Can Cybersecurity Work From Home?
By Mark Gibson, Managing Director of Capito Ltd
Our MD Mark Gibson discusses the security risks of flexible working and how they can be addressed - we would love to hear your feedback.
18 months after the onset of the pandemic, organisations are increasingly exposed to unnecessary security risks compounded in some cases by a new behavioural ‘complacency’ around data security.
This risk is further compounded with the prospect of sloppy practices around information and device management being ‘imported’ back into the working environment, with hybrid working becoming the new norm.
Last year’s overnight mass exodus from the workplace with little warning resulted in many companies sending staff home with poor training around data security, access to core systems and a ‘make do and carry on’ attitude to communicating with customers, partners, and colleagues. Ill-prepared and often without appropriate supporting systems, corners were cut and this was often compounded with reduced investment in training, software security patches, and acceptance of the enhanced threat from increasingly sophisticated Ransomware attacks.
Specifically, many employees working at home for the first time believed they could ‘get away with’ much riskier behaviour away from the direct eyes of “the IT guys”.
As a result, we have seen further data breaches and cyber incidents which have been exacerbated by remote working. Many companies – irrespective of size – have updated business continuity plans, which has resulted in investments in mobile technology, back-up systems and training. However, many have not, either unaware or choosing to turn a blind eye to the increased exposure. Whilst there are many well-publicised ‘hacks’ that have crippled big businesses and government agencies, such as the SEPA Ransomware attack last Christmas, SMEs are particularly vulnerable and exposed and often an easy target. The emergence of widespread home working morphing into hybrid working means the control and logistics of enterprise device management, deployment and security are much harder than when a business only has to focus on controlling a physical work environment.
But it’s much more than just having a robust anti-virus solution. Changing behaviour is key, as is preparing for the potential business continuity impact if a breach does occur (including an incident response partner) on a “not if but when” basis. Home and Hybrid working require employees to rely on technology, and this can expose them to a phalanx of attacks and makes it easier for cyber criminals to exploit insecure devices or trick a naive employee into taking uninformed actions with potentially catastrophic consequences. This is the new norm and we can expect new threats such as IoT (Internet of Things) access points and home networks increasingly being the focus of targeting employees.
More recently a lot of the coverage of the transition to remote work has been focused on the cultural and behavioural changes, mental health and lifestyle impacts. Whilst Cyber Risks might be less ‘sexy’, it has never been more critical to invest in technology, training and cybersecurity. The new permanent Hybrid worker also needs to consider Data Security and ‘End of Life Management’ – how to safely remove data from retired, damaged or returned devices – with the most common data breaches or incidents still largely being facilitated by human error, poor training or failure to follow process. The same applies to leavers and joiners, which means that other areas of the business, such as HR, should be challenged to take a lead – it’s not just IT who need to be custodians.
Finally, legacy technology is often the least glamorous but most overlooked threat to come to the forefront during this period. Aging machines, including in the home environment, often stay active 5 or 10 years past their ‘sell by date’. They were never built with current day security threats in mind and often the security team is ill-prepared to support them, or in many cases unaware they are being actively used. The typical UK home network is a comparatively easy target for a wide range of attacks that would make it easy for ‘bad actors’ to gain access to corporate data.
Only this week, in a new report on remote working from HP titled ‘Blurred Lines & Blindspots’, 70% of surveyed workers admitted to using their work devices for personal tasks and 69% are using their personal laptops or printers for work. The survey also confirmed that many employees see security as a hindrance and bypass security technologies when they can, particularly when working from home and particularly among 18 to 24-year-olds.
And even when the risks are known and accepted, the challenge in front of us is huge – a corresponding survey of UK workers announced in the same week from BluFort Security disappointingly revealed that despite being aware of the escalating cybersecurity challenges faced by an employer – particularly when it relates to hybrid working – many happily continue with high-risk behaviour. Indeed, 33% of office workers surveyed said that they would not take any measures or extra precautions when transporting devices with access to company data and more than 1 in 10 said that nothing would make them take cybersecurity more seriously!
There are many fantastic benefits to flexible and hybrid working – such as a greater work/life balance for employees and cost savings on office space for employers – but these should not come at the cost of exposing your business to risk. Now is the time to develop your cybersecurity strategy, invest in risk awareness training and fit-for-purpose equipment for your staff, and ensure that you have appropriate monitoring and detection tools in place.
The future of work is flexible but it also must be cyber-secure.