An unholy triple whammy for IT heads
In this era of working from home, there’s no doubting the herculean efforts of countless IT teams, enabling their organisations to function under immensely tricky circumstances. But as many decisions arose through necessity and urgency, they’ve led to security loopholes and technical debt.
As we begin to recalibrate and adjust to the oft-mentioned ‘new normal’, we pause to look at some significant challenges heightened by the COVID crisis: cybercrime, Shadow IT and BYOD, and remote working.
The cyber-crime time bomb detonated by COVID
“It is expected that the frequency and severity of COVID-19 related cyber-attacks will increase over the coming weeks and months.”
– The UK’s NCSC and the United States DHS, 8 April 2020
As the pandemic tightened its grip across the globe, the UK’s National Cyber Security Centre (NCSC) and the United States Dept. of Homeland Security (DHS) issued a stark warning in a joint advisory. To paraphrase: take cover, we’re under attack.
As in most times of crisis, the best – and the ugliest, sides of human nature revealed themselves. We looked on with pride as community groups, neighbours, and charities rallied to help the most vulnerable. We applauded the NHS and all those who worked tirelessly to care for our loved ones and bring food to our tables.
And then we have the dark underbelly of humanity; the determined and soulless cybercriminals who saw the crisis through one lens only: a payday. The facts speak for themselves, with Interpol reporting an alarming rate of cyberattacks during COVID-19.
As organisations hurriedly deployed remote systems to allow their people to work from home, threat actors were only too ready to exploit new security vulnerabilities. In just four months (from January to April), one Interpol private sector partner alone detected these COVID themed criminal activities:
- 907,000 spam messages
- 737 malware-related incidents
- 48,000 malicious URLs
While there’s evidence to show that cybercriminals are growing in sophistication, the ‘favourites’ persist: phishing emails, malware (ransomware, data harvesting and DDoS attacks) and malicious domains.
And again, the facts tell the story. A poll by Check Point of over 400 professionals in global organisations with 500 or more employees revealed:
- 71% of security pros saw an increase in security threats or attacks since the start of the coronavirus pandemic.
- Phishing (55%), malicious websites (32%), malware (28%) and ransomware (19%) cited as the top threats.
- 95% of respondents feel under greater pressure because they believe home working has exacerbated the risks.
In its report of 4 August, Interpol echoes the warnings of other respected intelligence bodies:
“A further increase in cybercrime is highly likely in the near future. Vulnerabilities related to working from home and the potential for increased financial benefit will see cybercriminals continue to ramp up their activities and develop more advanced and sophisticated modus operandi.”
Shadow IT and BYOD – a growing headache for organisations
The poll by Check Point also saw nearly half the respondents agree that home workers’ use of Shadow IT solutions represented a significant problem.
“Shadow IT compromises the security posture of organisations because it markedly increases their attack surface,” says Luke Kiely, our Head of Internal Cyber Security and Technical Compliance.
The risks of adopting tech without involving an IT team include:
- Governance and compliance in freefall. An absence of due diligence can lead to the use of tools that fail to meet organisational, client or regulatory requirements (for example, the GDPR).
- Holes in data security. Shadow IT applications may lack the necessary controls (e.g. access and backups), increasing the dangers of data leakage.
- Higher costs. Poor choices could mean escalating expenses (e.g. running costs or add-on purchases) which don’t offer value for money or economies of scale.
- Technical debts. Often, IT is tasked with the unwanted responsibility of unpicking the mess and plugging the holes.
But why is Shadow IT so rampant? Fundamentally, it comes down to a disconnect between users and IT departments. Employees don’t get out of bed each morning with the express intention of annoying their IT colleagues; most simply want to do their job the best they can.
And if your users feel their needs aren’t being met, they’ll seek the solutions independently.
What’s the answer to Shadow IT? It’s both technical and cultural. It’s about striking a balance between empowering your employees and safeguarding your assets. The best IT kitbags include the appropriate technical controls alongside easily digestible policies, regularly endorsed from the top down.
And Tristan Watkins, our Head of Service Architecture, Security and Compliance, adds that the use of home computers for work is a massive factor in cyber security. On the flip side of the convenience of BYOD (bring your own device), there’s the potential for data leakage, theft, and reduced organisational visibility.
In his short video: The Bring-Your-Own-Device (BYOD) problem with home computers, Tristan explains how session controls can help.
The psychology of people working from home
As we raised a glass to 2020, few of us could have imagined that the bells heralded what would come to feel like a low-budget apocalypse movie.
People wearing masks and doing merry dances in shops to avoid one another (or not), schools and workplaces shut, and numerous stories of loss: jobs, financial stability, physical separation and bereavement.
In this era of fast-breaking news, it’s understandable that many of us are more stressed, leading to hypervigilance and anxiety. We’ve had to believe the unbelievable, which may have made us more susceptible to the nefarious tactics of cybercriminals.
Or perhaps we’re more easily distracted, but whatever your preferred theory, there’s no doubt that many organisations are being outrun and outmanoeuvred by the bad guys.
There’s a proven link to successful social engineering attacks and personality factors. In The Technological and Psychological Challenges of Working from Home, Forbes reported that people scoring low on conscientiousness are at greater risk of cyber-attack.
And interestingly, there’s scientific evidence to suggest that extraverted employees are more likely to violate cybersecurity policies, in comparison to conscientious individuals.
It isn’t a stretch to conclude that without the proximity and influence of their peers, many of those working from home will behave differently to how they would in the workplace.
In summary, a people-centric approach to lowering the cyber risks, by way of education and regular training, is more crucial than ever.
What’s next? Free cyber security advice from experts!
On 30 September, we’re hosting a virtual roundtable for IT and cyber leaders: Cybersecurity in the Post-Pandemic Era.
This unique event brings together a diverse panel of top minds in cybercrime and IT, including speakers from the AA, Crest Nicholson and the company behind HS2.
Join them – it’s gold dust, and it’s free – to hear their personal stories and insights, including:
- Adapting to the new threat landscape
- Securing your business and remote workforce
- Ensuring business continuity during times of unprecedented change
You’ll have the opportunity to pose your pressing questions to our panel, and will leave with takeaways on how to mitigate your cyber risks.
Sign Up Here