The COVID-19 pandemic has forever changed the way we work. Even before the new Delta variant pushed some U.S. cities and states into a fourth and fifth wave, America’s workforce made it very clear that they would stay remote in at least some capacity post-pandemic. This development drove some of the world’s biggest enterprises — like Facebook and Atlassian — to introduce permanent work-from-home options, and others like Amazon and Microsoft to institute new hybrid work strategies.
In fact, according to new data from Morphisec, 35% of traditionally office-based employees say they will continue working from home two to three days per week going forward, while an additional 12% note they’ll remain remote full-time and 11% plan to work primarily from home long-term. Indeed, employees’ reception to remote work has created a massive shift for organizations across the globe – one that has opened up new opportunities for productivity alongside a better work-life balance.
Unfortunately, it has also contributed to an unrelenting cybersecurity emergency. The rate of attacks targeting American businesses has skyrocketed since the spring of 2020, with the damage done hitting levels that we’ve never seen before. Cybercriminals are exploiting severe gaps in companies’ remote work environments as the pandemic has rendered their perimeter security strategies irrelevant. And, despite it being more than 18 months since the pandemic began and employees took to their makeshift home offices, it’s clear there are still a lot of lessons to be learned from companies’ response to the new remote work frontier.
Here are three cybersecurity lessons from the pandemic that every organization should learn as they prepare for the future of hybrid work.
1. It’s time to graduate from vulnerable, personal devices
The types of devices that WFH employees have used since they transitioned to working remotely undoubtedly contribute to the severe, threat-filled cyber landscape. Despite pleas from groups like the Cybersecurity and Infrastructure Security Agency (CISA) for organizations to prohibit their staff from using personal devices for work, a strong proportion of Americans have been doing just that since the pandemic began. As a result, companies have opened up yet another avenue for cybercriminals to seamlessly infiltrate their network infrastructures and steal sensitive data, all thanks to their use of non-hardened devices.
To underscore the danger, CISA recently released an analysis of several successful attacks against various organizations’ cloud services. CISA said the attacks occurred when employees worked remotely using a mixture of corporate laptops and personal devices to access their respective clouds. As organizations prepare for a future where remote work remains a key component of their business models, it’s vital that they provide their employees with hardened devices that enable them to work confidently from secure networks.
2. Employee training has become non-negotiable
Despite more than 70% of companies surveyed by Malwarebytes last year scoring themselves high on their preparedness to transition employees to work from home, nearly half admitted that they did not even provide their staff with cybersecurity training. Yet, as cybercriminals continue to alter their strategies to better target vulnerable remote employees, the human factor of cybersecurity has never been more in focus.
The dramatic rise in phishing attacks, for instance, is perfect evidence of this, with threat actors increasingly deploying social engineering to dupe victims. Even targeted phishing attacks, which attackers use to target specific victims within companies, have quickly become the most common breach method reported in the past year. Cybersecurity firm KnowBe4 revealed recently that 57% of enterprises say they experience such spear-phishing weekly or even daily.
With the financial fallout of a cyberattack dramatically rising – and studies showing that an overwhelming majority of cyber breaches are caused by human error – it’s clear that employee training has become a non-negotiable investment.
3. Lax antivirus protection must be improved
The new era for remote work brings with it the need for a new generation of security protection, policies, and protocols. After all, as McKinsey asserts, every business is now a digital business, making cybersecurity an important part of their value proposition, customer experience, and supply chain configuration. Yet, enterprises remain stubbornly lax when it comes to their security hygiene.
In fact, Morphisec’s 2021 WFH Employee Cybersecurity Threat Index recently found that 88% of remote workers do not disable remote access when they’re not using their computer for work, and 22% do not use enterprise-grade passwords. Considering the recent wave of attacks on several water treatment facilities in the U.S. in which attackers successfully gained remote control of networks using old remote login credentials, this is a particularly concerning statistic that’s leaving enterprises especially vulnerable.
But what’s perhaps most perturbing is the fact that 42% of U.S. WFH employees say they don’t have antivirus installed on the device they use most for work. The truth is, this is concerning not because they’re forfeiting a high level of protection, but because they’re neglecting the most basic step in their cybersecurity roadmap. If enterprises and their employees don’t even leverage these tools which are so readily available to them – and often free – it’s a worrying indication for the future.
Of course, in reality, cybercriminals’ attack techniques have evolved to a point where they’re easily bypassing next-gen antivirus products. But they’re important for businesses as a baseline of security. For example, when coupled with a zero-trust security posture, they can be far more effective. Zero trust is a model that requires businesses to treat anything inside or outside their systems’ perimeters as a potential intruder, which is absolutely critical for enterprises operating within this full-on war environment where they’re constantly under attack.
Protecting employees in the modern workplace
Indeed, as Americans continue to shift between remote and in-office work, and threat actors continue to prowl for ill-prepared organizations, zero trust has become the best policy for protection. This is especially true when you consider enterprises’ increasing reliance on third-party vendors, who have become a highly popular route for cybercriminals to target more businesses at once. So while this growing era for hybrid work is opening up new opportunities for companies to be productive and grow the employee experience, it’s vital that organizations working from home in any capacity account for these considerable cybersecurity risks.
They must invest in hardened company-provided work devices, educate their employees on the evolving threat landscape and what to look for, and replace their lax security hygiene with one that’s capable of preventing the attacks that have crippled too many organizations in the past 18 months. To put it simply, the repercussions of not doing so are detrimental, between the hefty financial costs, the loss of customers, and the hit to reputation. That is why these lessons are critical for businesses of all sizes operating in this unique environment.