We are living in a time of constant change. The end of the pandemic is on the horizon, people are returning to work in offices across Ireland, and a return to life as normal seems to be a real possibility at last.
Many businesses will continue to operate on a hybrid work model, allowing their employees to work from home some of the time – but what are the security implications of this?
How employees could compromise your cybersecurity
Remote and hybrid working models pose some worrying risks when it comes to cybersecurity. At home, employees do not have the same levels of network protection that they would have in the office.
According to Microsoft, 36% of employees have backed up corporate data to their personal devices. They may also be connecting to their home and work networks on the same devices without following proper security procedures, which can leave the organisation’s network vulnerable to attacks.
On top of all this, there is also the ever-present threat of a breach from within.
In 2020, Microsoft reported that 76% of Irish business owners were worried to some degree about their employees exposing the company to digital security risks. Although this is something no business owner likes to think about, the reality is that any one of your employees could be the weak link in your cybersecurity chain.
We often hear of cybercriminals infiltrating organisations from thousands of miles away, but security threats can also come from within the network.
While malicious attacks often do originate externally, business owners also need to be vigilant against ‘insider threats’. These can include employees, both current and former, or anyone with access to systems and data that could potentially compromise your security.
Insider threats can be malicious and intentional, perhaps coming from a former employee who believes they were unfairly dismissed, or from a current employee who’s identified a weakness in your network infrastructure and sees an opportunity to make some money.
None of this is pleasant to consider, but the risk, unfortunately, is too great to overlook.
Phishing emails getting harder to spot
Insider threats can also be entirely innocent, stemming from carelessness or a lack of basic cybersecurity knowledge.
Even with a firewall, antivirus software and multi-factor authentication in place, all it takes is for one staff member to open a phishing email and click a malicious link without realising it. Or, while browsing the internet on their lunch break, they might unintentionally install malware or visit a phishing website.
The “threat landscape is morphing at its fastest rate to date,” says Paul Brennan, director of the HPE Security Fusion Centre in Galway. The ever-increasing scale, speed and sophistication of malware attacks means that even the savviest employees can be tricked into opening a malicious email.
Brennan warns that today’s cybercriminals “know how to cleverly disguise their attacks” and can make emails look completely legitimate, including logos and signatures from people they know and trust.
In this October 2021 article, we recommended that all employees should adopt a zero trust approach when it comes to opening emails.
‘Zero Trust’ model set to become the default
Virtual Private Networks, or VPNs, are commonly used to provide secure access to remote workforces, but they are proving inadequate against the more advanced cyber attacks that we have been seeing lately, largely due to how they are implemented. Because VPNs often provide unrestricted network access, this can enable malware to move across the network until it finds something it can exploit.
A more secure alternative is the ‘Zero Trust Network Access’ model, which is a means of controlling remote access to sensitive data. It operates on the basis that there is no such thing as a trusted source, and will not grant access to company systems until the user has been verified.
Because ZTNA operates on the premise that there are constant threats both outside and inside an organisation’s network, every attempt to access the company’s network, systems or applications is viewed as a threat until proven otherwise by a process of verification.
The zero trust approach is based on the following guiding principles:
- No user should be trusted by default since they could be compromised
- VPN and firewalls can’t do it alone since they just guard the perimeter
- Identity and device authentication should take place throughout the network rather than just on the perimeter
- Micro-segmentation helps minimise damage from hackers by creating interior walls
60% of businesses are predicted to have transitioned to ZTNA by 2023, and with good reason: in 2021, IBM reported that a mature zero trust approach reduced the average cost of a data breach by $1.76 million.
Cybersecurity awareness training should be your top priority
With the threat landscape constantly evolving and getting more advanced by the day, business owners need to prioritise cybersecurity awareness training for the entire team.
If your staff are not trained to be able to identify threats, then it’s only a matter of time before your network suffers a breach. Cybersecurity awareness training will give your employees the skills and confidence to minimise cyber risks, both at work and at home, and it should also be noted that most insurers now require companies to provide mandatory phishing awareness training in order to avail of cyber insurance coverage.
Calnet IT remains at the forefront of cybersecurity in Ireland, providing reliable support and proactive solutions to Irish businesses since 2003.
Contact us today to find out how we can protect your business against cyber threats in real-time.