With phrases like ‘new normal’ being bandied about in our daily lives, there’s a tendency to forget about the finer intricacies of how COVID-19 has changed the way we do business. Yet the nature of how the workforce now interacts with its employers has opened companies up to far greater risks of cyberattack.
Historically, a ‘castle and moat’ approach to cybersecurity has been the go-to strategy. As long as you were barricaded inside the ‘castle’ and happy to make the necessary investments, company infrastructure of servers provided sophisticated cybersecurity options that acted as a defence against siege.
But the pandemic changed all that. As companies were forced to change their ‘ways of working’ and allow staff to work from home, they weakened themselves due to the lack of infrastructure. Even though businesses required employees to continue to work in a creative and collaborative manner, security policies weren’t agile enough to allow them to do so. Location became the biggest threat to cybersecurity as staff started connecting with data from a variety of locations.
This change in perimeter – essentially removing the moat and even the castle walls – has led to increased security threats as employees access sensitive data through unsafe Wi-Fi networks and use personal devices for work. Surveys show that almost half of employees ‘admitted to transferring files between work and personal computers when working from home’ during the pandemic, which is extremely poor safety practice.
The outcome is that cyberattacks are at an all-time high – the Cyber Security Breaches Survey 2022 report from the Department for Digital, Culture, Media and Sport (DCMS) highlighted a rising frequency in cyberattacks, with almost two in five businesses (39 per cent) experiencing cybersecurity breaches or attacks in the last year. Phishing attacks are the most prevalent, but malware, ransomware, denial of service attacks and other breaches are also common. Small businesses – whose data may not be backed up – are especially susceptible to ransomware and denial of service attacks because they are typically not equipped to absorb these attacks. Attackers can often count on ransoms being paid as the cheapest and easiest way for businesses to regain access to their files, as they look to get back to being fully operational as quickly as possible.
In short, businesses, particularly SMEs, are not doing enough when it comes to their own protection; in fact, many lack the necessary expertise in cybersecurity. Of course, it didn’t help that businesses around the world had to cut down on their outgoings as a result of COVID-19, and it can be hard to justify spend on something ‘invisible’ like security protocols. But, when weakened systems (due to lack of infrastructure) combine with unencrypted file sharing, use of weak passwords and a lackadaisical attitude to create a perfect storm of poor security practices, the results are inevitably increased security risks. And it’s a vicious cycle – poor practices fuel increased attacks and so on.
So, where companies might have dialled down their defences, they need to be ramping them up and investment needs to come in three areas; improving the tooling in place, improving the attitude of employees to security risks and investing in the right expertise that can support your business’s cybersecurity.
Strategies like two-factor authentication and physical identification (e.g. FaceID, VoiceID or Fingerprints) aren’t costly, and stronger endpoint protection solutions are required for devices when working remotely; laptops, mobile phones, etc. VPNs hide your online identity and encrypt your traffic, preventing attackers from using your connection to harvest confidential information. Enterprise applications accommodate the needs of an organization, allowing employees to collaborate securely, anytime, anywhere.
Education is also crucial. Rather than staff losing sight of security concerns and complacency creeping into everyday practices, companies should be embarking on in-house training for their teams to improve their online safety knowledge and flag the types of scenarios to which staff could fall victim (as outlined above). This approach ensures staff are aware of current practices around data infringement and, by keeping this as a priority in the eyes of employees and having the right measures in place, internet behaviour can improve.
The ideal business cybersecurity tech stack will feature layered security measures that include perimeter security (such as firewalls), strong endpoint protection, authentication protocols and more, but for business leaders who are looking for a place to start, steps can be taken towards improving digital security. These include:
· Security awareness training: training employees to become more aware of attackers’ methods is a great way to reduce the number of successful breaches, especially phishing attacks. Smaller businesses can have their employees
sit on security awareness courses externally or online.
· Secure email gateways: these are security solutions that provide initial protection, between internet and inbox, and block suspicious mail from reaching employees. This provides effective protection against spam, viruses, malware and ransomware attacks.
· Endpoint protection platforms: this technology protects endpoint devices – laptops, smartphones, tablets, and all other devices that obtain data – from malware attacks and ransomware attack. Examples include CrowdStrike Falcon, F-Secure and Microsoft Defender.
· Password management technologies: businesses can make the task of implementing strong passwords and regular password changes easier by using specially designed platforms that allow users/employees to generate and store different passwords for multiple accounts in one encrypted vault. This reduces the need to remember passwords manually and reduces the chance of employees having the same password for everything.
· Identity and access management: two-factor and multifactor authentication improve help businesses’ security measures by getting each user to provide their identity and establishing authorised access before they can access certain data. Software providers include SailPoint, CyberArk and Azure AD.
Otherwise, the market is burgeoning, with a growing (and promising) trend of businesses looking to add to their security teams. From small information security companies looking for people who manage governance, risk and compliance, to large telecoms companies recruiting Heads of Cybersecurity, Architects and Information Security Consultants, this type of investment is invaluable.