Security policies need to be reviewed

With hybrid working set to remain, employers now need to mitigate the risk of cyberattack both in the office and at home. That’s because the almost overnight switch to mass remote working caused by the pandemic 2½ years ago opened up new vulnerabilities for cybercriminals to exploit. While many large companies were already well set up for remote working, others faced a real struggle in facilitating home working for their people.

“In many cases security was an after-thought. Now that some time has passed and some lessons have been learned, companies’ IT security infrastructure is better set up for remote and hybrid working models. This does not mean there are no longer any risks however,” says Dani Michaux, EMA cyber leader at KPMG.

For example, employees working hybrid or remote still generally share a home WiFi network where other household members are streaming or downloading content from potentially risky sites. “People’s home networks have essentially now become an extended part of the corporate network, and businesses need to consider the potential security risks of these future ways of working,” she says.

Security policies must be reviewed and updated for a start.

“Given the heightened cyber threat environment, companies need to provide specific, practical guidance to end-users on best practice security guidelines when working remotely,” says Justin Moran, head of governance and security at telco Three Ireland.

Specific areas of focus for end-users should include, for example, maintaining good password hygiene, avoiding repeated use of the same password across systems and websites and protecting any sensitive personal information in line with data protection requirements.

Many employers may already provide information security training upon induction and run continuous awareness programmes. But, he cautions, if the staff undertaking such training do not adequately complete or engage in it that poses a significant risk to the organisation. “Companies should, therefore, monitor, follow up and test training and awareness levels as part of their information security governance and oversight,” says Moran.

Employers can then tailor their training and awareness programmes for any weaknesses identified.

At a technical level companies can help protect end-users through the deployment of up-to-date endpoint protection so that the devices, such as laptops, tablets and smartphones, where they are used for work purposes are protected from key threats using the latest anti-virus and malware protection.

“With the power of smartphones many users are essentially operating with a computer in their hands. For this reason mobile device management is an area which can often be overlooked and requires prioritisation to provide adequate safeguards for both the company and the end-users,” he says.

Three Ireland works with many of its business customers to provide such security solutions for their workforce through products such as 3Mobile Protect, which shields mobile devices from threats like phishing and malware. It also provides additional safeguards to filter out non-work apps and content such as social media, gambling and inappropriate websites.

The rise of remote and hybrid working stretches the cyber security systems of businesses already under siege from an ever-increasing number of cyberattacks, says Catherine O’Flynn, partner and head of employments and benefits at law firm William Fry. “While the focus tends to be on the calculated attacks and sinister methodologies of malicious third parties, research shows it is the innocent errors of naïve insiders which is responsible for the majority of data breaches,” she says.

Developing a “security culture” which frequently reminds employees of in-house security principles and policies and explains the types of attack they could face will help.

As the attack strategies deployed by hackers are constantly evolving, the defence training provided should be held frequently and be up to date. “Security training should have no limitation of delivery in a hybrid world – employers should be able to effectively deliver the same content to all employees whether they are working from home or in the office,” she adds.

Old style “castle wall and mote” controls have been superseded by the “plastic perimeter” of remote working, points out Puneet Kukreja, leader for cyber projection in Ireland at EY.

“There has been a herculean effort to get everyone working from home, and we’ve seen years of tech transformation in a 24-month period with smart working and endpoint devices, but the human being is the weakest link,” he says, as remote devices become the first line of attack.

As a result the conversation has moved from working at home to data at home, he adds, with cyberattackers taking advantage of trusted, vetted insiders to slip up and provide them with access to their employer’s crown jewels, its back-end data systems.

For many organisations, particularly SMEs, cybersecurity can feel overwhelming. It is complex but also really simple, believes Kukreja. “It’s two eggs in a basket: you have the identity egg, and the data egg. And the basket is all the controls you need to protect them,” he says. That goes regardless of whether employees work in the office or at home.

Much of the increased incidence of cybercrime since the pandemic can be attributed to remote working, according to David McNamara, managing director of cyber security services provider CommSec.

“In order to get people working from home organisations often sent out laptops without any encryption, VPN (virtual private network), multifactor authentication or controls. As such they provided easy access for malicious actors,” he says, adding that cybercriminals exploited human weaknesses too, emailing links with clickbait headings, such as cures for Covid, at a time when people were panicked and searching for news.

Very many organisations now have malware sitting dormant on their systems as a result, waiting for an opportune time to attack, he warns. Typically such attacks happen on a Friday night, or over a weekend, when people are less likely to notice.

Simple practices can help. Microsoft releases patches, or fixes, for Office365 and its operating system on Tuesdays. These provide protection for holes in the system, and, together with backing up data, using multifactor authentication, and simply being alert to cyber risk, are “an easy win”, he says.