2020 was a mixed year as far as the cybersecurity community was concerned. On one hand, the raw figures are hard to argue with – a new Cloud Security Report 2021 from Wandera found 52% of organizations dealt with a malware incident in 2020, up from 37% in 2019. Cyber threats are growing across the board, with insider threats particularly on the rise as the pandemic has made WFH a necessity for many organizations.
On the other hand, it may be that the pandemic has a silver lining. By forcing so many employees to work remotely, it has also forced them to take more responsibility for their own security, and for Smart IT administrators to see their role as one of empowerment rather than censure. Because of this, there is good reason to believe that remote work is driving security innovation as much as it is undermining traditional approaches to security.
In this article, we will look at the challenges WFH presents for the average company, and how these challenges can be overcome.
First, let us be careful to locate the challenges that WFH presents within broader movements in the practice and process of enterprise cybersecurity. Despite the breathless tone of much of the industry press on this subject over the past year, the truth is that the primary obstacle to ensuring security in WFH environments is not new.
This challenge can be put simply: WFH reduces the oversight of IT departments and reduces the behavioral restrictions on employees. This becomes immediately apparent that the challenges of WFH are not primarily technical. Rather, they are about managing the behaviors, expectations, and workloads of remote employees in environments where extensive oversight is impossible.
The response of most firms to WFH orders was to immediately provide employees with off-the-shelf tools that supposedly offered increased protection against cyberthreats. Many were crash-trained on using a VPN or told to use a secure browser as a matter of course, without adequate training on how and why these tools should be incorporated into their everyday working pattern.
Furthermore, it is important to recognize that this is not a new problem. Employees have been working from home more and more over the past decade; therefore, the problem of oversight has long been lurking in the background. It has certainly become more acute this year and how we manage it will define the cybersecurity landscape for the next twelve months.
In order to assess how threats to remote workers can be reduced, it is important to understand how the process of moving to remote work affects the behavior of employeesand how this can lead to security threats.
Take a look at the attack statistics for this year, you will immediately see that one type of attack “outperformed” every other: phishing. This is notable, because as we mentioned previously that many of the toolsnewly remote employees were given at the start of the pandemic were designed to protect against some form of a MITM (man-in-the-middle) attack.
To put it another way, VPNs and secure browsers are great if you assume that most attacks will come from outside your organization. What this year shows is that the oldest attack of all – phishing – is still the most effective, because it does not rely on securing external access to systems. Instead, it relies on good old fashioned human error.
Phishing methodology has become so sophisticated even highly trained cybersecurity professionals can have a hard time distinguishing phishing from genuine WFH communication. Ultimately, the responsibility for preventing these attacks falls on cybersecurity administrators, and the best way of meeting this challenge has always been detailed training.
Training for Cybersecurity
Because of this, if there is one cybersecurity technique that will make a difference for your organization in the coming year, it is providing detailed training to WFH employees on how to spot phishing attacks and what to do about them.
The problem with “traditional” approaches to WFH cybersecurity training is that these have regarded the employee as having sole responsibility for “letting an attacker in.” Not only does this ignore how good attackers have become at imitating legitimate messaging, but it also puts undue responsibility and stress on the employee who is already learning to adaptwith an entirely new work environment.
Instead, all firms should look at the model used by companies in the B2B space. In this context, industrial espionage is often more of a threat than in B2C companies. As a result, staff are given a much greater appreciation of the sophistication of their attacker. This then naturally leads to a more collaborative approach to face and overcome cybersecurity risk – one in which system admins and staff can feel that they are equally and mutually responsible for securing networks.
The second strategy that will be key to success in this new era of WFH is directlyrelated to the observation we started with in this article – in this type of environment effective oversight is reduced.
Many system admins will react to this situation first with horror and then with an approach that seeks to limit what WFH employees can do. This is a misguided approach. As multiple studies on the rise of shadow IT indicate, blocking employees from using legitimate tools, under the belief that this reduces security risks, simply leads to them using non-legitimate tools that pose even more of a threat.
Instead, administrators working with WFH employees should focus on making security easier for the end-user. The simpler the systems you provide, the lesser temptation there will be for employees to try to get around them. This should also go together with an approach that stresses that IT operations staff are there to support WFH employees, not punish them if they fall victim to a phishing attack.
This being said, and in contrast to some of the more speculative opinion pieces in the industry press in the last few months, IT admins should stop short of actively encouraging an increase in shadow IT in their companies. The reason is simple enough – without extensive training, it can be difficult for employees to judge whether a particular tool is safe or not. Instead, they should be encouraged to ask IT operations staff each time they want to use a new tool, and IT staff must take a balanced view to these requests.
Ultimately, the rise in WFH over the past year is a problem of degree, rather than essence. As we also point out in our predictions for cybersecurity in 2021, it was always likely that we would have to deal with almost fully remote workforces within a decade. It’s just that many system admins would’ve preferred to have had another few years of preparation time!