The pandemic has introduced many significant cyber security challenges, none more so than the hybrid home worker.
The pandemic has driven a huge increase in the adoption of “collaboration tech”. According to McKinsey’s most recent global survey of executives, remote working and/or collaboration increased more than 40 times more quickly than executives thought possible before the crisis. Chief information security officers (CISOs) have had to race to empower remote workers by providing access to collaboration tools such as Zoom or Microsoft Teams and secure access via virtual private networks (VPN), balancing the need to enable productivity with the responsibility to minimise organisational risk. Adapting to this new way of working has not been without issue. Remember the early days where uninvited guests barged into meetings and high-profile individuals shared sensitive conference meeting details on screen?
We have now become accustomed to family members making an appearance in our team meetings and our colleagues have become a little more conscious of secure ways of working. For example, when taking part in video meetings, we are more sensitive to what appears behind us when on camera. However, full-time remote working on such a large scale, with cloud-based scanners and printers, and unsecured home routers sharing interconnected home devices, including Alexa or smart TVs, has increased the digital attack surface a CISO has to protect.
At the same time, our heightened curiosity for Covid-related information has elevated the risk of email-borne threats. Eager to read the latest data about the pandemic, or distracted with events happening at home, our guard is lowered, making us all easier targets. Researchers at security firm Barracuda reported a 600+ per cent increase in worldwide email phishing threats with a coronavirus theme during March 2020 alone. Covid-19-related fraud is a genuine challenge for the CISO because the behaviour and actions of our staff are now less predictable. Worryingly, in a recent survey by cyber security firm Tessian, 48 per cent of respondents said they were less likely to follow safe data practices when working from home. Extending the corporate security reach into the home to discover if this working environment is safe or has already been compromised will be a persistent challenge post-Covid.
So how should the CISO respond?
New working environments – and the associated changes in risk profiles – demand new responses. Working hours have changed, with colleagues now establishing really quite diverse working patterns to provide a work-life balance. This changes the traditional threat profile that the security team has worked hard to understand. Security teams must carry out new modelling scenarios that work through what could go wrong in the new work-from-anywhere environment – for example, security threats caused by home tech – and revise incident response procedures accordingly.
Previously, scenario “playbooks” were likely to have had guidance on how the security team should deal with an affected laptop or device they could physically access. If the workforce is dispersed across a wide geography, then third-party incident response services could be critical to recovering an incident. Dusting off and, if the opportunity allows, renegotiating and reviewing both parties’ obligations should be a high priority. Alternatively, building the capability internally may provide more control and more flexibility to deal with the unexpected. Building capability internally is a great opportunity to invest in an organisation’s most valuable asset – its staff. It is also a clear signal to the rest of the business that cyber security is being taken seriously.
UK households have, on average, 10-15 internet-connected devices, which with the continued explosion of the Internet of Things (IoT), is set to rise to 50 by 2023. This presents increased complexity as data moves in-transit across global networks, cloud platforms and apps, sometimes out of sight of the organisation’s security controls. It is imperative that the training cyber security professionals receive is frequent and reflects the latest threats an organisation is likely to encounter. For example, using a simulated environment to better prepare for the changing threat advisory builds internal competence – and confidence – in a safe-to-use gamified cyber practice range.
With state-of-the-art virtual learning labs and gamified learning provided by organisations like QA, there is no reason for Covid-19 to be a barrier to regular and engaging cyber security training. Instead, learning should be a key driver for organisational culture, which is likely to need constant reinforcement in times of change, especially when many are physically disconnected from the office and co-workers.
Why education and training are key to cyber resilience
As employees look to balance convenience and productivity at home, work data is now regularly traversing both corporate and personal devices. Borderless challenges require security training for every user in the organisation. Transferring security culture and hygiene into the home-working environment is paramount.
The emergence of technology like Amazon AWS or Microsoft Azure hubs that can protect all of our integrated devices will help secure, regulate and protect interconnected remote worker devices. Using this type of solution, CISOs can not only secure the corporate perimeter but help staff protect their increasingly connected homes, their digital personal lives and their loved ones from cyber threats. At this point, we will begin to strike the right balance and empower employees to become more cyber-resilient without compromising productivity. But we have to continue to educate our best line of defence – the “human firewall” – to be vigilant and security-conscious at home.
During a time of change, we have the opportunity to enhance security culture and improve behaviours, with role-specific security training and staff hygiene adopted by every member of staff for the new normal. This should also include targeted messaging for executives working from home. It is worth noting that many new homeworkers may lack the digital skills – or inclination – to safeguard their smart tech in the home. CISOs need to prioritise and educate to protect their organisation and staff whenever and wherever they work.
This article was first published in the New Statesman on 3 December 2020.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM, CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, in addition Richard is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor for cyber insights and industry collaboration including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
Cyber Pulse: Edition 149 | 9 April
Stop your search for cyber security talent
Cyber Pulse: Edition 148 | 1 April
Cyber Pulse: Edition 147 | 16 March
Cyber Pulse: Edition 146 | 4 March 2021
Cyber Pulse: Edition 145 | 19 February 2021
Cyber Pulse: Edition 144 | 5 February 2021
Cyber Pulse: Edition 143 | 27 January 2021
Cyber Pulse: Edition 142 | 18 January 2021
Cyber Pulse: Edition 141 | 11 January 2021