If 2020 has shown us anything, it’s that organisations need to be ready to face challenges beyond what they’ve considered in their risk assessments. The coronavirus pandemic has presented businesses with a challenge – adapt or fail.
As we’ve seen with several famous High Street retailers, the pandemic has exacerbated problems that businesses have been struggling with for years. Suddenly, that digital transformation project that was years in the making needed to be fast-tracked, as businesses watched their digitally-savvy and digital-native competitors thrive. And when push came to shove, they succeeded, when before it would have ended in debate.
Alongside this has been a long-held reluctance to embrace virtual working. How can teams collaborate when people work from home? How do you manage a remote team? And how do you do all this securely? When challenged, the key was to send everyone home as quickly as possible, as efficiently as possible – but we forgot to say as securely as possible.
Cybersecurity threats during the pandemic
Cybersecurity has been the biggest challenge in this new world. Our research has found that half of businesses we asked have seen an increase in cyber-attacks and data fraud since the start of the pandemic.
Worryingly, according to the Unisys Security 2020 Index, people in the UK were less worried about online threats such as viruses and hacking in 2020 than they were in 2019 (41% in 2019, to 31% in 2020). Perhaps their priorities changed this year, but that opens a door to cybercriminals.
Unisys identified three kinds of cyber-attacks that spiked in 2020. We’re more vulnerable to both large-scale phishing and spear-phishing now that so many of us work from home, and the line between home and work is blurred. Vishing – where attackers use voice or video to provide ‘proof’ that their fraud attempt is, in fact, genuine – is also becoming more of a problem now that many of us rely on these tools to communicate with our colleagues and friends.
Naturally, coronavirus-themed attacks have been on the rise. Back in May, Google said it was blocking more than 240 million COVID-19-related spam messages a day.
While lockdowns have seen governments try to reduce R0 of the disease, organisations have found their digital R0 rising as cyber threats and infection numbers rise.
The risks to corporate security
Most employees won’t have the same level of IT security at home as they did in the office. For now, the new way of working has created a vulnerable point that hackers can exploit. Employees need to start thinking of their homes as an extension of their offices, at least in security terms.
Simple steps like changing the default home network password and regular software and patch updates – things that fall outside of corporate control when an employee works from home – will significantly help. Even things like rebooting a home router every 30 or so days is a step towards a more secure home IT setup.
Both businesses and individuals need to know their IT weak points. VPNs, for example, aren’t always properly secured or the most secure form of connection to the corporate network. The innovators use microsegmented zero trust solutions. Then there’s home wifi, inherently less secure than a work system. Easy-to-crack passwords, shared computers and unprotected smart devices create headaches for the IT team. How many people at home realise, for example, that a device connecting to the network might store their network password in plain text?
Human error has long-been the biggest risk to corporate IT security, and it gets far worse we’re working from home. Our guard is down, making it easier for scammers to trick us, and it’s harder when you’re sitting on your own at home to ask for advice.
How can businesses mitigate the risk?
Organisations can help reduce the risk that virtual working poses in a number of ways. For example, ensure employees use secure SDP connections to access and the corporate network.
Firewalls and antivirus protection are a must for home users, but also increase the company’s security level to high and enable logging for employees in areas with known security issues.
Businesses in high-risk industries should implement data loss prevention (DLP) at a wide range, especially for the most sensitive data, and encrypt all sensitive data (including emails) at rest and in transit.
Tell employees to avoid using public wifi and to turn off the “auto-connect” function to avoid the risk of using unsecured networks. It’s equally important to educate employees about the importance of protecting company assets like laptops and hotspots. Lastly, instruct employees, contractors and suppliers to use a shorter-than-normal timeframe on their device screen locks and to avoid leaving logged-in devices unattended.
These simple steps will go a long way to mitigating the cybersecurity risks of working from home.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.