New Ways of Working, New Ways of Getting Attacked
Organizational Cyber Awareness Defends Against Remote And Hybrid Working Vulnerabilities.
- The COVID-19 pandemic accelerated remote and hybrid work arrangements already underway with the global growth of non-standard contracted and temp employees.
- Cybercriminals exploit these new ways of working; though the technology is changing, the human factor remains the point of vulnerability.
- The best defense is promotion of cybersecurity awareness that begins at the corporate board and senior leadership levels.
While work from home arrangements were in place before COVID-19, due in part to the growing reliance on contract and other temporary workers, the expansion of remote and hybrid working models are likely to continue post-pandemic. Given the uncertainty organizations face on when to encourage workers safely back into the office, combined with some workers’ hesitation to go back to the office at all, at least not full-time, the new ways of working remotely are here to stay.
What’s also here to stay is cybercriminals’ opportunity in this new way of working, not just to exploit the very technology that ties everyone together virtually, but to continue to exploit what is central to the use of whatever technology is deployed—the human factor.
That’s one of the key findings in a new Economist Impact report sponsored by Mimecast, Signals and Noise: The New Normal in Cybersecurity. The benefits of greater organizational efficiencies and flexibilities of new working models are tempered by an expanded attack surface. Human frailty has always been the chief target; the increased vulnerabilities of remote working from both technical and psychological perspectives make that target all the more inviting.
Consequently, organizations need to recognize that the threat landscape is ever-evolving. While technologies such as artificial intelligence (AI) and cloud computing offer better defenses against cyberattack, one of the best defenses continues to lie in the hands of the end users.
And what lies in the hands of users in many cases is not just the company laptop.
The Danger of Device Proliferation
The new model of work means more devices connected to corporate networks. Not just the laptop or BYOD cell phone and maybe a tablet as well, but also non-work devices. A gaming console maybe, because what’s the harm, and of course the spouse or roommate as well as any children or guests who all use the same wi-fi as the employee even if not connected to the corporate VPN.
This is all exacerbated by distractions at home, particularly for people accustomed to working from the office. The personal tends to interact with the work much more often at home than in the office, even for people who worked remotely before the pandemic. But for people who were forced to work from home, the adjustment, not to mention the isolation from colleagues and normal at-work routines, is more disorienting. And disoriented workers are much more susceptible to cyberattack.
As Jenny Radcliffe, founder and Director of Human Factor Security, points out in the Economist Impact report, “When people are subject to huge, imposed change, there are major psychological implications. The main reason people give for doing things like clicking on phishing emails or bad links, or opening attachments, or when they fall for scams and cons of any kind—the main reason they give is distraction. From a work at home environment, many people find it a lot more distracting, and that makes them more vulnerable to an attack. Attackers know that.”
Cybersecurity Isn’t Just an IT Issue
Work at home as the “new normal” has accelerated the transition of cybersecurity from an IT responsibility to an organization-wide responsibility. And it begins at the top. Leadership not only needs to establish robust cyber resilience strategies, but actively promote awareness of these strategies.
Easier said than done, however. As Michelle Price, CEO of AustCyber, observes in the Economist Impact report, “When you go into the less regulated sectors, and for small- and medium enterprises (SMEs), we see a very rapid drop off in the consistency of awareness across both the leadership and broader employee base when it comes to cyber security.” This is particularly surprising considering that, according to a 2021 survey from ENISA (European Union Agency for Cybersecurity), 85 percent of SMEs agree that cybersecurity issues have potentially serious detrimental impact on their businesses.
Adds Emily Mossburg, Global Cyber Leader for Deloitte, “We’re not nearly as far along as we need to be. It's a huge change management issue, and it requires asking a broad set of questions about the potential vulnerability and risk associated with business and innovation.”
Why the disconnect? Perhaps it is because during the pandemic we all feel stressed, top leadership even more so, and there are so many fires to put out, leaving less free time for proactive cyber resilience strategy development. Regardless, as Leo Simonovich, VP and Global Head of Industrial Cyber and Digital Security for Siemens Energy, emphasizes in the Economic Report, it is vital for leadership to “put security at the forefront of their agenda.”
There is a sense of inevitability that it is no longer a question of if an organization will be the victim of a cyberattack, but when. Which explains why many companies are investing in cyber insurance, which is expected to grow from about $4 billion (US) in 2018 to more than $20 billion (US) in 2030. The good news here is that adoption of cyber insurance actually promotes greater cybersecurity practices. The only way to qualify for cyber insurance is to have sound cybersecurity policies and practices in place.
Yet, experts caution not to lean too heavily on insurance. As Kerissa Varma, Chief Information Security Officer of Old Mutual Bank notes in the Economic Impact report, “Cyber insurance has its place in risk mitigation strategy, but you still need the strong controls. Cybersecurity is all about people.”
Power to the People
The Economic Impact report emphasizes that people are at the core of the cybersecurity challenge for the new ways of working. New technologies are critical for improving cyber resilience, but no technology is perfect. People remain the weakest link, which is why promoting cyber awareness during this new way of working is often referred to as the “holy grail” of improved cybersecurity.
Elements of that holy grail include providing:
- Cybersecurity awareness training to all employees and contractors tailored to their working situation and industry-related concerns
- Information on cybersecurity practices in short, digestible, easily-understandable formats
- Accessible resources such as quick checklists for spotting phishing attempts
- Training tailored to the level of the individual’s technology-expertise; there is no one-size fits all approach
- Treatment of employees as allies in protecting themselves as well as the organization; certain policies, such as two-factor authorization, might seem a hindrance to doing work rather than a part of doing work safely if not positioned correctly
Above all, as the Economic Impact report notes, “Buy-in from top leadership is an important first step towards raising awareness among employees and identifying potential solutions. Though it has become a time-worn, and even trite suggestion for improving corporate cybersecurity, awareness is more important than ever as remote and hybrid working models gain in popularity.”
The Bottom Line
The Economic Impact report concludes that while people are the biggest problem for cybersecurity, they are also the best solution. Give people training, and give them as little as possible to do to stay safe online, and make it easy for them. And know your people better than the bad guys.
To find out more, read the full report.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!