Over the past few months, the world has had to get used to a new normal. Offices are now largely ghost towns and employees have been settling into a working-from-home lifestyle. However, while they may feel more relaxed with their line managers no longer breathing down their necks, many seem to have thrown caution to the wind in terms of cybersecurity.
Businesses have had to trust their employees to focus on their work and manage their daily meetings while keeping their kids from tearing the house to pieces. Online security is a major area in which businesses have had to place faith in their workforce, as they simply cannot monitor what employees are doing from home. But when the watchful eyes of their IT departments are away, employees are not being as cautious.
A recent report from cybersecurity company Tessian stated that 52% of people working from home believe they can be more lenient with their cybersecurity. For instance, remote workers are more likely to share confidential files through email instead of via more trusted mechanisms. A major reason for this is simply down to the fact they are not being overshadowed by their IT department.
IBM Security recently completed a study of 2,000 US professionals and found that 80% had never or rarely worked from home and 50% stated they worried about cyber threats. Even more worryingly, 52% said they were using their personal laptop to work remotely, often with no added security software installed, and 45% said that they had not had any training to work remotely securely.
The situation is similar in the UK. Promon, an app security company, conducted a survey of 2,000 remote workers and found that 66% of UK remote workers haven’t been given any form of cybersecurity training in the past 12 months. Multiple reports are coming out, all of which paint quite a gloomy picture for cybersecurity.
It appears that many businesses were not prepared for the current remote working situation. It’s understandable. The coronavirus pandemic and the measures taken to curb the spread are unprecedented and no-one could have foreseen them. But, you would think businesses would have in place contingencies for a similar scenario or issued company-wide guidance on cybersecurity and the importance of not letting standards slip.
CyberCube head of cybersecurity strategy Darren Thomson said, “Increases in home working have been proven to lead to the relaxation of standards when it comes to “which” devices are used to conduct company business. Many of our homes are now littered with endpoint devices, any of which could potentially be used for work. The failure of a mobile phone or a laptop can force workers to look for quick alternatives and the alternatives (e.g. a personal iPad) most often will not have been configured with corporate security in mind.”
He went on to explain that communication networks, even when companies require the use of virtual private networks for accessing resources remotely, are relatively insecure, with poorly configured WiFi networks also adding to the problem. Employees are faced with a lot more cyber risks while they work from home, compared with when they are in the office. Companies have firewalls and generally tighter security measures to weed out attacks and plug up vulnerabilities. However, when at home, employees simply do not have access to the same safeguards, meaning even the simplest cyber attacks are much more likely to be successful.
Thomson added, “This can lead to “man in the middle” attacks, theft of sensitive data, poor network quality (affecting productivity) and huge exposure to cybercrime involving the infection of home routers.” An example of a man in the middle attack is where a victim receives an email which appears to be from their bank asking them to log in and confirm contact information; however, it is from an attacker. The criminal would have made the email look legitimate and created a website similar to that of the indicated bank. Another similar attack could involve a hijacked email chain, where an attacker intercepts an email before it reaches a client and changes the link details or personal information.
Without IT departments, companies need to explore new ways to keep their staff safe and ensure information is not being leaked. An investigation from data discovery software platform Exonar found that 24% of remote workers rarely or never consider data protection policies or regulations when they share information with colleagues as part of their work. If they are not being careful when sending information amongst colleagues, there is a big opening for man in the middle attacks or other types of attacks which result in data theft.
Thomson said, “One of the most important things that a business should be doing, through good governance, to help minimise cyber risk as it pertains to home working starts with their people. Often referred to as the “weakest link” in cyber security whereas, in reality and when well-educated and engaged, staff can form a strong part of cyber defence posture. They should create custom-built cyber security training that is engaging, competitive, fun and specifically tuned to the home-working environment. For example, use videos, role-play, league tables and awards. Engage third-party specialists in this area, if necessary.”
Because the coronavirus and the lockdown came rather suddenly, a lot of employees and companies have been left seeking new tools and services quickly. Cloud systems have become one of the best saviours, enabling better connectivity in times of distance as well as the ability to access important documents while at home. However, Thomson believes, “Very likely, the applications adopted will have fallen outside of what an employer would deem secure and reliable.”
Zoom is one of the best examples of this, he stated. The video conferencing platform has been a godsend for a lot of companies. Whether as a replacement for conducting business meetings, team catch-ups or similar use cases, businesses have been able to maintain some level of interaction with staff and clients. But Zoom has not been the most secure platform and has potentially left many businesses open to security issues.
One of the security issues is known as Zoom-bombing, in which an uninvited guest joins a call and is able to harass or disrupt business meetings. Another vulnerability even made it possible for a hacker to take control of devices, a report from Forbes claimed. The article also explained that the data privacy terms and conditions of the video conferencing app are a little worrying. The application reserves the right to collect all of the information supplied through the app, including audio, instant messages and documents, and it can use this content for targeted advertising or for other means. Finally, the company announced its end-to-end encryption for calls will only be available for paid members.
Companies will need to better train their staff to work more safely online and also ensure the services they are using still meet the same standards they would if they were in the office. Once the pandemic is over, not only will companies be using a lot more cloud services than they were going into the lockdown, they will also need to re-establish their security standards assessments and testing, Thomson stated. “Changes will not simply need to be “tweaks” to existing practices so as to simply “allow” for cloud-usage, flexible working hours and remote working. Fundamental changes to security strategy will need to be implemented.”
Copyright © 2018 RegTech Analyst