New Dangers Of Working From Home: Cybersecurity Risks
One less obvious but nevertheless critical challenge relates to new security threats as a result of this distributed work environment. Companies have had to get better at cybersecurity in our digital age, but cybersecurity threats have grown significantly with distributed work. Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network. Furthermore, the many online tools, solutions, and services for collaboration and productivity that have proliferated tend to have the bare minimum of default security settings, and updates from third-party vendors can change security preferences in ways that are easily overlooked.
Group Head of Cyber Governance at FWD Insurance in Singapore, Pritish Purohit, notes that without the immediate context of an office, threats such as phishing and ransomware can more easily evade corporate defenses. “In a traditional office setting, there’s a natural defense against phishing when workers can easily query adjoining co-workers.” Indeed, such checking may be harder to replicate when working from home, especially for less tech-savvy employees or those who are not wired into the @security channels on Slack or Teams (if the company even has those). Before the pandemic, a test phishing message was appropriately ignored by managers who were aware that corporate security was ramping up fraud detection, but the same employees working remotely showed a higher propensity to click on phishing emails because they were not in the loop.
Ransomware also enjoys an advantage in the work-from-home model. If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities. And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving corporate IT will be rewarded, it can still be an uphill battle.
As Fred Voccola, CEO of Kaseya, the IT software management company, observes, “comprehensive and frequent cybersecurity training can no longer be considered a ‘nice to have’ for businesses—it’s now absolutely crucial for organizations that are facing an ever-evolving array of cybersecurity threats in the current work-from-home environment. In addition to training employees to spot phishing emails, organizations really need to invest in a robust, integrated suite of cybersecurity solutions that prevent, detect and mitigate ransomware and other cybersecurity threats.”
- Growth and virtualization of the workforce are the precipitating events for much cyber risk.
- Cyber risk is not a problem with a defined endpoint.
- Humans (i.e., the employees) are the weakest link in any organization’s security.
If any of the above three statements comes as a surprise, then perhaps some further understanding of these risks is worthwhile.
The first reality is that growth expands your company’s interactions with the outside world, which means new communications with less-familiar parties and their networks. In other words, the “attack surface” of your company gets larger. Worse yet, because growth does not happen in completely predictable ways or in uniform areas, it can be hard to regiment cybersecurity. So, while cybersecurity is important, it may be seen as a direct offset to rapid growth. The same cost/benefit to security during the status quo may not apply if your shareholders value growth. Revenue growth expert Rob Docters, a partner at AbbeyRoad Consulting, notes that particularly during the initial growth phases, when ownership of markets is being shaped, attempts to regulate expansion can be fatal. He notes, for instance, that pioneers of pop culture exhibitions like Comicon have found their growth constrained by corporate oversight, which can cramp deal-making and creativity.
That said, cybersecurity improvements don’t necessarily have to hinder productivity. “New cybersecurity processes may add additional steps to certain tasks, but there are a number of ways to secure your organization without impacting productivity,” notes Voccola. “One example is the implementation of identity and access management solutions that include multi-factor authentication (MFA) and single sign-on (SSO) capabilities. Though MFA does involve an additional step when employees log in, SSO not only makes it easier for employees to log in to a number of key applications at once but also provides an easier way for IT administrators to adjust permissions to prevent unauthorized access. The small extra step is worth the additional security benefits it provides.”
Moving on to the second reality, cybersecurity is not a problem that can be finally and definitively “solved.” Cyber-criminals and pranksters are always looking to defy the next better mousetrap. According to Chadi Hantouche, cybersecurity expert and partner leading Wavestone’s Asia Pacific practice, “problems have defined solutions, and often concrete end points. Cyber threats are not problems any more than criminality is a problem—it is an ongoing challenge you need to address constantly.” Like any crime, cyber risk will have neither a defined solution nor a concrete endpoint. Hantouche notes that cyber threats have multiple objectives, such as theft, destabilization, political agendas, and setting the stage for later actions. Hacking parties range from governments to employees. There is no simple solution nor any fixed game plan. What senior management needs to do is develop corporate skills and capabilities—just as it does for marketing or other functions.
Purohit parallels this view. “Increasingly, threats are not just individual hackers, they are governments. Therefore, there is a need for coordinated industry action. What is a sign of the severity of the problem is that major breaches have existed in some cases for six months or more without being detected by the target entity.” A stunning recent example is the cyberattack that shut down Colonial Pipeline, the largest gasoline pipeline in the United States—despite the breach, there were no immediately obvious ill effects.
Finally, the third and most compelling reality is that humans are the weakest link in an organization’s security, so the biggest concern is how to address that reality. Cyber security and Tech Content writer Maram Al Aradi notes that too many organizations treat defending against cyber risk as an expense or afterthought. In order to address these risks effectively, organizations must provide regular training and workshop sessions for all employees. Cybercrime evolves quickly, and your people need to be kept up to speed and educated continuously. “Like humans doing health checkups,” Al Aradi advises, “organizations must do so as well. That means understanding and identifying all possible endpoints internally and externally so they can be monitored effectively. No small effort in a distributed work environment with so many new tools and software solutions being adopted so quickly!”
Overall, work-from-home is proving to be a game-changer when it comes to corporate security, and any companies considering longer-term work-from-home or hybrid models must get more diligent in managing the work-from-home risks. In conclusion, here’s some great advice from Dan Timpson, Chief Technology Officer at Kaseya, on how to mitigate some of the cybersecurity risk in remote work:
- Apply updates/patches on computers regularly; your IT department should spearhead this effort.
- Use MFA (multi-factor authentication, such as Passly) whenever possible.
- Keep up-to-date on phishing/security training and awareness for all employees.
- Make sure employees are comfortable reporting it immediately when they make a mistake or suspect something is wrong.
Just doing the first two significantly improves your security posture against bad actors.