their business, such as their corporate culture.
Absense of corporate culture during lockdown isn’t just a threat to retention or motivation, it can also pose a threat to cyber security. With employees no longer tethered to the office, there’s an increasing sense of detachment between employees and employers which can be exploited by hackers.
Cyber criminals have been quick off the mark, introducing new phishing scams to capitalize on this detachment, with the Internet Crime Complaint Center at the FBI reporting a 75% increase in daily digital crime since the start of lockdown, according to an article published in August 2020 in the Economist, titled “During the pandemic a digital crimewave has flooded the internet.”
Cyber criminals recognize that formerly in the “old days” of office working, employees could easily ask a colleague for a second pair of eyes on a suspicious email or link. However, now employees are far more independent about trusting their own instincts, which will inevitably lead to some lapses in judgment.
Furthermore, the longer remote working continues, the more new employees are joining organizations with no in-person interaction. How can new employees assess the credibility of emails supposedly sent from finance, IT or teams when the identity of many of these colleagues remain a mystery to new staff?
The need to provide training and communicate with employees over potential security threats is therefore even greater when employees are out of the office. A heightened level of training is also necessary to ensure both new and existing employees are well versed in cyber risks, recognizing that just because you’re out of the office the risks are still present, if not greater.
While all employees should participate in regular cyber-security training, this should go hand in hand with specific training tailored to the needs of individual teams and departments as different areas of the workforce will be subject to varying cyber risks. HR and finance for example sit on a wealth of personal employee data which is frequently the target of email phishing scams. Continued training of critical staff is therefore crucial to educate on the heightened risk now that employees are working remotely and ensure cyber risks remain front of mind while outside the office.
The security of businesses has always been built around the notion of people working together, in the same building, using the same infrastructure. With remote working now set to stay for the mid if not long-term, cyber security needs a fundamental rethink and reshape.
The transition to remote working was sharp and sudden, with many anticipating it lasting just a few weeks, perhaps months at a stretch. However, as we settle into this new environment, now is the time for firms to revisit their cyber security protocols and consider whether any elements were forgotten in the sudden overnight transition to remote working. Businesses should also be looking forwards, considering what the new emerging risks might be as remote working becomes engrained in modern working practices.
Cyber criminals are no doubt devising innovative ways to exploit this new way of working, developing new malware and phishing attempts to directly capitalize on the vulnerabilities and oversights likely to emerge as a result of this shift. Thanks to this constant innovation, the job is never finished when it comes to bolstering cyber security. In this climate, businesses need to ensure they’re constantly anticipating and adapting to the new threats posed by cyber criminals.
Article By: Jeff Norton
Source: Insurance Journal