“Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy,” Steve Durbin, Managing Director, ISF
With the number of COVID-19 cases in flux across the U.S., and autumn approaching fast, the work-from-home workforce now appears more permanent than ever, with many companies not expected to bring employees back until at least 2021 and possibly beyond.
And as employees settle into the reality of home office work, the conversation about securing those employees, protecting their data and guarding against threats (both external as well as internal) needs to be part of an organization’s long-term planning.
While many enterprises excelled at getting employees the equipment and resources they needed in March and April, a long-term WFH situation requires serious strategic thinking about how organizations can provide security to their staff at a time when cyber-threats are increasing and cybercriminals and hackers have a bigger attack surface to target.
“Businesses have made quick and steady strides to react to this pandemic. Now, it is time to find a rhythm and settle in for the long run,” Heather Paunet, senior vice president of product management at security firm Untangle, told Dice. “The time for reactive decision making has passed, and business leaders, as 2021 looms in the future, need to weave cyber security awareness, employee engagement, and long-term programs into their company culture and missions. While many are home focused on making the best of the situation, cyber criminals are ready to use this time to prey on employees and businesses alike.”
The numbers, so far, paint a picture of challenges to come.
In time for the Black Hat 2020 virtual conference earlier this month, AT&T released a study about cybersecurity and working from home that included responses from 800 security professionals working in the U.K., France and Germany. Of those surveyed, 88 percent reported that, while they initially felt well-prepared for the switch to WFH, a majority (55 percent) now feel that ongoing remote working is making their companies more vulnerable to cyber-threats.
Digging further in, 25 percent of those surveyed noted that their organization has not offered additional cybersecurity training for employees. Another 24 percent note that their firms have not created secure gateways to applications hosted in the cloud or in a data center, while 22 percent report that there is little or no additional endpoint security to protect laptops and mobile phones.
A similar survey released by IBM earlier this year also found great confidence in the early switch to WFH, but that security precautions and training had not kept up with the possibility that remote work may become a permanent fixture of working life.
Beware Insider Threats
Several security experts warned against an increase in insider threats, whether malicious or unintentional, as WFH becomes the norm.
Steve Durbin, managing director of the not-for-profit Information Security Forum, is advising that CISOs and risk managers consider how employee behavior is changing as people work longer hours from home, and how that could lead to cyber threats if policies and procedures are not put into place soon.
“Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy,” Durbin told Dice. “These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization, resulting in occurrences of information leakage and theft of intellectual property.”
Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic, sees that traditional technologies previously used to protect a company’s network and infrastructure, such as email gateways, web gateways, intrusion detection systems and firewalls, no longer matter in the WFH era.
This means increased threats from both outside and inside an organization.