We humans struggle with change. When our status quo is disrupted, it can create feelings of shock, anxiety, excitement and fear, and we rarely perform at our best. With 95% of cybersecurity breaches being caused by human error, it comes as no surprise that in times of change, cyber criminals run riot. And the last 18 months have been no different.
The number of cyber attacks, including everything from theft to data hacking and destruction, is up massively as a result of the COVID-19 pandemic. The number of malicious emails increased by 600% during the current crisis and 88% of organisations worldwide experienced spear phishing attempts in 2019.
With successful attacks on both high-profile private and public bodies getting huge media coverage in nearly every country, every industry has had to embrace new cyber security solutions.
Now, most of us are right in the middle of another drastic change to our day-to-day – getting back to work. While the return to work signals a much-needed return to normality for many of us, it is a time when cyber security risks are magnified more than many of us realise.
So, we have put together a list of cyber security threats that your business needs to be aware of as your employees return to work, to help you keep your business secure as you try to reclaim some normality in the coming weeks and months.
Bringing personal devices into the work network
The move to remote working has led to the widespread use of new devices, personal computers, laptops and mobile phones for work purposes with many of these devices being connected to company data and accounts without the proper IT security measures in place.
As employees move back to the office and reconnect to the work network, there is a high risk that some of your employees may connect these insecure devices to the work network. There is also a risk that employees will move back to using devices in the office and leave their home devices connected to company data unnecessarily.
So, it’s important to take a hardware inventory of all devices used for work purposes as part of return-to-work planning.
- Ensure all devices with access to company data and accounts are catalogued, scanned and assessed for cyber security measures.
- Ensure your users are logged out of all company systems on work-from-home devices that will no longer be used.
- Ensure your users delete any company data that has been downloaded to work-from-home devices that will no longer be used.
- Ensure that users uninstall any VPN software that was configured on work-from-home devices to access company networks.
Reviewing Software Versions And Updates
While employees were working from home, many operating without IT support at hand, some may have fallen out of the habit of ensuring that all software and cybersecurity software were kept constantly up to date.
Some companies will have endeavoured to ensure that updates were automatic; however, this may not have been monitored effectively while users were working from home, and in many cases the updates may have been put on the long finger by employees working under stressful conditions.
- Ensure all devices are up to date and configured with appropriate antivirus and anti-malware software.
- Ensure that no devices that are being connected to the work network have any unapproved software installed that could compromise the network.
Reviewing User Access
During the various lockdown periods, technology played a significant role in business continuity and allowed many businesses to recover rapidly from the disruption to their workforce with users connecting to company data securely from across the globe.
Many will remember vividly the effort that it took to ensure that users were able to access the files, folders and systems they needed to perform their roles from any device, anywhere.
However, with the return to work, it’s important to revisit the access granted to all users. In many cases, access rights may have been granted to users that are no longer necessary with the user being back in the workplace.
Unnecessary access to data and systems can lead to cyber criminals being able to wreak more havoc than they would otherwise be able to. It’s vitally important that all users are allowed access rights only to the devices, data and systems that they require for their role.
- Reconfigure all users’ access rights to devices, data and systems in line with the change in work environment to ensure all users are limited to accessing data essential to their individual role.
- Restrict the use of devices to each individual user and advise all users on the risks of leaving logged-in devices for others to physically access.
Enable Multi-Factor Authentication & Strong Passwords
In March of 2020, Microsoft engineers said that 99.9% of the account compromise incidents they deal with could have been blocked by a multi-factor authentication (MFA) solution. As with any review of cyber security practices, it is essential to roll out multi-factor authentication (MFA) for all users accessing company data and systems.
It is also important to note that users tend to choose simpler passwords for their personal devices to allow for simplicity of access. During the switch back from personal and work-from-home devices to work computers it is also important to ensure that all users adopt secure passwords as part of their MFA.
- Ensure multi-factor authentication (MFA) is rolled out across all user accounts and data access points.
- Ensure users are using strong passwords and pass phrases as part of their MFA.
- Remind all employees never to send passwords over email or text, or write them down on post-its to remember them.
Be Aware Of Physical Data Security
With employees having gotten used to working from the comfort and safety of their own home, it can be natural to let standards slip when it comes to physically securing data. Make sure to remind all employees about the company policies on physical data protection such as shredding policies, locking access points and clean desk policies.
- Ensure all employees adhere to a clean desk policy, clearing their desks of all files, notes and data at the end of each workday.
- Ensure all removable devices, memory drives and paper documents are stored securely in locked drawers or cabinets.
- Remind all employees about the company policies for shredding sensitive documents once they are no longer required.
Raising Awareness of Phishing Attacks
Phishing attacks account for more than 80% of reported security incidents, with a reported $17,700 lost every minute due to phishing attacks. Phishing remains one of the top cyber security risks to be aware of, and this return-to-work transition is another great opportunity for hackers.
- Advise all employees to use a zero-trust approach to all emails they receive and to think twice before reacting to any email that sparks a sense of urgency.
- Advise all employees to check and verify emails that contain requests for action to be undertaken or requests for information with their sender before acting on them.
- Never click attachments in emails before verifying them with the sender and never click on links in emails that weren’t expected.
Cyber Security Awareness Training
Both the rise in cyber security attacks over the past 18 months and the fact that 95% of all security breaches in 2020 were caused by human error underpin the absolute necessity for Cyber Security Awareness Training across all organisations and businesses.
It has never been more apparent that ongoing training for employees at every level of an organisation is now required to combat the level of sophistication these attacks have reached.
- Ensure all employees are provided with cyber security awareness training and are tested regularly.
Hopefully this article will help to direct a cyber safe return to work for your business. If you would like to enquire about Cyber Security Awareness Training or any of our cyber security services, please contact our team at info@calnet.ie or call us on +353 (0)1 818 3272.