Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
And to open this month’s investigation into the relationship between fintech and cybersecurity, we’ll be addressing how the two work together when set within a remote working environment, and the varied challenges that remote teams continue to face.
As part of its ‘Plan B’ measures to prevent the spread of Coronavirus variants, on 8 December 2021, the UK Government announced the recommencement of its recommendation for employees to work from home (WFH) wherever and whenever possible.
Once again, workforces up and down the country, and indeed across the world, dispersed to prevent the spread. Although this distanced and isolated model does boast its own range of advantages, it becomes highly problematic when it comes to maintaining adequate cybersecurity measures.
Part of the problem with this is that many WFH models were implemented seemingly overnight, with little in the way of preparation in their execution. Businesses can hardly be blamed for their lack of foresight in this way, but unfortunately, this gap has allowed cybercriminals to work their way in.
According to this report by Velocity Smart Technology, during the UK’s first lockdown in April 2020, 70 per cent of remote workers stated that they had experienced difficulties with IT. This report by Pulse Secure, which was produced during the same period, states that 66 per cent of workers expected an increase in WFH security threats, whilst 63 per cent agreed that WFH could expose compliance risks.
It’s an aspect that our publication has discussed at length throughout the trials of the pandemic. When we investigated Tessian’s report, we found that, disturbingly, 82 per cent of IT leaders believe that their company is at a greater risk of phishing attacks within a WFH model, whilst a further 78 per cent believe that they are at a greater risk of an insider attack.
Further supporting this evidence is the data from Atlas VPN, which highlighted how 78 per cent of businesses across the world experienced an increase in the volume of cyberattacks because of a shift towards remote working.
These findings correlate with similar data from Atlas VPN, which found that 16.4 million Covid-19 related cyber threats were detected online in 2020 alone, and showed how cybercriminals were exploiting the pandemic for their own illegal ends.
“From bilateral attacks between competing nations to the ever-increasing amount of scam emails sent to businesses and their staff members, there’s been a consistent increase in both the attempts and successes of cybercrime,” explains Amir Hashmi, CEO and founder of the managed services provider zsah.
“Industry research suggests that a cyber-attack now hits UK businesses on average every 45 seconds, and it is not just the prominent, influential players being targeted. In fact, 43 per cent of all data breaches involve small to medium-sized companies.”
The writing is on the wall, and it’s clear and almost expected that the level and sophistication of the attacks would both rise within such a working environment. With WFH models expected to continue as regular features in the corporate world, how has this new set-up changed what we know and expect from cybersecurity?
We sat down with a variety of industry professionals to explore their take on the impact WFH has had on staying safe whilst working.
“When it comes to cybersecurity, an organisation’s weakest link is often its people,” Jason Dowzell, CEO and Co-Founder of the cloud software development company Natural HR, tells The Fintech Times. “In fact, research estimates that 95 per cent of breaches are due to human error. With employees now relying on home networks and in some cases, their own devices, to do their job, the cybersecurity space and the challenges of this virtual working environment have both changed significantly.
“And yet, the almost overnight move to remote or hybrid working put cybersecurity initiatives on the backburner. In 2020, 93 per cent of CxOs admitted they delayed security projects in order to manage the transition to remote work.
“The increase in working from home demands a greater focus on cybersecurity, purely because of the greater exposure to risk. A global surge in remote work is a prime opportunity for cyber-attackers to step up their criminal activities by exploiting the vulnerability of employees working from home.
“Working from home doesn’t guarantee the same rigorous levels of cybersecurity as an office environment. A home office will likely not have the sophisticated prevention and detection measures that a workplace does. Additionally, home Wi-Fi networks are usually much easier to hack.
“With potentially business-crippling threats appearing almost daily, the ways cybersecurity breaches occur are constantly changing, as are the methods of deceit employed by online criminals. These malicious individuals have been quick to realise that previously robust security measures are no longer fit for purpose in this increasingly remote working world. Similarly, employees working from home with less supervision and fewer technical controls may neglect to recognise (or indeed report) any cybersecurity threats.
“As organisations embarked on this new world of work, cybersecurity was not always a key priority in the fast deployment of remote working capabilities. However, businesses must now re-evaluate the capabilities and efficacy of existing cybersecurity measures following this shift towards working from home.”
Adding to this, Andrew Hindle, the Chair of identity technology and service provider IDPro, told us: “The overall risks of remote working are well understood, and the cybersecurity, digital identity and privacy industries have developed robust solutions to handle those risks.
“The biggest change for the industry has been the increased pace of new deployments. Many organisations had not yet fully embraced digital transformation and were therefore not well-equipped to support a largely remote working population or to respond to the risks presented by a digital-first client base.
“Companies in this position need to rapidly shift from a more traditional ‘perimeter-first’ security model to move to an identity-centric and zero-trust approach: permitting much broader access through the perimeter, and implementing strong and granular authentication and authorisation security measures to protect access to sensitive data, applications and systems.
“There has been some change in the balance of risks faced. With a larger estate of hardware outside of traditional corporate IT control comes an increased threat from endpoint compromise. Malware threats—in particular from ransomware—need particular attention; and there has been an overall increase in phishing (and similar) threats over the past two years, as criminals have taken the opportunity to try and exploit the new WFH landscape.
“The needs of remote working are driving a welcome focus on deploying strong, multifactor authentication, for the workforce and for client and customer access. For many in the financial services sector, this coincides with the requirements for strong customer authentication deriving from PSD2. It is important that companies deploying such solutions stay current with leading practices (in particular: SMS-based verification is well understood to be insecure and should ideally be avoided in preference for less vulnerable approaches).
“In many ways, the requirements imposed by increased remote and digital-first operations are welcome. Organisations are now updating their security measures at pace, and so benefitting not only from an improved risk posture but also from the improvements in usability, flexibility and reliability that up-to-date solutions bring.”
We conclude our discussion with the Data Fraud expert Colum Smith, Chief Vision Officer for a Top 60 Law Firm and creator of RCP Innovation Ltd.: “Work from home is here to stay, and so is the cybersecurity risk it has created,” he tells us. “Businesses are hastily preparing for life in a post-pandemic world. And for many the increased efficiencies work from home models have created will become a permanent fixture. But this creates a whole new cybersecurity risk and many companies are leaving the door wide open.
“The first danger comes via employees who are logging in to work servers via home networks which are often not password protected. Any worker ‘clocking on’ from their kitchen or spare room office is potentially unlocking the door to a myriad of company data that would otherwise be protected from hackers.
“Cloud documents, emails and attachments, instant message platforms and third-party services are all vulnerable. And with so much information being shared digitally, your attack surface has grown much wider.
“The threat isn’t just to desktop computers or laptops. More and more employees are also working via their mobiles. They may well have mobile app versions of IM clients, such as Teams and Zoom. These blurred lines between personal and professional life can increase the risk of sensitive information being compromised.
“Work from home has also led to an explosion in phishing emails. These are scams designed to fool people into handing over details or downloading a malicious attachment containing a keylogger. A recent report found there has been a 600 per cent surge in cases with many cyber-criminals cashing in on the uncertainty surrounding the pandemic.”