Cybersecurity In a Work from Home Environment
Employees are starting to come back to work as countries start to ease COVID-19-caused lockdowns and lift stay-at-home rules. But as the pandemic rages on, many businesses are choosing to keep some of their employees working from home for the next 12 to 18 months, and maybe even for the rest of their lives. Facebook is allowing its employees to work from home for good. Shopify, a Canadian e-commerce platform, says it will be “digital by default.”
Organizations have moved quickly to semi-remote working arrangements, so they need to be quick to deal with the cyber risks that come with the increased “attack surfaces” that come with “work anywhere” operating models.
The cybersecurity risks of working in a virtual environment have changed, so organizations need to learn about these changes and change their strategies, training, and exercises to deal with these changes, so they can deal with the new risks. In other words, the good results of the rapid shift to “work from home” may not last in the long run.
The new normal
In the spirit of “never letting a good crisis go to waste,” organizations will and should quickly change how they work. A new, likely semi-remote work environment has cybersecurity risks because of five main factors. Organizations should think about these things when they decide how to change their cybersecurity risk programs.
- There are more and more cyberattacks. A lot more hackers have been trying to get into businesses because of the COVID-19 outbreak, as well as because COVID-19-related events have kept people from paying attention to their work. The FBI is getting 3,000 to 4,000 cybersecurity complaints a day, which is a lot more than before the pandemic. There are still a lot of hackers out there who are trying to get into industries like health care, manufacturing, financial services, and public sector organizations like the World Health Organization. Banks are now having to fight off nearly three times as many cyberattacks as they used to. Cybercriminals flood employees’ inboxes with COVID-19-related phishing emails, often attaching seemingly harmless files that are meant to fool people into downloading malware.
- Changes in attack surfaces. The move to new teleworking infrastructure and processes could lead to the unnoticed use of flaws in existing remote work tools. In both the United States and the United Kingdom, security agencies have warned that cyber criminals are getting more and more interested in targeting people and businesses with malware. There are also more cyber risks from business partners and other third parties. It’s hard enough to prepare for a semi-remote work environment on your own, but it’s even more difficult to make sure that vendors, from IT service providers to business process outsourcing firms to law firms, are ready.
- People who aren’t working. This is true for a lot of the successful cyberattacks that happen, including an estimated 90% of them in the UK this year. Cyberthreats and “social engineering” cyberattacks are becoming more common because employees are more stressed about their personal and financial lives at home. As homebound employees become less careful about their cyber hygiene, the number of successful attacks that happen because of human error may go up even more.
- Staff shortages that were not expected. There are a lot of employees who call in sick or take time off to care for their families, which makes it even more difficult for businesses and organizations to respond quickly and effectively to cyberthreats. Many people who worked from home before the pandemic now have to deal with forced isolation, loneliness, limited privacy, and new responsibilities for their children’s schooling and care at home, which makes them less productive. 11 percent of professional and office workers and 17 percent of industrial and manual service workers say they’ve been less productive since the coronavirus outbreak started, according to self-reported data in the United States. This is true across all industries.
- A lot of stress in one place. Security teams are working in a new situation where they have to deal with a lot of different problems at the same time. Each one needs a lot of attention from cybersecurity and management teams. COVID-19-related problems will be the baseline for the next few years. Organizations still have to deal with other crises and stress events, like hurricanes, forest fires, or mass protests in the United States.
Assess how your cybersecurity risk has changed over time.
It’s important to keep an eye on how cybersecurity risks change as businesses adapt to new ways of working. This way, the risks can be actively managed, prioritized, and reduced.
The number of places where attacks can happen because of workplaces that are far away is growing. Bad people can record private customer information that customer service workers share with each other when they answer service calls on their mobile phones at home, rather than in call centers that are well-protected. It’s possible that new technologies and digital products quickly deployed to meet customer needs during the pandemic could inadvertently introduce new threats. This could happen with customer service chatbots and Paycheck Protection Program apps. Remote working operations by vendors and customers who are connected to each other add to the risk of an organization. Cybersecurity teams are now forced to mobilize and coordinate teams of people from different fields from afar in order to stop threats that could be very difficult to stop.
Change your Cyber Strategy.
People who work for a company’s risk management, business, and security teams should work together to rethink cybersecurity budgets and put money where it will have the most impact.
Make changes to existing cyber risk guidelines, requirements, and controls on how employees access data and communicate with a company’s network as soon as possible, such as revising existing cyber risk guidelines, requirements, and controls. The rules for behavior analytics need to be changed to account for changes in the “normal” behavior of employees, many of whom now work outside of normal business hours. This way, security teams can better focus their investigations.
Then, look at new security tools and rules for sharing and keeping private information with vendors. Among other things, some businesses may need to put in place more robust data loss controls, traffic analysis tools, and access controls. Make sure that vendors who aren’t ready for a rise in cyberattacks agree to make plans for how to handle information or work with your network safely.
If you want to improve your technology and security infrastructure, look at what changes you can make now, even if these changes may take years to make. Some businesses may want to speed up their cloud strategies so that their IT resources can quickly meet demand spikes from a lot of remote work quickly, so that they can keep up. Investing in automation and advanced analytics, for example, can make security processes more efficient. Bringing more discipline to cyber-related data, reducing the number of monitoring and security tools, and focusing cybersecurity teams on the areas that are most at risk are also common changes.
Finally, set up ways to see how your security program changes reduce cybersecurity risks after each one is put into place. This is not a one-time thing. Organizations need to be flexible to hit a moving target.
Cyber training and exercises should be stepped up.
It’s time to rethink your cyber awareness programs so that you can better measure, track, and improve the cyber risk culture of employees, management teams, and cybersecurity professionals in the new cyber world. Everyone should be told about new cyber threats and reminded of their role in preventing, spotting and dealing with cyberattacks in a way that is effective.
Design role-based training programs and exercises to make people aware of the new and changed cyber risks that come with more people working from home. Training programs should cover new threats, rules for how to use devices and data, and how to report possible cyber incidents.
Management teams should do walk-throughs and simulations of new cyberattack scenarios armed with playbooks that give clear instructions on what to do and when to escalate decisions. In the future, cybersecurity, technology, and business teams should think about these scenarios when they play cyber war games and simulations. This will help them be ready for future large-scale crises. By doing this, teams can figure out where they need to improve in order to respond to cyberattacks effectively.
People and businesses are living in a real-life multi-stress environment as the pandemic spreads. Organizations are dealing with cyberattacks and many other COVID-19-related problems as the pandemic grows. As a result of the pandemic, many things have changed about how people work. These changes will last long after the pandemic is over. Organizations will, and should, use what they’ve learned from the current crisis to design and implement a new operating model that allows workers to work from home more often. To do that safely, businesses need to know how their cyber risk profiles have changed. They also need to change their strategies, training, and exercises to deal with threats and keep risks low.