As lockdown restrictions continue to ease across the UK, businesses are starting to consider a return to work, at least part time. But this creates a new situation for many firms: a hybrid working environment that spans work and home, and with it significant cyber security risks.
When COVID-19 lockdown first hit the UK in March, businesses had to quickly adapt at scale. But cyber-criminals also adapted to this new environment, sending targeted phishing emails and text scams en masse.
In April, Google said it saw more than 18 million daily malware and phishing emails related to COVID-19 in just one week. By May, over £800,000 had been lost to coronavirus scams, according to reports made to the National Fraud Intelligence Bureau.
Phishing is often a route to distributing ransomware — a form of malware that encrypts business data until a ransom is paid. In April, Interpol’s Cybercrime Threat Response said it had detected a “significant increase” in the number of attempted ransomware attacks against key organisations around the world.
And more recently, the alleged ransomware assault that hit tech company Garmin has shown how easily a cyber-attack can bring business operations to a halt, impacting customer perceptions and ultimately, a firm’s reputation.
During COVID-19, the reputational damage caused by a breach can be even worse. Spare a thought for beleaguered airline EasyJet, which in May, admitted it had been hacked in a “highly sophisticated cyber-attack” earlier in the year.
So, how do security leaders avoid the risks that can ultimately damage their company when the workforce exists between work and home?
Recognising the Risks
It’s first important to recognise the challenges that have already emerged in the work from home environment. With employees already under pressure during the last few months of the COVID-19 pandemic, businesses have been reluctant to burden them further.
This means that in many cases cyber security training has fallen by the wayside, a major problem given how common phishing attacks have been during COVID-19.
Meanwhile, many firms have failed to revise their policies in line with this suddenly-changed working environment, adding further risk.
Without the in-office channels they are used to for checking a request (a colleague at the next desk, a quick word with finance), employees are more likely to fall for phishing attempts and in some cases unwittingly give away valuable business credentials, or even open the door to a ransomware attack.
Three Cyber Security Scenarios
The COVID-19 hybrid working environment adds challenges spanning three scenarios: Bring Your Own Device (BYOD), working from home, and working from the office.
The BYOD trend has been happening for years, and businesses are learning to deal with it via policies and tools such as mobile device management. But cyber security during the pandemic opens up even more avenues of risk.
Employees are taking work laptops home, or they may be using their own hardware to connect to the business network. They may, or may not, be using a virtual private network (VPN).
At the same time, companies will be encouraging the use of collaboration software to stay connected as employees exist between home and the office. This can mean employees downloading apps such as Microsoft Teams on their phones, or using unapproved apps to make themselves more efficient — all without IT’s knowledge.
Working from home also brings sociological and administrative changes. There is often more than one person in the household, and business data on a screen is visible to anyone who walks into the room.
Walking away without locking the computer is all too common; at home it means sensitive business information can be read, or acted on, by another household member or a visitor.
Home routers are another challenge. They are often unpatched and vulnerable to multiple types of attack, such as man-in-the-middle, in which an adversary intercepts and reads network traffic. This is one reason traffic to business systems should go over a VPN rather than relying on the home network.
Working from the office adds further complexity. Is the employee carrying one laptop between work and home? Are they sending sensitive files to another device to work on at home?
In this hybrid environment, traditional perimeter-based security controls, built on the assumption that users and data sit inside the office network, are no longer fit for purpose. The new working “normal” requires an overhauled approach covering cyber security controls and tools, policies and training.
WFH is a Digital Transformation Project, not an IT Project
It’s already clear that cyber security in the COVID era requires a mindset change. Twenty years ago, this working environment wouldn’t have been possible, because the technology wasn’t in place and employees were hardwired into internal systems. Now, meetings happen via video conference, while cloud services and apps make it easier than ever to download files, collaborate and communicate.
But given that these innovations also add cyber security risks, a sensible approach would be to view working from home as a digital transformation project, rather than an IT project.
Companies need to first look at their policies and provide clear education to employees on what to do and what not to do. As part of this, it’s a good idea to walk through concrete situations: for example, “this printer is a Wi-Fi connected device, here are the risks it poses”, while encouraging basic practices such as patching.
The UK’s National Cyber Security Centre (NCSC) offers solid advice for employees working from home. In a BYOD situation, for example, the NCSC advises businesses to be aware of the risk of devices being lost or stolen. To lessen the threat, it says, ensure devices encrypt data at rest, and check that encryption is actually turned on and configured rather than assumed.
Meanwhile, staff should be using a VPN at home, and the VPN software should be fully patched. Businesses may need to add more licences, capacity or bandwidth if the company has greatly expanded its number of remote users.
Training should also cover how to recognise phishing attempts, how to report issues such as a suspected phishing email or a lost device, and how to keep home and work software and hardware up to date.
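The two NCSC points above (encryption at rest confirmed, VPN client patched) are only useful if someone checks them across the fleet. The script below is an added example, not part of the original article or the NCSC guidance: it audits a device-inventory export of the kind most MDM tools can produce and flags devices that fail either check. The CSV column names, the sample rows and the required VPN release are all constructed assumptions; adapt them to your own MDM export.

```python
"""Audit a constructed MDM inventory export for encryption at rest and VPN client version.

Added example. Column names, sample rows and the required VPN release are assumptions.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export. Column names are an assumption; adapt to your MDM.
SAMPLE_EXPORT = """device_id,owner,ownership,disk_encryption,vpn_client_version,last_seen_network
LT-1001,alice,corporate,enabled,5.2.1,home
LT-1002,bob,byod,disabled,5.2.1,home
LT-1003,carol,corporate,enabled,4.9.0,home
LT-1004,dave,byod,enabled,unknown,office
LT-1005,erin,corporate,unknown,5.2.1,home
"""

# Minimum acceptable VPN client release (assumed value for the example).
REQUIRED_VPN_VERSION = "5.2.1"


@dataclass
class Finding:
    device_id: str
    owner: str
    issue: str


def parse_version(text):
    """Turn '5.2.1' into (5, 2, 1). Anything unparseable returns None, which callers treat as a failure."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def audit_export(csv_text, required_vpn=REQUIRED_VPN_VERSION):
    """Return one Finding per failed check. A device can fail both checks."""
    required = parse_version(required_vpn)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dev, owner = row["device_id"], row["owner"]
        # Encryption must be positively confirmed: "unknown" is a failure, not a pass.
        if row["disk_encryption"].strip().lower() != "enabled":
            findings.append(Finding(dev, owner, "encryption at rest not confirmed"))
        # An unreported or unparseable version is treated the same as an old one.
        version = parse_version(row["vpn_client_version"])
        if version is None or version < required:
            findings.append(Finding(dev, owner, "VPN client below required release"))
    return findings


def summarise(findings):
    """Count devices per issue, the figure a security leader would take to the board."""
    counts = {}
    for finding in findings:
        counts[finding.issue] = counts.get(finding.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.device_id} ({f.owner}): {f.issue}")
    print(summarise(results))
```

The deliberate design choice is that "unknown" fails both checks: an MDM agent that cannot report encryption or client version is exactly the device you cannot vouch for if it is lost on a train.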
Of course, any security overhaul will require buy-in from the board. Security leaders can use examples such as EasyJet and Garmin to demonstrate why a cyber-attack is a danger to the business financially and reputationally, especially during a pandemic.
Overall, it requires a holistic approach involving everyone at the company, covering both work and home environments. With the landscape changing all the time as new threats emerge, cyber security needs to be a constant project, not a tick-box exercise.
Free Cyber Awareness Asset to Help Organisations Return to Work
Cyber Security Awareness for Dummies acts as an indispensable resource for implementing behavioural change and creating a culture of cyber awareness.
In this guide, you will learn:
- What Cyber Security awareness means for your organisation
- How to implement a cyber risk awareness campaign
- The critical role of policies to establish safe baselines
- How to maintain momentum and staff engagement
- 10 Cyber Security awareness best practices