The world shifted to a remote work model in response to the COVID-19 pandemic last year. At first, that was more necessity than preference, but today some employers are not going to return to their former office mode.
However, one less obvious but nevertheless critical challenge relates to the cybersecurity risks of a distributed work environment. Work-from-home employees are at much greater risk than those in offices. Firstly, cybercriminals have an easier entry into the company network, as home connections are less secure. Secondly, various online tools, solutions, and services for collaboration and productivity tend to ship with minimal default security settings, and updates from third-party vendors can change security preferences and be easily overlooked.
The biggest threats for work-from-home employees are phishing and ransomware. It appeared that employees working at a traditional office showed a lower propensity to click on phishing emails.
Ransomware is also a common threat in the work-from-home model. If the workers’ connection to the organization is blocked, it is more difficult to get assistance from the right experts and authorities. Furthermore, some workers are concerned that they have “done something wrong” and so may be more reluctant to ask for help. While this risk can be addressed by regular training on digital hygiene, training cannot guarantee the outcome.
A few words about training that increases employees’ cybersecurity awareness. Comprehensive and frequent cybersecurity training can no longer be considered a ‘nice to have’ for businesses; it is now absolutely crucial for organizations that are facing an ever-evolving array of cybersecurity threats in the current work-from-home environment. As a follow-up to training employees to detect phishing emails, organizations really need to invest in a robust, integrated suite of cybersecurity solutions that prevent, detect and mitigate ransomware attacks and other cybersecurity threats.
Authorities need to recognize three realities of cybersecurity in a distributed environment to fully address threats:
- Growth and virtualization of the workforce are accelerants of cyber risk.
- Cyber risk is not a problem with a defined endpoint.
- Humans (the employees) are the weakest link in any organization’s security system.
The first truth: growth expands a company’s interactions with the outside world, which means new communications with unfamiliar parties and their networks, and therefore a larger attack surface. Worse yet, because growth does not happen in a completely predictable way, it can be hard to manage cybersecurity.
As a result, cybersecurity may be seen as a brake on rapid growth. Let’s be realistic: shareholders are unlikely to slow down the development process for the sake of cybersecurity. Therefore, keeping a balance is vitally important.
Fortunately, there are a number of ways to secure your organization without impacting productivity, such as the implementation of identity and access management solutions that include multi-factor authentication (MFA) and single sign-on (SSO) capabilities. Though MFA does involve an additional step when employees log in, SSO not only makes it easier for employees to log in to a number of key applications at once but also provides an easier way for IT administrators to adjust permissions to prevent unauthorized access.
Now the second truth is that cybersecurity is not a problem that can be finally and definitively “solved.” Cyber-criminals are always looking to hack the most secure system, because they are constantly improving their skills.
According to cybersecurity experts, problems have defined solutions, and often concrete endpoints, whereas cyber threats are not problems any more than criminality is a problem; they are an ongoing challenge you need to address constantly. Like any crime, cyber risk has neither a defined solution nor a concrete endpoint. Cyber threats have multiple objectives, such as theft, destabilization, political issues, and laying the ground for later actions. Hackers range from governments to employees, and there is neither a clear solution nor any fixed rules for the game.
Finally, the third truth is that humans are the weakest link in an organization’s security, so the biggest concern is how to address this problem. For many organizations, defending against cyber risk is an expense or an afterthought. To tackle these risks, organizations must provide regular training and workshops to increase the cybersecurity awareness of all employees. Cybercrime keeps moving, and your people need to be kept up to speed and educated continuously.
As we can see, work-from-home is proving to be a game-changer when it comes to corporate security, and any company considering longer-term work-from-home or hybrid models must become more diligent in managing the work-from-home risks.
Here we outline how to mitigate some of the cybersecurity risks in remote work:
- Apply updates/patches on computers regularly; your IT department should take the lead in this effort.
- Use MFA (multi-factor authentication) whenever possible.
- Keep up-to-date on phishing/security training and awareness for all employees.
- Make sure employees are comfortable reporting immediately when they make a mistake or suspect something has gone wrong.
Keep in mind that doing even the first two significantly improves your resilience.