A Back-to-the-Office Transition Could Cause Big Problems for your Cyber Security

Our circumstances are constantly changing, and as employers are handed more autonomy in deciding whether employees return to the office, they must not forget about the risks that come with this transition, especially where cyber security is concerned.

The ongoing pandemic has caused the majority of businesses to opt for a more home-based office set up – for some this would have been easy and smooth. But, for others, this will inevitably have come with its complications and flaws. A change on such a big scale, if not managed correctly – from the logistics of ensuring all staff are comfortable to making sure that your network is secure – can cause a big headache for business owners. 

Recent research by Beaming shows that between April and June 2020, UK businesses saw a record surge in attempted cyber attacks. There were a total of 177,000 separate attempts on each business Beaming tracked, which is indicative of a wider problem across the UK. That’s equal to one attack every 45 seconds – a 13 per cent increase on Q1. 

We can assume, then, that many attackers saw this mass transition to home working as an opportunity to attack while defences were down and processes disrupted on a huge scale. It's fair to deduce that they are poised and ready to attack as we transition back to ‘normal’.

According to the NCSC (National Cyber Security Centre), since the start of the pandemic, there has been a huge increase in phishing attacks. The Cyber Security Breaches Survey 2020 showed that 46 per cent of businesses overall have identified breaches or attacks in the last year, and gave the following statement:

“Staff receiving fraudulent emails or being directed to fraudulent websites. This is followed, to a much lesser extent, by impersonation and then viruses or other malware. One of the consistent lessons across this series of surveys has been the importance of staff vigilance, given that the vast majority of breaches and attacks being identified are ones that will come via them.”

Phishing attacks are sophisticated and adaptable; they can change to fit the recipient or the business. The attacks are difficult to spot, and threat actors embrace times of chaos, like COVID-19 and other changes in society, to seem as legitimate as possible, which can create big trouble for businesses when their staff are spread apart. Phishing attacks can target anyone at your company. Regardless of technical ability or position within the business, anyone with a connection to the network could be a target.

A report released following the ‘peak’ of COVID-19 revealed a ‘mad scramble’ as firms prepped security for remote working; it’s likely similar trends will be seen over the next quarter. There are a lot of security elements that must be considered, like having the right system configuration or having security patches installed.

There’s a lot we can learn from how underprepared many were for such a massive change, so how do businesses ensure a safe return without cyber risk?  What can you learn from the last transition? Where were the holes in the system?  These are the questions that need asking as you transition back to the office.

Businesses can prepare now by making some simple structural changes to the way cyber security is viewed in the business. These include:

– Ensuring all leadership teams are educated and well-versed in phishing attacks

– Adopting a top-down approach.

– Ensuring you have cyber security representation at the leadership level within your organisation.

– Introducing a “no-blame” culture – it is more important for incidents to be reported and resolved than ignored and left to adapt.

– Empowering staff to be able to report issues they are concerned about.

– Don’t allow cyber security to be a blocker – any controls implemented should not cause staff difficulties, which in turn would lead them to seek a workaround and bypass controls. The solutions should be simple and easy to understand.

– Have a business continuity plan in place that outlines how your company would continue to operate should the worst happen – in this case, it would be worth reviewing any difficulties experienced in the last quarter, making sure these are addressed and that the plan going forwards can embrace new changes.

It’s essential to communicate the importance of these steps and cyber security to everyone in the business. If all employees – whether in IT, cyber security or not – understand that their own role contributes to the overall security, then there could be up to a 70 per cent lower chance of being attacked.

Education and an understanding of the threats your business faces, especially in times of unrest, are key; mitigations and preventative measures can then be implemented to ensure staff stay engaged with protecting the cyber security of the business. Investment in coordinated and strategic processes is just as important as training and education, as well as any technical controls.

Businesses can take the first step by implementing controls such as the Cyber Essentials scheme. The Government-backed initiative can play an important role in the safety of a company at a time when cyber attackers are on high alert for an opportunity to move in.

About the Author

Sarah Knowles is senior security consultant at Nexor, which works with the UK Government, military and NATO on their cyber defences. 
