As more companies adopt a hybrid remote work structure, leaders need to realize they’ve opened a Pandora’s box of sorts. With employees in no dedicated location, using a nearly infinite number of devices, networks, or Wi-Fi connections, keeping companies secure from cyberattacks has only become more difficult.
Speaking with BetaKit, Andrew Milne, the Chief Revenue Officer at cybersecurity analytics company Field Effect, explained how employees can partner with their employers to keep sensitive information secure.
Threat actors are coming downstream
A major concern Milne noted is that threat actors are “coming downstream,” moving on from attacking only enterprise companies in favour of quick attacks across the board. In particular, he said, SMBs are a target because they often aren’t able to invest the same resources into cybersecurity as enterprises.
“They don’t care whether you’re a small, medium, large business,” said Milne. “They care that you’re a business with either IP, finances, or some way of taking or stealing money from your organization, or that you’re part of a supply chain they can take from.”
These downstream attacks also create what Milne calls the “one-two punch” of cyberattacks. It’s not just one person breaking into your network and stealing something: there are now sophisticated service providers who break in, scan data quietly in the background, and sell that data (or their break-in services) to what Milne calls “lesser threat actors” who will then stage a campaign against you with the information they’ve purchased.
To securely support hybrid remote workers, Milne said companies need to think about both levels and adjust to how employees are actually working “instead of forcing you to work a certain way.”
Field Effect’s State of Cyber Security guide recommends companies educate themselves on new attack strategies including:
- Pandemic-themed social engineering scams: Pretending to have critical news and information about COVID-19 at your company.
- Attacks on remote workers and their tools: Targeting one employee to get into the whole company.
- Cybercrime-as-a-service (CaaS): A burgeoning economy to buy off-the-shelf malware and hire ‘customer service reps’ to give phishing scams a much more real appearance.
- New extortion strategies: Including threatening a privacy breach that would break new, punitive security regulations globally.
Employees can also step up to ensure they are doing their best to keep the company secure. Field Effect’s Employee Cyber Security Handbook recommends a few approaches, including:
- Recognizing every employee has a part to play in security: Especially with remote work, there are more attack points than ever, so everyone has to care about security.
- Staying up to date on new attack techniques: This includes pandemic-themed scams, impersonating an executive, or impersonating your bank to scare you into thinking someone has hacked your account.
- Using foundational cybersecurity best practices: This includes choosing a difficult, complex password, using multi-factor authentication, and taking time to inspect emails for clues of a scam, such as a weird email address or a different reply-to email address.
Empowering the collective good
Milne said if companies want employees to be proactive about security, it’s not enough to train them on how to identify (then delete) a phishing email or spam attack. You have to give them a way to communicate it outward and tag it as an attack so there’s “collective good.” In this approach, you give people who see something malicious the opportunity to do something about it.
Field Effect’s Incident Response Cheat Sheet offers some quick next steps if you think there’s been a compromise.
- First, take a breath to avoid making rash decisions.
- Second, identify all stakeholders involved and alert them.
- Third, work with stakeholders to properly identify the threat, recover any lost data, and secure things so it doesn’t happen again.
Milne added that this process only works if companies change their tune around incident response. Empowering the collective good means shifting from blaming people to asking “How do you create an ability for [employees] to take action and be involved in the security of the company?”
Another critical part of success, said Milne, is that all steps must be easy to follow. Otherwise, you’ll struggle with adoption. He added that a lot of companies try to make things easy by directing employees to forward suspicious emails to IT or the security team, but that creates a huge backlog with key-person risk. Instead, Milne encourages companies to think about how to leverage technology to do the heavy lifting – not just to scale up the security practice but also to give people simple ways to help keep themselves and their colleagues safe from cyberattacks.
“Provide the tools without creating so much inertia the security team can’t handle it,” said Milne.
You can’t put remote work back in the box
Regardless of some companies saying they plan a full return to the office, Milne is clear that hybrid remote work isn’t going anywhere.
“Hybrid work is out of the box and there’s no putting it back,” said Milne.
What bothers him, though, isn’t that some companies want to return to the office. His annoyance is with companies that use cybersecurity as the justification for a return to the office, which he said is not an accurate statement of concern.
New technologies, he said, enable a secure environment for remote workers and hybrid workers. The issue is that many employees and companies alike don’t know how to properly leverage those technologies, from both a platform-specific and a general best-practices standpoint.
To help employees better partner with their companies to keep everyone secure, Field Effect published a Remote Worker Cyber Security Checklist, which features 13 questions all employees should ask of their employers, such as verifying the company has a remote work cybersecurity policy and asking to see appropriate use policies for personal devices or other remote work tools.
The company has also created a cybersecurity starter kit – specially designed for startups and SMBs alike – featuring a handpicked collection of its top cybersecurity resources to strengthen corporate defences.
“Security should not be the driver of being in the office or being out of the office,” said Milne.