One of the biggest changes that has come about due to the Covid-19 pandemic is the pivot to remote working, with the majority of people across the country working from home. However, with this transition also came a lot of friction, with cybersecurity at the forefront of many people's minds.
Mark Nutburn is the Group IT Director at the British Assessment Bureau. He has over 20 years of experience within the Certification industry and has developed cloud-based software solutions supporting a variety of assessment products.
Here he shares his thoughts on remote working and its effects on cybersecurity.
Of all the changes the coronavirus pandemic has forced on businesses, the abrupt lurch from office to remote working within the space of a few weeks early in 2020 must rank as the most startling.
Remote working isn’t new, of course. But, until 2020, most businesses were largely supporting a small subset of mobile employees working in the field. As pretty much every business that tried it has since discovered, there’s a big difference between this and offering the same remote access to every worker with no investment, planning cycle, or ‘what might go wrong’ planning.
Anecdotally at least, plenty has gone wrong. Early on, many employees didn’t have the right equipment for home working, or even a desk to work at. Others couldn’t authenticate themselves to the network, or access important applications too old to be hosted in the cloud. Many organisations lacked enough VPN capacity to support lots of people. Then there’s been the unproductive and sometimes insecure toil of Zoom unleashed on employees who still rate video conferencing as a last resort.
But there’s a bigger anxiety out there that’s yet to be fully processed: the effect of remote working on cybersecurity. It’s easy to assume that the effect has been negative, because it’s not hard to believe employees are less secure when accessing a corporate network from their back room across a public network, even when using an encrypted VPN. However, to date, the evidence is largely an extrapolation of lessons drawn over many years of supporting small numbers of employees remotely, plus a handful of PR-driven surveys.
For example, a May survey by security company Pulse Secure found high levels of concern among US-based executives that remote working would increase data leakage and weaken compliance with regimes such as GDPR, PCI-DSS, and HIPAA. An August report by Malwarebytes confirmed much the same message, with one in five of those asked believing remote working would lead to a security breach of some sort. These conclusions sound plausible, but we need to remember that security companies are not disinterested observers. If there’s no problem to solve, there’s no sale.
In the end, it’s about preparedness and planning, which takes longer than most people realise. On any computer, only one thing needs to go wrong for that to lead to disaster, be that a successful phishing attack, a rogue link followed, or a malicious app inadvertently installed. There’s no reason why this is harder to defend against for remote workers than for those in the office, if companies have invested in the right security systems to react quickly to missteps. The problem is that not enough have, because they have been conditioned into seeing remote working as a specialised use case that attackers are less interested in.
That assumption doesn’t scale well when you’re defending 10 or 20 times as many workers seven days a week. Where does this lead? Given that there is now plenty of reported evidence that attackers have modified their attacks to target home offices (plausible lures including ‘please reset your application password’ and ‘watch this CEO video on redundancies’), the answer is, tragically, more data breaches.
Breach déjà vu, all over again
The world is already overrun with data breaches as it is, so the idea of adding more to the list is hugely depressing. Cyber-attacks have numerous complex outcomes, but it is hard to imagine one that is more long-lasting than a data breach. If malware hijacks a PC, that can be cleaned. If ransomware locks data, companies have the possibility of recovery. A server hit by a DDoS attack can be restarted or the traffic sent to a sinkhole. Data breaches don’t work like that – once a criminal knows someone’s name, social security number, or home address, or has stolen company IP, that data becomes public forever.
In the last decade, data breaches have grown from something that happened a few times a year into something so commonplace it barely elicits comment. In the early days, the world reacted to these with horror, but this quickly turned into mesmerised indifference as their number surged. Breached companies haven’t helped, with too many relying on complacent platitudes about customer security being a top priority just after suffering an attack that suggests the opposite. Others, meanwhile, have entered a state of denial, claiming that ransomware attacks aren’t the same as data breaches on the absurd basis that they failed to find any notifiable evidence that data was stolen (the rapid rise in double extortion attacks during 2020 trashes this daft assumption).
The problem with data breaches is that you can’t see them until it’s too late. Indeed, in many cases, the victim organisations don’t discover breaches at all and only realise something has gone wrong when third parties spot data on the dark web or processors phone up with bad news about strange spikes in credit card fraud. Too often they’re invisible until suddenly, horribly, the truth dawns.
Right now, for a world unprepared for mass remote working, it’s hard to imagine a worse environment for oversight than a workforce that’s sitting at home struggling to follow rules and policies, assuming they understand them at all. Many organisations can’t easily monitor what their employees are doing or not doing, nor constrain where data is shared, saved, and viewed. Pandemic IT was never going to be a pushover, but if history offers us any learning, it’s that the worst might still be to come.