As of mid-February 2020, about 4.7 million US employees were working remotely. The social distancing measures introduced in March caused that number to surge dramatically. According to Gallup, the percentage of full-time employees working from home due to COVID-19 jumped from 33% to 61% in the second half of March. These changes have inevitably brought about additional cybersecurity risks.
Out of 2,000 new pandemic-forced remote workers surveyed in IBM’s report, 45% said they had not received any additional security training since going remote. More than two-thirds of North American companies that were surveyed for the “Remote Work in the COVID-19 Era” report also said they were struggling to strike the right balance between flexibility and security for remote employees.
Connectivity first, security an urgent second
Efforts to manage the COVID-19 pandemic have forced enterprises to rapidly adapt to new working models. Companies have drastically increased capacity to meet the needs of businesses and consumers: virtual meetings, live streaming, automated customer assistance, business intelligence driven by machine learning, online education, and more.
In this rush to adapt, many companies have neglected or ignored both their risk and change management processes. While this may be understandable given how quickly businesses had to adjust to continue operating in a new environment, the time has come to put security measures in place.
“One of the things that’s changed is that corporations no longer have control over the infrastructure their employees use for work,” said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams. “In some cases, employees may use personal computers to access a business network.
“They may also use unsecured or outdated Wi-Fi encryption algorithms or weak Wi-Fi passwords that can be easily breached by bad actors. That’s a critical issue that could result in data breaches or malware making its way from a personal computer, over a home Wi-Fi, to a business network.”
Cyberattackers not taking time off
While security is in itself a basic principle, many enterprises have not received the message that cybersecurity has to be the immediate and primary focus of IT strategic agendas. These errors in judgment are why so many companies have become victims of ransomware, social engineering, or DDoS attacks during COVID-19.
According to Gartner’s research, the average cost of downtime for a small-to-midsize business is $5,600 per minute. The World Economic Forum’s “Global Risks Report 2020” reveals that, in the United States, the chances of catching and prosecuting a cybercriminal are almost zero (0.05%). At the same time, the impact on the targeted companies’ business is massive. IBM’s “Cost of a Data Breach Report” pegs the average cost of a security breach at $3.92 million.
Now that many employees have shifted to remote work – in addition to organisations being distracted trying to handle the virus – security and risk management teams need to be more vigilant than ever.
“If your company took shortcuts to expand remote connectivity, you should prioritise access and access control assessments. You should also assess the threats your remote workers may inadvertently be creating,” the NordVPN Teams expert adds. “If you have 5,000 employees, you now have 5,000 remote offices to protect. The bandwidth has increased dramatically, and there’s really no time to waste.”
While no network is immune to attacks, a stable and efficient network security system is essential for protecting data.
Where to start with security implementation
Cybersecurity risks posed by remote work can be categorised into three key areas: People, places, and technology. The risks presented by people include employees falling prey to social engineering, phishing, and targeted attacks that aim to capture users’ credentials or make them accidentally download malware.
Place-related risks include connecting to the corporate network from unsecured home or public Wi-Fi locations. Technological risks have to do with using personal or unauthorised devices that aren’t in line with corporate security policies and patching hardware.
Protecting identities and applications is vital regardless of whether your business is on a hardware-reliant corporate network or the cloud.
Juta Gurinaviciute comments: “Risk reviews take time, as most companies have very complex IT environments. However, control and ransomware strategies, SaaS vulnerabilities, multi-factor authentication, and VPN security are among the first steps tech leaders need to take towards a secure remote work environment.” Employees should also be alert to the usual pitfalls of day-to-day cybersecurity, such as poor password practices.
COVID-19 has set a new baseline for effective and secure remote work, and we should assume that many organisations will continue to use remote workforces after the pandemic ends. In this new normal, cybersecurity leaders will not only have to protect their organisations in remote settings but will also need to make cybersecurity an integral part of their plans to deliver business value.