Imagine the scene. You’re sat working from home, as has become the norm for you throughout the COVID-19 pandemic, when an email pings into your inbox, apparently from your company’s IT team.
It says that, following a review of remote working security protocols during the pandemic, it has been decided that staff will be asked to change their password for the company cloud platform every six weeks. A reminder will be sent out each period and this email is the first such prompt.
There’s a link included to update your log-in details.
What do you do? Would you even think to double-check the new policy with your service desk before doing as instructed? Would you spot any of the warning signs that might give even the most convincing phishing scam away? Would you know that fake prompts to update log-in credentials are one of the most common ways cybercriminals steal personal information and get access to restricted systems?
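The warning signs the scenario above asks about can be checked mechanically. The following Python script is an added illustration, not code from the original article: it runs a few common phishing checks (sender domain that is not the company's, link text that does not match the link target, a credential request made under time pressure) over a constructed copy of the "change your password every six weeks" email. The company domain `example-corp.com`, the sender address and the URLs are all invented for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate corporate domain (example value).
COMPANY_DOMAIN = "example-corp.com"

# Constructed sample modelled on the lure described above: a fake IT policy
# email with a link whose visible text looks corporate but whose target is not.
SAMPLE_EMAIL = {
    "from": "IT Service Desk <helpdesk@example-corp-it.com>",
    "subject": "Action required: new remote working password policy",
    "html": (
        "<p>Following a review of remote working security protocols, staff must now "
        "change their cloud platform password every six weeks. Please update your "
        "log-in details within 24 hours: "
        '<a href="http://example-corp.com.login-update.net/reset">'
        "https://portal.example-corp.com/reset</a></p>"
    ),
}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a simplification that suits .com/.net examples."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(url):
    host = urlparse(url).hostname
    return registrable_domain(host) if host else ""


def sender_domain(from_header):
    match = re.search(r"@([\w.-]+)", from_header)
    return registrable_domain(match.group(1)) if match else ""


URGENCY = re.compile(
    r"\b(within \d+ hours?|immediately|action required|account (will be )?suspended)\b", re.I
)
CREDENTIAL = re.compile(r"\b(password|log-?in|credentials|verify your account)\b", re.I)


def phishing_indicators(email, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable warning signs found in the message."""
    findings = []

    sd = sender_domain(email["from"])
    if sd != company_domain:
        findings.append(f"sender domain {sd!r} is not the company domain {company_domain!r}")

    parser = LinkExtractor()
    parser.feed(email["html"])
    for href, text in parser.links:
        href_dom = domain_of_url(href)
        if href_dom != company_domain:
            findings.append(f"link points to {href_dom!r}, not {company_domain!r}")
        # Visible URL text that differs from the real target is a classic tell.
        if text.startswith(("http://", "https://")):
            text_dom = domain_of_url(text)
            if text_dom != href_dom:
                findings.append(f"link text shows {text_dom!r} but target is {href_dom!r}")
        if urlparse(href).scheme == "http":
            findings.append("credential link uses plain http")

    body_text = re.sub(r"<[^>]+>", " ", email["html"])
    if CREDENTIAL.search(body_text) and URGENCY.search(email["subject"] + " " + body_text):
        findings.append("asks for credentials under time pressure")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Run on the constructed sample, every check fires; a message from the real corporate domain whose link text and target agree produces no findings. The checks are deliberately simple: they model the questions a trained employee should ask (who really sent this, where does the link really go, why the hurry), not a replacement for a mail security gateway.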
Phishing scams of this type, known as Business Email Compromise (BEC) attacks, have been on the rise throughout the pandemic, up 15% from Q2 to Q3 2020 alone. They are part of a pattern in which hackers and cyber criminals have rapidly adjusted their tactics to suit the ‘new normal’ of remote and home working.
So-called social engineering cyberattacks, which boil down to the use of trickery or manipulation to hack systems or steal data, were already highly prominent, accounting for a third of all recorded data breaches in 2019. But while phishing attacks might previously have focused mainly on private email, IM and even social media accounts, perpetrators have quickly latched onto the fact that mass home working opens up a whole new window of opportunity.
Outside the office, away from the colleagues, supervisors and managers they could quickly ask for advice, people are that much more vulnerable to a fraudulent request, especially one dressed up as an official communication sent via an authorised business channel.
The growth in BEC and similar attacks also seeks to exploit another factor in the rapid shift to remote working – a lack of appropriate cybersecurity training. According to one survey by Malwarebytes, 44% of businesses provided no cybersecurity training focused on the potential threats of working from home during the initial wave of COVID-19 workplace closures.
Tellingly, more than half of respondents to the same survey (55%) cited the need to train employees on how to securely and compliantly work at home as the top challenge they now faced. In another study, a similar proportion of IT decision-makers (57%) said they believed remote workers would expose their organization to greater data breach risks.
On one level, it’s not entirely surprising companies should have struggled to keep cybersecurity training and policies up to date in line with the changing requirements of remote working. It has been a year of massive disruption and upheaval where the first priority has been ‘keeping the lights on’ at any cost. Other factors such as the inevitably weaker security protocols found on personal devices and home networks have also played their part in many businesses experiencing a significant rise in security threats.
But a year on from the start of the pandemic, firms can no longer afford to think purely in terms of keeping the lights on. We know now that, even if we do emerge out the other side of COVID-19 in 2021, many aspects of the ‘new normal’ it has created are here to stay. This includes remote working – according to McKinsey, 70% of employees who have worked from home during the pandemic will factor the ability to ‘telecommute’ into their next job choice.
The cementing of remote working into the mainstream means the rules of engagement on cybersecurity have changed forever, and one of the biggest shifts is that companies can no longer manage as much of their protections centrally.
Greater responsibility must be handed to workers, and not just to make sure they can spot, avoid and report potential social engineering attacks appropriately. They must also be empowered to secure their home networks, configure their VPNs correctly, keep their antivirus and firewalls up to date, and understand the difference between good and bad data management practice, including the relevant regulations.
All of this starts with training and education. If you are wondering where to focus your company’s cybersecurity investment strategy for the next financial year, there can be no better place to start.