When staff operate outside of the traditional perimeter without system vigilance, they become the weak link in pandemic-themed cyberthreats.
The term ‘business as usual’ has been replaced with ‘business as never before’ this year.
Back offices have been rapidly moved to the confines of people’s living rooms and bedrooms, with personal laptops becoming the new office hardware.
For some roles, the transition was logical and seamless, prompting some firms to abandon the ‘bricks and mortar’ office permanently. However, for companies and teams that handle sensitive data, operating without the traditional perimeter has thrown up some major security challenges, many of which have been overlooked by organizations in their scramble to facilitate remote-working.
According to some reports, 56% of workers have been using their personal laptops to perform work duties during the pandemic, and these ‘non-hardened’ devices are putting company data and IP at risk. Compounding these threats, remote employees, without the supervision of relevant personnel, are more prone to relaxing their internet usage habits. Research by Trend Micro found that more than half of workers surveyed admitted to using a non-work application on a corporate device, with 66% uploading corporate data onto that application. This is despite nearly three-quarters claiming they had become more aware of their company’s cyber policies during the COVID-19 lockdown.
Crisis equals opportunity
Workers handling sensitive data outside of the traditional security perimeter are an attractive target for attack campaigns. This has already been on stark display during the COVID-19 crisis, with the likes of the World Health Organisation reporting a fivefold increase in cyber-attacks against its staff this year.
Hackers have also created thousands of COVID-19-themed domain registrations for aggressive phishing campaigns. Forcepoint’s own findings indicate that cybercriminals are piggybacking on the public’s interest in COVID-19.
Our analysis revealed a rise in unwanted emails (malicious, spam or phishing) containing embedded URLs using the keywords of ‘COVID’ or ‘Corona’ from negligible values in January 2020 to over half a million blocked per day by the end of March, settling down to around 200,000 per day right through until the end of May.
In the face of these issues, how can enterprises maintain security and data privacy? Despite the complexity of the problem, the answer to this question may be simple: focusing on the human element.
Staff are already aware they should keep an eye out for suspicious emails, attachments or pop-ups. But with a distributed workforce, how can IT teams know whether their colleagues are taking this advice?
Under these circumstances, strategies which factor-in situational awareness are equally. For example, are your remote team members operating from their bedroom, or perhaps a shared living space with casual flat mates they barely know? Are they using a public WiFi network to access your VPN?
The current climate calls for organizations to be adaptive in their approach to securing the physical location of both people and data, and to implement cybersecurity policies that cover access by any device and access in the cloud.
Cognitive biases and mental shortcuts
Additionally, your risk strategy will need to factor-in cognitive biases and heuristics (mental shortcuts)— and their associated behavioral tendencies—which can disillusion people in terms of risk awareness: particularly when staff are operating outside of the traditional perimeter and without management oversight.
For example, a recent survey found that employees exercised the least caution when using apps such as Slack and Microsoft Teams, despite their vulnerabilities and attractiveness to threat actors. This could be due to the ‘familiarity heuristic’, which causes people to trust things based on how familiar they are, regardless of their actual risk factor.
Be sure to remind your team that no sensitive information should be visible on camera, and ensure that your call is secured by a password and end-to-end encryption.
Finally, it is vital that you have a baseline understanding of your employees’ behavioral patterns. This will enable you to implement a human-centric security framework that adapts cyber policies to individual users—and can recognize suspicious behavior before significant damage is done.
While home is normally a place to relax, in the context of cyber security and data privacy, it most certainly is not.