X

The changing role of IT and security

Navigating remote work cyber security threats

Whilst challenging, the pandemic and the subsequent lockdowns have led to businesses re-evaluating their Cybersecurity given the potential security threats that have arisen from remote working. 

One of the lessons we have learned from the current situation is that, even during a crisis, criminal activity continues and, often, increases.  The current crisis, while devastating to many businesses and individuals alike, presents an enhanced opportunity for those with malicious intentions – and data indicates that they are taking increasing advantage of any identified weaknesses. 

The sudden and dramatic shift to remote working removes some of the controls that businesses would normally rely upon leaving new vulnerabilities which will be utilised by cyber criminals. To make things a little more complicated, there are also legal challenges to consider, in the form of the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and other regulatory policies.

It is down to CIOs and other C-Suite executives to deal with these issues every day at both a strategic and granular level. The good news is that there are solutions and strategies that are proven to help combat these challenges.

Overcoming the vulnerabilities of a remote workforce

The pandemic forced entire companies to shift to remote working almost overnight, placing an inordinate amount of pressure on IT teams to keep their colleagues working effectively and able to access the technology they require to be productive. 

One of the potential security issues which has arisen from this move is the apparent temptation faced by employees to move away from the technology products they should be using, to unknown and unauthorised products. Being able to track what technology has been adopted (potentially funded via a credit card) is a key control for IT to both protect the security of data and also ensure that any regulatory requirements are respected. 

The surge in demand for desktops and laptops by companies trying to accommodate their employees at home, came at the exact time that the supply chain was struggling due to China’s manufacturing industry having slowed down significantly months before. That has resulted in vendors and retailers being unable to keep up with demand and employees being forced to use their own computers.

On top of this, if you are allowing staff to connect from their own computers, a whole new wave of problems appears. The average personal computer does not have the security settings, the antivirus software, and all the other security applications that you would normally expect to have in an enterprise environment. You could be allowing people to introduce malware to your network or download confidential and GDPR-protected information to an unencrypted, insecure device. If an employee’s personal device or computer is compromised, the company has lost control of its data and not only face the risk of data theft but also could find the company is in breach of data regulations.

Cyber criminals are getting savvier 

One of the biggest risks right now is business email compromise (BEC) – an attack which includes the use of ransomware and phishing to extract money from a firm. There has been a notable switch in criminal strategy. They have gone from trying to install ransomware on somebody’s home computer to force a ransom, to instead targeting businesses and enterprises. There are two common approaches: taking the ransomware route to lock up the business’ systems and stop them from functioning or threatening to post confidential information on a public site. 

There has also been a spike in phishing attacks, in an attempt to take advantage of the prolonged uncertainty remote workers are dealing with. Phishing of this nature uses emails and texts to collect personal information and the start of the crisis coincided with a sixfold increase in phishing attacks

The move to remote working and the complication of multiple devices and locations is also raising the important questions related to software licensing. Are you licensed for the apps that people are using at home, or are you licensed on their computer in the office and on their computer at home? Several businesses are now having to buy thousands of additional software licenses so that employees can work on more than one computer, at a time when cost optimisation is extremely important.

One of the related threats to businesses is running afoul of regulatory data privacy protections like GDPR and CCPA, among others. Given the current state of things, it is unlikely that a regulator would currently be hunting for companies that might be improperly managing employee and customer data. It appears regulators are largely being more lenient at this stage while companies are busy just trying to survive. Whilst it is reasonably to consider that, for a time, this will continue, there will come a time when we see a return to enforcement and, in the meantime, there is no guarantee that regulators will not review issues that come up as a result of a data breach or loss. 

How to stay ahead of security threats

It’s always important to reinforce the best security practices to your workforce, but it is especially important when your employees are out of their normal routines. Here are some of the steps that companies should take to protect employees and the business from potential threat:

– Employ a zero-trust model of security to ensure every individual verifies their identity using multi-factor authentication. 

– Where at all possible, avoid employees using insecure home computers for work purposes. If this is unavoidable, ensure you have got appropriate measures and resources in place to minimise risks, such as shifting to cloud applications to avoid data being saved to personal devices. 

– Build a long-term remote working strategy with security in mind, so that if the worst happens, you’ll be prepared to react quickly. 

– Do not count on VPNs to solve your security problems. If employees use the internet while not connected to the VPN, they are reliant on the endpoint security and at that point the VPN offers no security benefit. 

– Implement phishing training for your employees with simulated phishing attacks which rather than delivering a malicious payload, deliver training. That way only those who need the training end up have to take it.  

Proactivity is crucial 

The most security aware and technologically advanced companies are implementing a number of security measures – including moving to zero-trust security models, two-factor authentication, and training employees to identify phishing scams. They are building greater visibility of what software and other technologies their employees are using, along with identifying wasted spend and potential licensing and regulatory violations they are exposing themselves to. Especially during this uncertain time, it’s essential that every organisation acknowledges their security stance and prepare for worst case cybersecurity scenarios that might only arise from a disparate office structure. It’s likely that our ‘new normal’ will include a higher percentage of remote work, which means that IT and security teams – and their colleagues across the organisation – need to remain vigilant.

Alastair Pooley