The global Covid-19 pandemic forced many businesses to rapidly relocate employees from the office to working from home. For many organizations this meant enacting, and exposing weaknesses, in their emergency plans created to continue business in the event of fire or flood. Most of these back-up plans centered on protecting data and setting up a temporary workplace and were reliant on financial support from insurances.
When the shift to home working happened, many companies had no experience of remote working, or had only practiced it ad hoc previously, making this change drastic not just in terms of hardware and support, but also for management and best practice.
At the end of 2020 Morphisec Technologies, an endpoint security specialist, issued a report into issues surrounding the security of working from home; entitled the WFH Employee Cybersecurity Thread Index. In this they reviewed how more than 800 US employees had coped with the changes and highlighted most of the biggest cybersecurity concerns.
Scarily, but maybe not unexpectedly, the report found that more than half of employees surveyed were using their personal computer as their work device. This immediately puts company data at risk of cyber-attack. Twenty-three percent of employees said they were unsure of what security protocols were even available on their devices – let alone what they were supposed to be using. Some organizations simply had no best practice in place for remote working. Some did have guidelines in place but, a quarter of respondents said that even though there were strict company guidelines around security protocols they were not implementing them.
For IT management it was largely impossible to implement and enforce any standards and many had little understanding of the reality of what employees were doing. Much of the time they did not even know what devices were in use – let alone what security was implemented. The emphases often rested on keeping the business running, rather than keeping it safe.
Andrew Homer, vice president of security strategy at Morphisec, said, “We’ve seen anywhere between a doubling or a tripling of the amount of attacks that we blocked since COVID. That’s over 170,000 attacks a week across the five million end points.”
Since 2014 there has been a 44% increase in the number of employees working from home, according to a 2019 report by FlexJobs. So, for some organizations, it was a natural progression to move the remainder of their employees to remote working. These businesses already had protocols and management structures in place but still suffered an increase in attempted cyber-attacks as the criminal community switched focus to remote devices and unsecured connections.
Despite many organizations already being on the path to remote working, the dramatic change brought about by the coronavirus pandemic highlighted that working from home was an entirely new concept for nearly half of office workers, according to the Morphisec report. This surge in the numbers of remote employees placed enormous pressure on IT departments. Before the pandemic, IT professionals had plenty of time to add additional security measures to remote employee’s devices as routine. Now, with businesses urgently having to transform to fully remote, the ability to implement security on devices shifted from weeks to hours. IT managers were often obliged to implement less than satisfactory emergency solutions.
Cybersecurity professionals have not only had the challenge of rapidly building a remote environment, they have also had to handle an expanded attack surface. By moving outside a controllable building, organizations were not able to guarantee employees were working on secure devices or trusted Wi-Fi connections. Despite the strain placed on IT teams, 62% of employees rated their company and IT department’s response to supporting a home workforce as above average or better.
Although home working brings a host of security challenges, the majority (75%) of employees said they usually followed the advice of their IT department when it came to cybersecurity. The most common tips from IT teams did not significantly change: be wary of suspicious emails, attachments, or pop-ups; ensure antivirus software is connected and working; and accept software updates and patches as they occur.
Because the transition to working from home happened so quickly, many employees said they were not provided with the necessary company devices, forcing them to use personal devices instead. Personal devices are not equipped with the same precautions and security measures as corporate devices, putting data at risk. However, even being on corporate devices could be dangerous, as the devices could be exposed to unsecured networks or other individuals in the household. Being outside the office means that employees are on their own Wi-Fi networks, which are usually not as secure or sturdy as office connections: Some 26% of respondents reported having frequent issues with their Wi-Fi connections.
Andrew Homer of Morphisec said, “There’s a lot of things that go out the window. Network security is largely out the window. One in four experienced problems with Wi-Fi, and traditional security today relies on Wi-Fi. We’ve seen a tenfold increase in the amount of adware, which is games, or unwanted software on these devices. That’s indicative of kids using their parents’ machines. That’s really concerning because adwares have become the delivery mechanism of putting malicious, highly nefarious malware onto these machines”.
What makes all this more worrying is that some organization’s security hygiene was already lacking. Remote working considerably added to these security vulnerabilities and many companies found their issues compounded. The key to survive is to focus on tools and strategies that put an end to an attack before it starts, so that devices and connections are never compromised. Only time will reveal the full extent of the damage done to many businesses.