In a recent article, I examined the growing desire among workers to be able to work from anywhere. This principle goes beyond “merely” working from home or a co-working space in the location of your employer and opens it up to literally working from anywhere.
This has been commonplace among gig workers and digital nomads, with data from 2020 revealing that around 5 million Americans identified as such. With the Covid pandemic showing how effective remote working can be, and numerous places around the world opening their arms to digital nomads, it’s a concept that seems likely to grow in the years ahead.
Security concerns
The shift to remote working during the pandemic coincided with a significant rise in cybersecurity incidences as criminals sought to take advantage of both the stress and disruption of the pandemic itself and the increased “attack surface” available to target.
“While most industries made the shift to remote work due to the pandemic, it created new attack surfaces for cybercriminals to take advantage of, such as home devices being used for business purposes,” Microsoft explained in their recent Digital Defense Report.
This has forced employees and security teams alike to think about security in a way that was not required in the pre-pandemic landscape when work was predominantly conducted in a physical workspace.
“We need employees to be far more aware of things that they wouldn’t need to be aware of when they’re working in the office,” says Nadya Bartol, Managing Director, BCG. “For instance, who is standing behind us? Am I leaving my device unattended? How is the network I’m using protected? Do I let family members use my device?”
Significant implications
The remote workforce represents a significant increase in the so-called “insider threat” faced by organizations. A recent study from cybersecurity firm ProofPoint found that insider threats have increased both in terms of their frequency and cost during the Covid era.
The researchers highlight that while we may think of insider threat risks as the preserve of a disgruntled employer acting maliciously, the overwhelming majority of leaks and breaches are simply due to carelessness and negligence.
The findings chime with those from a recent study by the University of Central Florida, which found that when employees are stressed, they’re far more likely to break security procedures and protocols. Indeed, the researchers found that the most common form of breach is when adhering to the rules slows workers down and so they break the rules in order to maintain their productivity.
The costs of such carelessness can be considerable, however, with the ProofPoint data revealing that each incident cost nearly $500,000, with large organizations (with 75,000 or more employees) spending $22.68 million on average to fix insider-related incidents.
Facilitating the change
We’re living in a world in which flexibility is increasingly demanded by workers. For instance, researchers from Swinburne University suggest that for many Australians, the exposure to remote working during the pandemic was sufficient to convert them to the benefits of flexible working.
“As we begin our return to office, organizations should not be rushing to resume normal programming (just with reduced days in the office),” the researchers say. “This is an opportunity to rethink our approach to hybrid working, and what makes sense for hybrid models today might not be as effective in six months’ time.”
The pandemic has seen much of the cybersecurity focus on ensuring that home environments have been as secure as possible, but research from the Business School (formerly Cass), City, University of London and Goldsmiths, University of London shows how remote workers value “third spaces”, such as cafes, bars, and even pubs, that they can work remotely in.
This ups the ante as these spaces, while offering the flexibility that workers crave, also greatly increase the risk from a cybersecurity perspective. For instance, famous research from the University of Michigan found that almost 70% of us willingly plugged in a USB flash drive we found lying about without considering the security implications.
“I don’t think that security is a choice as every business that we speak to sees flexibility as a business imperative so they have to figure out a way to make it work,” Ryan LaSalle, North America Security Lead at Accenture, says. “It is 100% an imperative for every security organization, they don’t get to say no, they simply have to make this work.”
Securing the remote workforce
The Microsoft Digital Defense report suggests there are some pretty straightforward steps that employees and organizations can take almost immediately, including mandating more secure passwords, implementing two-factor authentication, ensuring all devices are fully patched with the latest software updates, and providing training to employees on secure practices, especially in identifying the kind of phishing attacks that continue to make up the bulk of cyberattacks today.
Virtual private networks (VPNs) are also commonly deployed to try and offer secure remote access connections between employees and their private corporate network. While VPNs can be highly effective, they can also come with numerous risks, especially if the network is poorly configured. Indeed, the Colonial Pipeline attack was administered via just such a VPN.
5G promises remote workers more powerful connectivity, with the promise of greater security than using WiFi connections or even VPNs. The reduced latency promised by 5G is set to make it a realistic alternative to WiFi, with remote workers having the option to use unlimited data options as their default connection to the workplace.
5G technology has encryption built-in via anti-tracking and anti-spoofing tools. It also utilizes network slicing, which allows a network to be spliced into multiple virtual networks, each of which can have customized security protections. This would allow specific controls to be given to highly important people within an organization to try and fight off whale phishing, which is when such VIPs are targeted by criminals due to their value.
A holistic approach
Of course, 5G is not without risks of its own, not least of which is that the advanced capabilities mean that many more devices are likely to be connected, and IoT devices multiply the number of possible vulnerabilities within your network. This was highlighted by a recent paper from Palo Alto Networks, which emphasized the growing number of non-business IoT devices that were now connected to corporate networks, including pet feeders, coffee machines, and gym equipment.
“5G has better authentication, so I can’t pretend to be you and you can’t pretend to be me, as you could in earlier generations,” Jeremy Thompson, Executive Vice President, Cyber Security, Western Europe, says. “But from a corporate security point of view this may not be seen as any different to other forms of connection, as you generally assume that you can trust nothing.”
It seems likely that remote work is going to endure after Covid, so it’s vital that organizations get a grip on cybersecurity to ensure that their remote workforce doesn’t provide easy pickings to criminals. 5G might play a part in that, but Thompson explains, the best security is likely to come from a combination of other aspects of the network that go beyond the means of connection itself.
“I don’t think most security teams would treat working in a third place any differently to working from home,” he explains. “The mindset is that connections are questionable and the environment you’re working in will be open to attack.”
As such, the vast majority of attacks can be prevented by ensuring that passwords are secure, software is patched, and employees have a basic awareness of cyber hygiene and phishing awareness so that they don’t place themselves into vulnerable situations.
“We know this is what people want, post-pandemic, and so starting with embedding security from the beginning is a must,” Jefferson Wang, Global Lead of 5G and Cloud First Networks at Accenture, says. “It’s not just a decision, there’s a whole program around it that includes policies, tools, training, and so on, that all work to ensure we can give remote workers the flexibility they crave while maintaining the security that is so crucial to the modern enterprise.”
Cyber hygiene
Pleasingly, achieving sufficient cyber hygiene to rebuff the overwhelming majority of cyberattacks doesn’t require sophisticated technology or a highly skilled security department. Instead, it just requires organizations ensure the basics of cyber hygiene are adhered to. This includes:
- Multi-factor authentication. Multi-factor authentication (MFA or 2FA) prevents the majority of credential-based attacks. This is easier than ever with the kind of passwordless technology that is increasingly the norm in modern software. MFA should be enabled wherever possible.
- Least privilege access. As well as deploying MFA to protect login to key accounts, it’s also important to ensure that each account only has access to the systems they really need. Indeed, the researchers argue that distinct accounts should be used when accessing privileged systems than when browsing the internet or using email.
- Keep devices up to date. A basic requirement for any device on the network is to ensure that it’s both configured correctly and has the latest patches and updates from the manufacturer. Endpoint management software can be a useful aid in ensuring this happens across the network.
- Deploy anti-malware software. Another simple step to take is to ensure that malware protection software is installed and used in addition to more standard anti-virus software. This software can often not only provide protection against attacks but warnings that attacks are being attempted.
- Protect data. All of the aforementioned steps can prove highly effective at protecting key organizational data, but it’s also highly important that organizations have a good understanding of the data they have, and its relative sensitivity and importance to the organization. Indeed, under regulations such as GDPR, this is often mandated and underpins a risk-based approach to data governance.
As we get used to a more hybrid way of working, the introduction of cyber hygiene training into employee onboarding is likely to be a key part of ensuring that the disparate workforce is a secure workforce.