Work from home has quickly taken over in many enterprises due to the recent crisis. For some organizations, it has come as a blessing because they can reduce fixed capital costs in segments like office real estate. In addition, it has allowed these companies to source the best talent without having to worry about geographical constraints.
However, some major problems have also arisen. This is because a majority of enterprises were forced into the remote work paradigm. In addition, these enterprises were unprepared at an infrastructural, policy, and cultural level. For example, only 38% of businesses had a cyber security policy in place and of this segment, 33% did not have any policies relating to remote work.
This has, in turn, made these newly remote enterprises easier targets because of the new network scenarios that remote work has produced. For example, approximately 25% of organizations saw a doubling of cyber attack attempts. In addition, malicious email attacks targeting remote employees rose by 400%.
This article focuses on the cybersecurity issues facing newly remote companies and offers some potential solutions to those issues.
Lack of planning
One of the biggest reasons for cybersecurity breaches at companies with remote employees is a lack of planning. This problem affects all facets of the business, from the types of tools that are needed to the policies or cultural directives the organization should have in place.
Due to how quickly the pandemic spread and the physical distancing and quarantine requirements that were put in place, a lot of companies were caught wholly off guard.
As touched on in the introduction, only 38% of businesses had a cybersecurity policy. In addition, only 39% of businesses had a continuity plan in place for the type of emergencies we saw during the pandemic.
Inadequate cybersecurity tools
Most enterprise cybersecurity tools are built for a specific use case. That use case is people going into the office, where there is a high level of control over the corporate network and the kinds of devices that can be brought in.
Allowing work from home drastically alters this use case and that brings with it many risks.
The most important of these risks is the (insecure) extension of the corporate network into employees’ home networks. This is an important problem because rather than having defined network boundaries and secure entry points, the corporate network is now subject to the security level of each employee’s home network.
To use an example, imagine a castle with 6-foot thick rock walls. This castle also has a series of 1/2 inch thick plywood wall sections. It no longer matters that the 6-foot thick walls exist, because they have been rendered useless by the plywood sections.
You’ve heard the saying “a chain is only as strong as its weakest link”. Now the weakest link is no longer contained on the corporate network, where it can be managed. It sits in the uncontrolled network of the remote employee.
This poses difficult questions for the company’s cybersecurity team. In the next section, we hope to provide some answers.
Lack of cybersecurity education
Good tooling is important, but it is just one side of the equation. The other side is the people. If people don’t understand or believe in the value of good cybersecurity practices, they become an attack vector that can easily be exploited to attack the organization.
For example, some employees see changing passwords frequently as a chore. Others have never even thought about the security status of their home office networks.
This education will need to be focused on 2 fronts: the first is cultural, the second is knowledge.
The cultural aspect will need to be rooted in the “why”, i.e. why we should care about and implement good cybersecurity practices. The knowledge portion will need to focus on the “what” and the “how” of those practices.
Remote-first cybersecurity tools
Organizations must expand their cybersecurity toolset to include tools that can help their employees validate the security of their home networks. This is because employees’ home networks are mingling with corporate networks, and if a home network is not secure, it becomes an additional attack vector against the company.
Organizations should prioritize 2 types of tools. The first type is tools that can provide security insight about an external network. The second type is tools that can provide security for an employee’s home network.
In addition, these tools should integrate with existing cybersecurity intelligence tools to provide a unified vision of the hybrid (organization and employee) networks. This will help give the organization a realistic view of its security status.
One issue to address here is privacy. A lot of employees may not feel comfortable giving their employers information about their home office network. This must be addressed openly so employees know the organization has their best interests at heart.
Security-focused culture
Cybersecurity in the organization is not just an issue of technology, it is also one of culture. A company’s cyber tools are only useful if the employees of the company use those tools effectively and consistently.
The most effective way to guarantee actions get done consistently is to ingrain them within your organizational culture. These cultural practices must be explained in detail and a “why” must be given to help your employees understand why good cybersecurity practices contribute to a better business.
Once the culture is created and understood by employees, cybersecurity policies can then be linked with it to create a robust and secure environment that will benefit the organization.
Some example policies are requiring multifactor authentication, requiring employees to use secure networks and encrypted communication methods, and ensuring IT personnel keep remote access servers secure.
In addition, this culture must be backed by actions that reinforce it. There is nothing employees hate more than empty words coming from on high without real action taking place. The leadership must provide examples that everyone should follow.
One final thing: culture is not a static entity. It is forever evolving, so the organization’s leadership must foster an environment of feedback and iteration. This means the leadership should constantly take feedback from employees on the ground and see how the culture can be improved to drive business and security success.
Employee cybersecurity education
Cybersecurity education is difficult to achieve in the sense that as long as a member of your organization is uneducated regarding cybersecurity threats and practices, that person represents an attack vector.
This means any education program must encompass all levels of the organization, from leadership to front-line employees. In addition, this education will need to be tailored to the intended audience. For instance, executives will receive different training from engineers.
Finally, with cybersecurity, things are not static. There is a constant arms race occurring between attackers and victims. This means this year’s best practices will not be next year’s (or even next month’s). This is why an organization’s cybersecurity education must be ongoing.
An example way to implement this kind of education would be to use a self-paced style of learning and internal certifications. This method works because employees can take it at a convenient time and internal certification tracking will give the organization insight into its knowledge level.
In this article, we spoke about the major cybersecurity concerns, ranging from employee cybersecurity knowledge to improper tooling, that have surfaced because of remote work. In addition, we offered some practical solutions to these concerns.
Remote work is here to stay and so are the cyber attackers that target remote workers. Organizations must take a step back and assess whether they are ready for this change and all the good and bad it will bring.