The changing landscape of working environments due to COVID-19 has become an opportunity for cyber attackers. Josh Ong breaks down the potential risks and what we should be aware of.
If you are reading this article as it is published, chances are you are not sitting in an office with colleagues or having face-to-face meetings with clients. Rather, you are probably juggling what appear to be never-ending phone and video calls with social and personal commitments, with little notable delineation between the three.
The lockdowns induced by the COVID-19 pandemic have significantly shifted the landscape we operate in. Large-scale adoption of work-from-home arrangements, heightened activity on customer-facing networks such as IT help desks, and greater use of online services all present new and multiple avenues for heightened cyber-related activity, which cyber-attackers have been quick to exploit.
As we inch towards what appears to be the ‘new normal’ in the foreseeable future, perhaps it is important to understand some of the heightened cyber vulnerabilities that we have left ourselves exposed to as a result of the work-from-home arrangements.
Organisations are adapting to a lot of changes… too quickly and all at once!
Organisations are adapting to employees working from home by widening user access rights and increasing the frequency of staff communications to maintain continuity of business operations. Whilst the pace of change has been unprecedented, employees are having to constantly acclimatise to an ever-growing series of software patches, web links and emails.
Consequently, social engineering ploys are on the rise, with companies now seeing a greater frequency of malware-laced email campaigns that borrow the identities of the organisation itself or of health, aid, and other charity organisations. Examples of phishing emails include those imitating the identity of the employer’s IT help desk and requesting that staff log into a new portal to access information about tasks.
Employee work behaviours have also changed
Being able to work off the corporate network grid and under less stringent centrally managed controls exposes an organisation to an array of additional cybersecurity vulnerabilities. A more relaxed working-from-home environment may induce employees to engage in non-work-related tasks, leading to more internet traffic from browsing unfamiliar websites or downloading unfamiliar software. This is accentuated by organisations encouraging employees to use remote socialising platforms to maintain team morale and rapport. Platforms ranging from Zoom to Discord, Houseparty to Skribbles tend to be newer, untested and more susceptible to cyber-attacks.
Where technology does not function as expected, homebound employees tend to find riskier work-arounds such as saving work documents on local drives or portable storage. In some cases, employees even work from their own personal devices (whether allowed to or not). The lack of cybersecurity controls (network monitoring, antivirus) and back-up systems exposes the organisation to data loss and leakages, potentially causing severe reputational damage and the need for remediation.
The ‘not-so-obvious’ risk of working in a new workspace
Most of us are now sharing a common working space with our partners, families and housemates. There is now a cross-wiring of many different organisations (and potentially competitors) under one roof, where sensitive information might be unintentionally overheard. Furthermore, the lack of network security on home Wi-Fi and the likelihood of physical security measures against theft being in place are additional variables that are difficult to manage within the existing controls and risk management framework of an organisation.
The ‘downside’ in cyber-related risks has to be viewed alongside the ‘upside’ of ultimately preventing many organisations from coming to a complete standstill and maintaining some momentum in continuing the core business operations. In fact, most organisations are well aware of the heightened cyber-related risks due to the new work arrangements, and have attempted to mitigate them by putting in place mandatory e-learning courses as well as reinforcing working-from-home checklists to equip employees with the required know-how to identify and prevent potential cyber risks.
As individuals, while we appreciate that work remains possible even amidst the lockdown, the onus is on us to appropriately adjust our mindset to this fluid and technologically dependent lifestyle, and to practise a certain degree of awareness and vigilance when we work using technology. Little do we know, a more fluid and flexible remote working environment may not be as far into the future as we envisage.
Thank you to Peter Yeates who kindly reviewed this article.
CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.