Many organisations have adapted well to working within a pandemic reality. They have discovered that their staff could be perfectly productive from home, that business as usual – to some degree – could continue, and that remote working can work on a scale never before considered feasible. However, as usual there have also been those who have looked to exploit the weaknesses inherent in this ‘next normal’.
Estimates have it that more than twice as many people have been working from home during the pandemic as before, ramping up the pressure on already vulnerable processes and revealing entirely new ones. The threats to a company’s cyber security are very real and growing, so what are you doing to counter them?
Many of the organisations we work alongside have reported issues that range from irritations to serious threats. We have listed a number of the most common below to shine a spotlight on areas where your cyber security may need further consideration.
- Use of own devices
Not all companies issued staff with laptops to work on when they sent them home. Therefore, many organisations may find themselves at greater risk due to the inherent weaknesses on their staff’s personal computers —weaknesses such as inferior connections and anti-malware tools, and security patches not being updated. These devices will also be used by staff for their personal emails and web surfing — not to mention other family members, of all ages, logging on — so the risks continue to ramp up.
- Unfamiliar new technologies and lack of training
Whether in the form of a new laptop or new platforms for sharing data and interacting with team members, staff may feel more out of their depth than usual while working remotely. In the office they may call down someone who could explain it to them, but at home there is an increased chance of their attempting to muddle through. In doing so, improper use may allow for security issues to creep in.
- Slower identification and categorisation of risk
Cyber security staff are likely to be stretched thin with increased calls on their time due to the disparate nature of the workforce working from home and the added risks associated with this. This is likely to have a knock-on impact on response times to counter genuine security threats. Unfortunately, as time is always of the essence to prevent further spread, damage and access, this inevitable delay could well be a risk in and of itself.
- Speed with which new systems were created and deployed
Robust systems take time to test, implement and secure properly. However, time was not a luxury many companies had when developing systems to support remote working en masse during this pandemic. Speed may have been achieved at the expense of security and even the smallest of cracks could be exploited by those determined to cause harm or access the company’s systems.
- Phishing attacks
According to reports, the last two weeks of March alone saw more than 400,000 spam emails on the subject of Covid-19, presumably looking to exploit staff anxiety about the pandemic to increase chances of those emails being opened. Add to that greater staff reliance on email as a form of communication with colleagues , and there’s an increased risk of one being clicked.
- Disgruntled ex-employees and suppliers
An unfortunate result of the catastrophic impact Covid-19 has had on business globally is an increase in redundancies and the letting go of suppliers. These make businesses more susceptible to internal threats heightened by remote working. These threats include–unsophisticated attacks such as the theft of company data or intellectual property, or more sophisticated attacks which exploit known weaknesses in the remote working system to cause damage on a company-wide scale.
- Reduced investment in cyber security R&D
The pandemic has meant a reallocation of funds within many organisations to areas that they consider to be business-critical in these most uncommon of circumstances. Compromised cyber security resourcing could lead to fewer staff, less time dedicated to researching the market for new threats and the solutions to them, as well as less time to spend identifying vulnerabilities in the company’s existing systems. This is an ever-evolving problem and one that requires a response that is able to adapt just as rapidly.
- Difficulties monitoring cyber security policies and procedures
A time-stretched cyber security team must also monitor possibly hundreds, if not thousands, of staff in just as many locations. As such, it will naturally be more challenging to keep on top of staff adherence to existing policies and procedures that look to protect the company. Add to this the complexity of disseminating new security measures and the shortage of experienced team members to explain them, or to deal with genuine security issues when they arise, and you have an ever-increasing number of ways in which threats, big and small, can exist.
Awareness of these risks is the first step towards mitigating them. Recognising the threats they pose and the cost their impact could have is a logical next step. Each vulnerability noted above can be individually identified and addressed. However, the single most effective solution is to ensure that your cyber security team has the resources and the authority to seek out and solve the risks that exist.
It may be that your team requires additional expertise at this time, but in many cases it is likely that, at least in the short term, the issue is more a matter of numbers, to ensure that your stretched team has the additional support it needs.