As the future of work continues to evolve, cybersecurity should be a top priority for organisations everywhere.
Despite employers pushing for the end of work-from-home policies for both financial and security reasons, recent data from LinkedIn showed that up to a third of employees would quit their jobs if they were forced to work from the office full time. So how can organisations retain their talented home-office workers and stay safe and secure?
There are plenty of reasons why employers want their staff back in the office, among them exposure, company culture and the perceived benefits of in-person interaction. However, from an IT team’s point of view, a mass remote workforce produces a whole host of new cybersecurity challenges. For example, nearly a fifth of IT professionals say workers aren’t secure when working remotely, largely because they use more unsecured and untrusted networks and vulnerable hardware at home. Given the financial, reputational and operational risks that cyberattacks pose, businesses cannot take these threats lightly. Yet they must find ways to manage them if they are to protect themselves in this modern way of working.
Stop playing the ‘blame game’
Far too often in cybersecurity, there’s a tendency to blame the end user for getting attacked online. Despite this blame game, standard security training frequently offers up unhelpful advice such as ‘don’t click links’ and ‘don’t open email attachments’, which don’t address the root of the problem, or help end users truly keep themselves safe online.
End users without an engaging and up-to-date security awareness training program are more likely to fall for a range of tactics, whether by accidentally clicking malicious links or by falling victim to social engineering scams. Unfortunately, user blaming has worsened amid the switch to hybrid working, with companies reporting an increase in insider threats driven by a higher number of remote workers. If a breach does occur, companies must avoid playing the blame game and unfairly placing responsibility for attacks on their staff. After all, cyberattacks are designed to trick people into slipping up. Especially if their security training isn’t thorough, the average worker won’t be able to identify every threat that comes their way.
Instead, companies should treat cybersecurity as a shared responsibility across the whole organisation. Creating a positive culture and environment where employees feel able to speak up about potential threats will yield the best outcome. This way, IT teams will be alerted to potential intrusions and can catch them far earlier in the process, becoming more effective at pre-empting and combating threats.
Public space or public enemy?
‘User blaming’ can also manifest in the narrative that working from public spaces is far riskier than working from home. Despite some prominent examples of targeted attacks using watering hole techniques, there’s currently very little evidence to suggest that working from your local Starbucks is more of a threat than working on your home network. In many cases, the discussion around insecure public Wi-Fi boils down to scare tactics.
When it comes to working across multiple locations, one approach businesses can take is to ask employees to install a managed VPN on their devices. This encrypts traffic travelling between the device and the VPN termination point, helping to keep data communications and internet activity private even in a public setting.
That said, VPNs don’t always provide the privacy and security their providers claim. Most consumer VPN providers are subject to little regulation, which adds risk to your threat model. It should be assumed that whoever runs or owns a VPN provider can view all the traffic it processes. That means organisations need to choose a trusted provider that allows them to manage the termination points, encryption keys and certificates themselves.
The human factor is always the weakest link
While it’s unhelpful to blame staff for a breach, it’s important to acknowledge the key role they play in protecting the organisation and to provide them with thorough training. This should include encouraging staff to be vigilant and teaching them how to spot the signs of a potential attack. It can be as simple as checking whether an email was sent at a suspicious time, or whether it contains any obvious misspellings or errors.
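The two signs just mentioned, an unusual send time and an obvious misspelling, can also be checked automatically at the mail gateway before a message ever reaches a user. The following is an added example, not code from the article or from Arctic Wolf: it scores a raw message on those two signals, using stdlib only, with a constructed organisation domain, working hours and sample messages as assumptions.

```python
from datetime import datetime, time, timezone
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example.com"                  # assumption: the organisation's own mail domain
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumption: working day, Monday to Friday


def sent_off_hours(sent: datetime, local_tz=timezone.utc) -> bool:
    """True if the message was sent at a weekend or outside working hours."""
    if sent.tzinfo is None:                 # '-0000' dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    local = sent.astimezone(local_tz)
    weekend = local.weekday() >= 5
    in_hours = BUSINESS_HOURS[0] <= local.time() < BUSINESS_HOURS[1]
    return weekend or not in_hours


def lookalike_domain(domain: str, threshold: float = 0.8) -> bool:
    """True if the domain nearly, but not exactly, matches ours (e.g. a swapped character)."""
    if domain == ORG_DOMAIN:
        return False
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= threshold


def triage(raw_message: str) -> list:
    """Return the warning signs found in one RFC 5322 message, in header order."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if lookalike_domain(domain):
        findings.append(f"sender domain {domain!r} looks like {ORG_DOMAIN!r}")
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent_off_hours(sent):
            findings.append(f"sent outside business hours: {sent.isoformat()}")
    return findings


# Constructed sample messages (not real mail): a Sunday 03:14 mail from a look-alike domain,
# and an ordinary Tuesday-morning mail from the real domain.
SUSPICIOUS = """From: "IT Helpdesk" <helpdesk@examp1e.com>
Date: Sun, 05 Mar 2023 03:14:00 +0000
Subject: Urgent: your password expires today
"""
BENIGN = """From: Alice <alice@example.com>
Date: Tue, 07 Mar 2023 10:30:00 +0000
Subject: Minutes from this morning
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

Such heuristics only surface messages for closer inspection; they complement, rather than replace, the training the article describes.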
The responsibility also falls to the IT teams themselves, who need to set boundaries with employees about what corporate data they can and cannot share online, and what applications can be used on a work device.
Despite a drive to return to the office, we’ll likely see most organisations adopt some form of hybrid working model as their standard approach. As a result, managing the cybersecurity challenges that accompany these new systems will be essential.
About the Author
Ian McShane is VP of Strategy at Arctic Wolf. The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge, and yet despite this constant innovation we continue to see high-profile breaches in the headlines. All organizations know they need better security, but the dizzying array of options leaves resource-constrained IT and security leaders wondering how to proceed. At Arctic Wolf, our mission is to End Cyber Risk through effective security operations.