Cybersecurity and the Remote Work Experience
As the number of world-wide employees working remotely has risen, so too has the number of IT-related security threats. According to the Pew Research Center, prior to the pandemic, approximately 20% of Americans worked from home all or most of the time. By mid-2020, this number dramatically increased to 75%1. Despite organizations taking sweeping measures to mitigate risk, security breaches still became major issues for large and small employers alike.
“While organizations have gone to great lengths to secure their office networks and spaces, the new remote work environment poses new and unforeseen challenges and has left many professionals scrambling to play catch-up,” explained Charles Keane, Security Specialist for cybersecurity company, Sailpoint. “Core controls like Identity Governance, Data Security, and Malware Protection are still critical while remote, but people remain the weakest link in all cybersecurity programs.”
According to a recent article presented by cybersecurity blog csoonline.com, phishing attacks account for an alarming 80% of all security incidents and email is responsible for distribution of 94% of malware2. InfoSecurity Magazine recently presented the disturbing statistic that one person falls victim to Ransomware every ten seconds in the United States3.
In August 2020, cybersecurity firm, Malwarebytes, released a report detailing the disruption caused by the shift to remote working. According to the report, 28% of those polled said they use personal devices for work-related activity. Additionally, 20% of those polled said remote work has led to at least one security breach. Because of this significant increase in attacks, nearly one quarter of participants and/or their employers endured unanticipated expenses to resolve the incidents4.
“To further complicate this, COVID has given attackers an extremely disruptive platform to carry out increasingly sophisticated campaigns,” said Keane. “Attackers are benefitting from changes in routines, employee disengagement, and learning curves on new tools to accommodate remote collaboration. For example, we recently saw phishing campaigns focused on changes to health insurance coverage in the middle of the pandemic as a way to get users to click on malicious links or attachments.”
According to Keane, the increase in online interaction, rather than traditional face-to-face collaboration has opened the door for more attacks.
“Without the traditional office setting and being able to directly interface with colleagues, employees are more vulnerable to these sorts of attacks than ever,” said Keane.
Organizations affiliated with the government, whether directly or contractually, are especially subject to stringent security measures. The office plays a vital role in maintaining a secure presence, both physically and virtually.
According to Audrey Russo, President and CEO of the Pittsburgh Technology Council, “Companies who have government contracts may have different levels of security requirements placed upon them. The requirements are clearly identified based upon the department contracted with and the need to ensure security practices. Each agency has specific protocols, many of which ensure that cybersecurity compliance for classified and unclassified data storage are used.”
Russo further describes the importance placed on maintaining a secure workplace for those who desire to obtain government contracts. “Returning to a controlled environment, of which offices can and do comply, is critical to government awards,” said Russo. “Many of our regional companies who are especially operating in AI and robotics are awarded government contracts from all of the federal departments of our government.”
Are there any specific actions organizations can take to alleviate increased threats? Keane suggests education as being the single most effective form of defense. “Security awareness training remains a cost-efficient and effective control when faced with a remote work force. There are a number of curriculums available that help to educate employees on what to do and what not to do when they see suspicious communications,” Keane stated.
Keane further illuminates the importance of communication followed by proper protocols once a threat is suspected. “Another alternative is to create strong corporate messaging around reporting any suspected phishing or social engineering attempts – it can be as simple as a hotline or alias to empower employees to report things that seem off,” said Keane.
To summarize, remote working poses a significant threat to any organization’s security. Those companies who maintain or desire to gain contracts with government agencies (such as the Department of Defense), are required to take exceptional measures to secure their infrastructure. Maintaining updated firmware, deploying anti-virus software, and utilizing a Virtual Private Network (VPN) are great ways to combat cybercrime. Additionally, all organizations must educate their employees and implement effective means of reporting and communication. However, the strongest form of defense is a secure office environment.