How to ensure a cyber secure return to the office


For two years, employees have been waiting to be beckoned back to the office – some with anticipation, others with dread, but hackers haven’t shared the same mixed emotions! The pandemic-led overnight transformation of our working habits opened the floodgates to cybercrime, leaving hackers to take full advantage of the cybersecurity gaps in home networks. As of February 2022, the NCSC had received over 10 million reported phishing scams, and this figure shows no sign of slowing down as hybrid working environments continue to become the norm.

About the author

Dan DeMichele is the VP of Product Management for LastPass at LogMeIn.

There is no denying that hybrid and remote working exposes organizations to increased security risks. This setup creates further opportunities for cyber criminals as they continue to evolve their tactics to take advantage of the expanded security perimeter and vulnerabilities. For companies, the pandemic gave rise to ‘messy’, insecure working habits as workers more freely shared their data without the protection of their company’s secure Wi-Fi and firewall. It’s time to shed these habits if we’re to meet the cybersecurity challenges of the new working world.

Now, as more staff return to offices, organizations must be hypervigilant to potential threats and the best methods of protection to prevent employees bringing in infected devices that put both the individual and the business at risk. As email-based cyber threats continue to mutate, the onus is on organizations to lead the charge in training and promoting a new cybersecurity culture. After all, prevention is better than cure.

Phishing is big business for cyber criminals

In the UK alone, one small business is successfully hacked every 19 seconds, with data breaches across UK enterprises costing an average $3.88 million per breach. The staggering number of emails sent daily around the globe means email is a simple and effective method of attack for cyber criminals, with a high return on investment.

Cybercriminals aren’t just coming for governments, large scale enterprises and critical infrastructure, but individuals and SMBs too – there is money to be made off all industries and individuals alike. The number of publicly reported breaches in 2021 soared past previous years, with stolen credentials the biggest culprit. More than a third (36%) of data breaches were due to employee credentials being stolen through phishing attacks – 96% of these occurred through email. The message is clear – everyone at every level needs to be prepared.

Hybrid work calls out for cyber attention

Prior to the pandemic, many organizations toyed with the idea of hybrid working, but the pandemic’s onset forced unimaginable change to every aspect of our working lives virtually overnight. Cloud-based applications enabled work to go on ‘business as usual’ outside of the castle walls, but defenses were often built reactively and often too late. Cyber criminals also got a ‘2-for-1’ bonus, with access to both home and work as digital footprints expanded. This created a greater attack surface for cyber criminals to capitalize on, one that many are still grappling with today as employees return to the office.

The rapid adoption and acceleration of cloud has undoubtedly brought its own challenges. Whilst cloud adoption was underway before the COVID-19 pandemic struck, urgent changes to operations caused it to occur at a faster pace, and by 2024 enterprise cloud spending will make up a whopping 14% of IT revenue globally. A growing cause of this is the rise in ‘shadow IT’ – where users download and use apps away from the eyes of security teams – with research finding that there are 3 to 4 times more SaaS apps in use at a company than the IT department is aware of. As we navigate the future of work, security teams need to develop a SaaS management strategy to mitigate and address their shadow applications. Without the pre-pandemic sources of visibility, IT and security teams are working with clouded vision.

Leading the hack attack fight back

Cyber criminals capitalize on blame, with cybersecurity errors leading to a culture of silence. This stunts progress in the recovery of the targeted information and prevention of future errors. By creating a ‘no blame’ work culture we can focus on defense against the faceless cyber criminals.

To help keep credentials and other sensitive information out of the hands of cyber criminals, organizations must educate employees through building a cybersecurity culture. By ensuring that all employees from entry level to executives are given ongoing training, organizations can help reduce the success rate of attack or at minimum, raise an alert. Normalizing training within workplace culture will also maintain attentiveness and adoption of these practices in the long-term.

This means employees know what to look out for and the go-to steps to follow: take caution across all channels, ensure email addresses are legitimate, trust gut instincts, and follow the guidance of security teams.

The work-from-home mandate meant employees were away from the gaze of IT and security teams, with organizations updating security measures on an ongoing basis. Understandably, cyber hygiene took a hit, with security teams almost blind to what staff were up to. IT teams need to ensure the correct protocols and processes are adopted by employees when returning to offices, even if only for a few days a week. This means promoting proper device and password hygiene and updating teams on potential threats associated with the return to offices. With phishing on the rise, cyber criminals are continuing to make use of this opportunity, so employees should be instructed on how to best protect themselves and their organization. This means ensuring all accounts are protected with strong passwords/passphrases and using account privileges as opposed to shared passwords wherever possible.

The secret weapon to combat human error

Human error is unavoidable, as cyber criminals’ phishing and other methods of attack attempt to evade human detection. Luckily, good cyber hygiene, training and tools like a password manager help to protect organizations and individuals alike.

Cybercriminals are always looking for ways to get hold of data. As we return to the office, we must resolve the security issues highlighted by the pandemic, with emphasis on training and education. This way we can pave the way for a new cybersecurity culture, for a resilient, cyber secure future. The lesson learnt is: don’t make it easy for them.

