Following the outbreak of Covid-19, businesses around the world rapidly implemented new technologies to adapt to remote working and accommodate hybrid workforces.
In general, businesses have shown great resilience and agility. But as working from home continues, many organizations are beginning to turn their focus to cyber security.
From an attack standpoint, the pandemic has not changed the way cyber criminals operate. The methods they use are much the same, with phishing, vishing, and smishing among their main tactics. What has changed, however, is that cyber criminals are using the pandemic, and their victims’ fears and uncertainties, more prominently in their attacks.
According to an INTERPOL report, two-thirds of countries surveyed have seen significant use of Covid-19-related online scams and phishing attacks “often impersonating government and health authorities”.
Further to this, the report reveals there has been a “significant target shift from individuals and small businesses to major corporations, governments and critical infrastructure.”
This is something the cyber security industry fully anticipated. As entire countries moved to remote working, with all but essential workers allowed to enter their physical workspaces, organizations’ attack surfaces expanded greatly. To respond to these threats, businesses must take a people-first approach to technology adoption. With this in mind, here are four tips to help businesses of all sizes.
1. Be mindful of Covid-fatigue
Organizations are made up of individuals with varying degrees of cyber security awareness and conscience. Add to this the wider stresses of the pandemic, such as lockdowns, furlough, redundancies, childcare, home schooling, illness, and many other variables, and the stark reality of any organization’s potential security risks becomes clear. The sentiment that an organization’s cyber security posture is only as strong as its weakest link has never been more relevant.
In the first lockdown, most firms will have prioritized business continuity, which meant adopting the technologies that enabled communication and collaboration between teams. Microsoft Teams users, for example, surged from 20 million in November 2019 to 115 million in November 2020, with that figure still rising daily.
With people working remotely, many businesses’ security controls will have had to play catch-up, leaving potential holes in their networks as they adapted. For many businesses, web filtering, for example, might not have been possible for a user’s end point when they began working outside the corporate network.
The right solutions can mitigate these issues. But as the pandemic continues, businesses must ensure that communication regarding security and vulnerabilities is effective. Tools and technologies are the key and there is some great advice out there from the likes of the National Cyber Security Centre, which details key areas to focus on.
But when the default security posture shifts so dramatically in a short space of time, immediate user education should be prioritized.
This is particularly the case for small to medium-sized businesses, which may not have the coffers to enable mass implementation of advanced cyber security controls.
Processes for people must therefore take precedence. Even simple instructions, such as prohibiting the use of work devices for personal purposes like online shopping or accessing personal accounts, can greatly reduce a company’s risk.
2. Tailor implementations to business needs
There is a wealth of information available on cyber security best practice and technology recommendations. The key to shoring up any firm’s defenses, however, lies in taking a holistic approach.
One organization’s risk profile will be very different from another’s. For example, the regulatory environment of an industry, or the country in which a business operates, may change the security focus and requirements of that business.
The GDPR is a prime example of this, as failure to safeguard sensitive data can result in significant penalties, meaning firms must stay on top of their compliance procedures and user education initiatives.
Even if two firms are of a similar size and operate in the same industry, a “cut-and-paste” approach to cyber security should not be taken. The tech stacks of these organizations, as well as the technical skills and knowledge of their workforces, will also vary.
Add to these concerns the rapid move to remote working and the situation becomes increasingly difficult to manage.
Even if firms can afford greater adoption of cyber security technologies and measures, they must still meet the challenge of ensuring compliance from a Covid-fatigued workforce.
People can pose just as much of a risk as a malicious insider when it comes to data integrity, especially when circumstances mean their guards are lower than usual.
3. Consider the impact on your people
Effective implementations of solutions and processes must always take into account the effect on the end user. There are many tools that can be used to monitor the activities of employees, for example. But consider the price and purpose of doing so. Are you monitoring for productivity or risk? Is there a simple technology solution that allows you to restrict access to certain sites or networks on work devices, so employees do not have to be monitored so closely?
Furloughing staff, for example, creates a unique problem that many organizations were not prepared for. Maintaining furloughed users’ access to systems and accounts, while ensuring they are not accessing them in any significant way, is unprecedented, but manageable with the right controls.
Assessing the risk profiles of employees and implementing a strategy that scales to the level of monitoring required is a good way to approach this.
Conditional access, for example, allows users to access exactly what they need within the contexts of their roles and end-point security. If they do not meet the criteria, they will not gain access, or be given only partial access. This can also be scaled if the user’s needs evolve.
4. Be realistic
Reacting at pace to a global black swan event is a daunting prospect. But a measured approach should be taken.
Now, more than ever, the trade-off between security, productivity and cost must inform business decisions. Organizations must think carefully about how each technology adoption will affect productivity, and if it can be utilized effectively by remote workforces.
How will effective implementation and optimization be achieved, and what are the cyber security concerns with each potential adoption? Does moving to a cloud platform bring new risks that cannot be adequately protected against? If so, is there another solution?
As with adopting any technology, businesses must ensure cyber security software addresses a core business problem. They should not overstretch resources and overreach in clamping down.
If firms rapidly adopt new and advanced cyber security tools and practices – as happened in response to the pandemic – but do not have the resources to implement and manage them effectively, IT departments are at risk of becoming stretched, particularly as they try to manage the many other implications of remote working.
Luke Kiely, Security Operations Manager, Content+Cloud