Cyber resilience in the age of remote work

Working from home (WFH) started out as a stop-gap measure during the quarantine days but has grown into an enduring global shift.
As well as limiting the spread of COVID, remote work allowed many workers to skip their daily commute and log on in their trackies. That way of working has become so normalised that many workers swear they'll never go back to the office full-time.

WFH is here to stay

Some forward-thinking organisations were encouraging staff to work from home even before COVID struck. The pandemic only supercharged the trend. The Australian Institute of Family Studies found that while 42% of people surveyed worked from home at least some of the time before COVID, that figure had risen to 67% by the middle of 2021.

And employees are taking a firm stance on WFH. Over a third of Australian employees said they would rather quit than give up remote working, while a survey of Kiwis during lockdown suggested 89% would like to keep working remotely at least some of the time.

But remote work hasn’t just been good for employees: it’s proved to be a money-making bonanza for cybercriminals. The remote work model increases organisations’ attack surface by introducing more devices, endpoints and opportunities for hackers to slip round conventional defences.

Criminals love remote work as much as employees

The Australian Cyber Security Centre (ACSC) notes that businesses deployed remote networking and cloud solutions at speed as the pandemic surged, “sometimes to the detriment of their cybersecurity”. Key threats that surged:

1. business email compromise (BEC) attacks became more lucrative as fraudsters exploited this new environment, with the average loss rising 50% to $50,600 in 2021.
2. distributed denial of service (DDoS) attacks hit businesses that are ever more reliant on online networks
3. Ransomware actors moved to strike at a perimeter that extended beyond office blocks into houses, apartments and neighbourhood cafes

An alarming 72% of businesses told Mimecast that they were hit by their lack of cyber preparedness in 2021.

While some businesses would like nothing more than to turn back the clock and wish away WFH altogether, the reality is that remote work is already an integral part of the business world today. Hybrid work models, where workers work onsite some days and remotely on others, are quickly becoming the norm and will only become more prevalent in the future. Fortunately, organisations don’t have to take on unnecessary cyber risk to make it work.

Setting up your org for success in the age of hybrid work

Many organisations remodelled their workspaces and processes as remote work became the new normal. Some saved overheads by shrinking their office space, while others embraced hybrid working models. But organisations must also understand that while significant savings may be possible in some areas, cybersecurity should definitely not be one of them. Breaches can be catastrophic, and security needs investment if it is to be fit for purpose. A multi-layered cyber strategy that increases awareness across the board, while limiting data access, patching frequently and backing up critical data is essential if you are to reap the benefits of hybrid working.

Stick to the basics, and do them well

With a little bit of forward planning, organisations can embrace hybrid work without compromising on security. And you don’t need all the bells and whistles of cutting-edge cybersecurity technology either. Focus on the basics first. That means using a firewall, monitoring your networks, scanning for vulnerabilities and ensuring software and patches are up-to-date. System updates should be automatic or regularly scheduled on everything from customer-facing apps to IoT devices and back-end computers. Critical patches must be prioritised.

With workers spread more widely, spotting any unusual staff behaviour online is also important. Employee management tools can help you stay on top of both general patterns of use and individual incidents. The use of shadow IT such as unofficial devices and apps should be a particular focus.

Obviously, some organisations need to go further. Progressive organisations are reshaping the roles of senior staff to give the business a clearer focus on cloud technology, oversee remote work and ensure consistency across digital platforms. Cybersecurity should be at the heart of this shift, coded into responsibilities and workflows from the get-go.

Protect your working environment

Securing a single security perimeter is now a doomed project. In a world of distributed work, it’s simply not possible. Instead, establish clear policies for governing company devices and data. The use of company and personal devices should be dictated by well-researched guidelines and a list of approved apps and services.

Multi-factor authentication (MFA) and better password policies (long, random, unique passphrases are best) will help limit unauthorised access. Virtual private networks (VPNs) and the more secure software-defined wide area networks (SD-WANs) make data harder to intercept, and cloud services increasingly integrate network connectivity and security in a single Secure Access Service Edge (SASE) framework.

Securing data is a must

Ransomware reports rose 15% through 2021 in Australia, underlining the importance of securing data. Backups should be frequent and complete to limit your risk. But backups won’t save you from extortionware.

The safest approach to data security? Don’t trust anyone. Limiting certain drives or parts of the network (with no exceptions, even for the C-suite) will limit your risk. Network segmentation limits the amount of data individuals can access, and zero-trust models go one step further by interrogating and validating every transaction. Zero trust makes it far harder for threat actors to move across your network and can limit the extent of incursions.

Get people on board

The greatest vulnerability in cybersecurity is human error. Limiting who can access data will go a long way to mitigating risk, but it should come on top of, not instead of, awareness training. Sessions should be tailored towards specific teams and use language and scenarios they can relate to. Gamifying training may keep it fresh, and making training frequent is essential – both to hammer home your message and to alert employees to new threats.

You should also work to encourage a positive cyber culture, in which staff are confident in reporting suspicious emails or network activities. Sharing relevant threat alerts and encouraging dialogue can help build a collaborative culture right through your organisation, which is key to cyber resilience.

Stay safe in the new world of work

Some of the pandemic’s changes are here to stay. The rise of remote work has benefited many workers and companies, but it has also brought opportunities for criminals. The companies that prosper in this environment will use remote and hybrid working intelligently, and will safeguard their staff and data via the right data protection, software and training. Change is coming faster than ever, and your security policies must move with the times.