The past year has fundamentally changed the way we work today and how we will work in the future. Before 2020, companies that offered their employees the possibility of remote work were considered forward-thinking. They understood that not all employees need to be in the same location to be productive and drive the company forward.
When COVID-19 became a reality, employees had to start working remotely almost immediately to maintain business continuity. It was an enormous change both for companies and for people who had never worked fully or partly remotely. Everybody became familiar with collaboration tools like messaging applications, video conferencing, or file-sharing overnight.
Now experts estimate that even once the global pandemic is over, we will never return to working solely from the office. PwC estimated that 83% of employees would want to work once a week from home, and 55% will want to continue working fully remotely.
Moving completely to remote work has been a challenge for IT leaders and security teams for the past year. The storm has not yet passed. The hybrid environment will continue to be a cybersecurity risk in the years to come. While employees will most likely thrive in this environment by being more productive and maximizing their work-life balance, attackers will try to take advantage of this vulnerability.
We will take a look at what hybrid work means for security operations, the risks, and how you can enhance your security using technology and training.
According to a recent report from Tessian, half of the organizations surveyed were hit by a security incident while employees were working remotely in 2020. In their survey, 75% of the respondents stated that they believe that remote work will remain significant, and a hybrid workforce will continue to have many unique cybersecurity challenges that IT leaders and security teams must prepare to resolve.
One of the primary findings of the report was the increase in phishing and ransomware attacks targeting employees. Email-based threats have been a top priority for CISOs to tackle for years, and at Hoxhunt, we have seen an increasing interest in preparing people to face social engineering attacks.
Another issue is that employees could be using their personal devices for work, their family members could have access to their work devices, or their home network could be more vulnerable to threats and attacks than the one at the office. This means they could be downloading unsafe applications or malware, or accessing data from unsafe devices.
In addition to working from home, security leaders need to consider, more than ever, that people may be working over public WiFi.
Of course, while employee well-being and productivity are vital for an organization, security operations need to come up with a plan that identifies the risks of the hybrid work environment in order to prepare multiple layers of security solutions that defend the company’s network, data, cash, and intellectual property.
To mitigate the most likely threats, IT leaders can identify how to update both their technical defenses and security awareness training to minimize the risk of a breach, but also to maximize the benefits of the changing work environment for the employees. While 34% of leaders are afraid that maintaining security during hybrid work will put pressure on their teams, with good planning, the right technology, and adequate training, you can remove the stress from your teams and employees.
The hybrid environment could increase the opportunities for attackers to launch an attack.
Attackers tend to exploit unfortunate events for their own gain. The global pandemic has been no different. It has been the perfect opportunity to prey on people’s fear, curiosity, anxiety, or vulnerability. Moving to remote offices was a unique situation that we had never experienced before, and it had an immediate effect on people; many felt stressed, overwhelmed, or even isolated.
It's no wonder that phishing scams have been on the rise. Not long after the pandemic started to take over the world, reports showed a 667% increase in phishing emails. Even the FBI has issued a warning regarding the alarming increase in scams.
As Tessian stated, between March and July 2020, 68% of the survey respondents admitted that they clicked a link or downloaded an attachment. Of all incidents, 49% started with a phishing attack. It's no wonder that organizations consider phishing one of the top priorities that they need to tackle.
The most typical email-based threats.
To start, policies, service level agreements (SLAs), and data processing agreements (DPAs) should be updated to reflect the challenges of hybrid work environments.
When you are reviewing the policies, make sure that you concentrate on the paragraphs that cover work-from-home rules. Don’t focus only on the users’ security behavior; also plan how you will ensure business continuity if a breach happens, by responding to the incident and mitigating it.
When you update your policies and create new processes, communication is key. You can’t expect people to review the security policies by themselves. You need to communicate them actively to make sure that they stick. You may want to collaborate on this with someone from your internal communication team to make sure that you reach your employees. This is the first step to preventing attacks in hybrid work environments. In your communication plan, you also need to leave space for technology and training.
Both technology and training will play an essential role in defending your organization from a breach.
On the technology side, you can use a lot of tools to improve your security position. We’ve listed some of the essential measures that you can implement to keep your users safe.
As a cybersecurity provider, we cannot emphasize enough how important it is to train your employees frequently with realistic simulations. We saw new threat vectors and phishing emails constantly emerging, especially at the beginning of the pandemic: attackers were utilizing COVID-19 as their primary theme, preying on people’s fear and anxiety.
Cybersecurity awareness training will be more important than before. You can’t ignore the basics, especially when you have new people joining your company who may never have received any education before or who come from a completely different security culture. At the same time, you need to emphasize the need to change people’s cyber behavior. It’s important to teach people the habit of being careful when using their email and reporting potential threats. You can achieve alertness and contribution through frequent, up-to-date, and personalized training.
When people start reporting threats, make sure that the process is clear to employees so that you can start mitigation work as soon as possible. The process should be simple and positive so that employees dare to come forward.
When training is engaging and deeply integrated into people’s workflow without disrupting their productivity, they don’t mind participating, and it’s easier to build cooperation with them to support your defense work. Security awareness training needs to resonate with people so that it isn’t just another burden for them.
As 58% of all IT leaders are planning to introduce more training, the emphasis will go toward finding training providers that can truly capture people’s interest and give them lessons on how they can protect their employers' assets and take these skills to their personal lives as well.
Accommodating the new hybrid work environment hasn’t been easy for most people, but as the survey results show, people have learned to enjoy its benefits and want to continue working from home. This is a fact security teams cannot ignore, and they need to update their playbooks to reflect the unique challenges of remote work.
While at the moment it may seem like a burden to create plans, buy new technologies, and take your training to the next level, in the long term it will pay off. A majority of people clearly enjoy the freedom that remote work brings to their lives, and it can improve their productivity, which is beneficial for any company.
Focus on improving people’s security behavior step by step. Forming a habit takes time, but it’s the most beneficial for your defenses. At the same time, people will also learn to be safer in their private lives.