Companies spend more than $100 billion a year on security technology, but despite that enormous investment, more than 12 billion records were compromised in 2020. If cybersecurity is a multi-billion-dollar industry, so is cybercrime, which consists of organized and unorganized actors, including foreign government entities. It’s a never-ending arms race, and in 2020, the battlefield changed pretty dramatically.
With the drastic shift to hybrid and remote work induced by the global pandemic, organizations and companies rushed to adapt to the new workplace environment. That display of resilience came with risks, however: the shift to remote and hybrid work put the security of organizations’ sensitive information at greater risk.
Earlier this month, Apricorn, a manufacturer of 256-bit AES XTS hardware-encrypted USB drives, released a survey that analyzed data about cybersecurity practices a year into the adoption of remote work arrangements. The respondents are IT security professionals scattered across the United States and Europe.
Too much trust
The survey reveals an alarming finding: the trust organizations give their employees extends to household members and third-party vendors. Such a level of trust runs the risk of compromising a company’s sensitive data, and certainly explains the growing interest in “zero trust” security solutions.
Of the survey’s 420 respondents, 60 percent said they experienced data security issues over the last year, and 38 percent admitted difficulties managing data control.
Nearly 20 percent said members of their household had accessed their work computers.
45 percent of respondents permit the use of personal USB devices by employees without corporate oversight.
While most respondents agree on the need to enforce an encrypted USB policy, 40 percent expressed concern about the lack of plans for rolling out such a policy.
Despite the common occurrence of third-party vendor security breaches, 25 percent showed no concern about the risk.
49 percent say employees don’t consider themselves targets for cybersecurity attacks.
Cybersecurity risks in remote work environments
While working from home gives employees flexibility, organizations might in the process have created a paradise for hackers. It’s always best to remind ourselves of how the dark elements of the virtual world work: they look for opportunities to exploit in the patterns and routines of people’s behavior.
One common tactic is social engineering, which involves psychologically manipulating people into taking actions that compromise data security. A hacker baits a target into divulging sensitive information by taking advantage of the person’s psychological profile, or lures an unmindful employee into installing malware or ransomware.
Another form of social engineering is scareware, a false alarm or threat that looks legitimate to an employee. On closer inspection, it turns out to be a scam aimed at harvesting information. Always be alert when receiving suspicious emails and texts.
Targeted phishing is not new, but it found renewed purpose with the shift to hybrid and remote workplaces. Data thieves, hackers, and scammers cash in on human vulnerability to access a company’s sensitive data. According to TechRepublic, 48 percent of U.S. remote workers experienced phishing attacks six months into their work-from-home arrangement.
Hijacking password sharing
Password sharing had been a common practice among employees even before the quick transition to remote work. It helps accomplish tasks more quickly.
When employees who work from home and have access to sensitive information share passwords, they expose their companies to security risks. A professional hacker could mimic the behavior and communication pattern of a colleague to steal credentials. Therefore, passwords should not be shared and must be changed often. Saving passwords in a browser might not be secure. Multi-factor authentication and password vaulting might be of some help.
For employees working remotely, maintaining strict discipline about using devices only for work can be a challenge. Many of them struggle with the temptation to use company-issued laptops and mobile devices for personal matters, such as personal email, online shopping, and checking social media. Most concerning of all is allowing other members of the household to use the device. This behavior can compromise data security.
Employees should use work devices solely for work-related matters to maintain data integrity, and use personal devices for personal needs. Don’t synchronize files to devices not issued or approved by the company. When emailing sensitive company data, employ encryption to ensure that only the intended recipients can read the message.
Unsecured public networks
An employee bored with staying at home might go to a cafe or a park with a WiFi connection to finish some tasks, and in doing so might unwittingly connect to an unsecured public network. Such behavior exposes not only the device but also the organization’s sensitive data to security risks. Public networks are a haven for cybercriminals.
Make sure employees log on only to secured networks and avoid unsecured public WiFi. Always use an encrypted web connection. Create a personal or private hotspot for your WiFi connection. Getting a VPN service might help, but it has limitations: the protection does not extend to the data’s destination. Setting up an encrypted remote connection into an individual server can also be an option.
Think like a cybercriminal. Be suspicious when working in a cafe or coffee shop; a cybercriminal might be watching you. Blocking sightlines is helpful. Also, avoid using USB thumb drives of unknown origin.
Work from home is a perfect opportunity for a malicious insider in the company who might have ties with hackers, or who just wants to steal company intellectual property. A positive company culture can reduce such risks, and tools like data loss prevention (DLP) can help.
There’s always a security risk as a business adapts to new environments and technologies. Organizations that adopt hybrid and remote work must invest in training and assisting work-from-home employees on cybersecurity, in addition to keeping an IT team dedicated to data security that keeps up with the latest threats.