Cybersecurity in a hybrid work environment
By: Garrett O'Hara - principal technology consultant at Mimecast ANZ
The recent spate of data breaches and reputational damage to companies globally is driving business leaders to review and overhaul their cybersecurity practices. Cybersecurity is of vital importance, particularly when viewed through the lens of the current COVID-19 business conditions.
Given the current economic conditions, the last thing any organisation needs is a security breach. Many employees are working remotely indefinitely, and according to the Australian Bureau of Statistics, a quarter of Australians would like to continue this work trend after the COVID-19 restrictions lift. Yet many organisations are carrying on without the normal security protections enterprise networks need as the “perimeter” dissolves due to a largely remote workforce. Additionally, many businesses still haven’t adapted their cybersecurity awareness, training and education practices to accommodate these changing workplace conditions.
This state of affairs is leaving employees and organisations wide open to attacks and breaches.
The Hybrid Workforce
We’re all hopeful for an end in sight to the current pandemic, but remote working practices, and a hybrid work environment model, will be here for the foreseeable future. As employees start returning to work, will they be walking through the door with compromised devices? Do businesses have the right checks and balances to ensure cybersecurity hygiene is top of mind?
Our Mimecast threat intelligence team analysed some of the most pervasive threats during the first wave of the pandemic, in our 100 Days of Coronavirus report. It revealed a huge surge in coronavirus-themed phishing and other malicious activity as attackers took advantage of people’s shift to remote working, lockdown, and desire for information. The Mimecast Threat Intelligence Centre noted that attackers have spoofed websites carrying COVID-19 monikers, as well as major retail brand websites, in attempts to steal from unsuspecting panic-buyers as they look to purchase necessities online. Cybersecurity awareness training is key to the mix.
To date, no matter the industry you work in, employee cyber behaviour still needs to dramatically change to show an increased understanding of – and alertness to – cybersecurity threats. And in most organisations, the cyber culture simply isn’t top of mind. In our recent APAC study with Forrester Consulting titled Don’t Just Educate: Create Cybersafe Behaviour, we surveyed 20 industry sectors including government, healthcare, legal, marketing, energy, telecommunications, transport and logistics. We found that over thirty per cent of security training attendees still admit to going around security policies. This means that despite some employees doing the right thing and supporting security best practices, the overall security of an organisation is still being undermined by the staff who aren’t following procedures. With the rapid shift to home working, and security and IT teams scrambling to vet collaboration platforms, many employees are working around security with shadow IT to get their jobs done.
The Two Ts
What is the solution? The answer lies in ‘the two Ts’ – training and technology. These reflect the fundamental truth that human error is in our nature.
Protecting remote workers usually starts as a technology discussion. We surveyed Australian businesses and found that many companies are using at least one solution to stop malicious emails reaching remote workers. More than three-quarters of respondents reported the use of email filtering and URL scanning. Many block or quarantine suspected impersonation emails and scan inbound emails for tricks such as domain or sender spoofing.
So where does the problem lie? Whether it’s following a link, not patching the hardware or software, or not creating a robust framework, humans are involved. It is widely reported that human error and social engineering account for ninety per cent of all data and security breaches. By implementing a robust training process, you will enhance the presence of the ‘human firewall’, and this will greatly add to a layered security strategy within your organisation.
It’s worth noting that the best-protected companies also make cybersecurity awareness training a regular event, not just a way to tick the box in terms of compliance. The old models of cyber awareness and training simply don’t work. As such it’s vital to take steps – now more than ever – to lower your risk of succumbing to cyber threats by changing attitudes from top to bottom.
As such, any security awareness training program must cut through the noise of your employees' busy lives, and you must tailor programs to your intended audience – the humans within your company. There is little point in simply telling your employees what to do and how to do it. Instead, the training programs should focus on the people, developing behavioural changes, and providing employees with the right tools to help that behaviour change stick.
The first step is to make sure senior leadership rally behind it to create commitment for a strong and lasting cybersecurity program, as behavioural changes in a company always start at the top. Be persistent, as we’ve found that conducting the training in short monthly bursts works best. Make sure the training is engaging and fun, and keep the sessions short and sharp. If you can’t get your point across in three to five minutes, then you are missing the mark.
Find out how your organisation can combine training, education and technology to create a safer workforce at our Mimecast Work from Anywhere site.