Over the past 18 months, the world has undergone a radical experiment with remote and hybrid work due to global lockdowns and social distancing in the face of the COVID-19 pandemic. Now, as many employers are pushing for a return to the office, many of them are being faced with aggressive pushback from workforces that have come to realise over the last year and a half that full-time in-person work is about as outdated as fax machines and dial-up internet. As the “Great Resignation” looms, businesses are being forced to recognise that a key differentiator when it comes to attracting and retaining top-tier talent (or any talent at all for that matter) will be a flexible, hybridised approach to work.
However, during the pandemic and going forward into this brave new hybrid world, business leaders are also being forced to contend with the rapidly evolving threat landscape thrown into overdrive by the pandemic. “The last 18 months have shown us that we are in for going forward,” explains Ian Keller, director of customer security at Ericsson. “There has been a dramatic increase, not only in the number of attacks but the number of successful compromises.” These increasingly common security breaches, Keller continues, haven’t just been affecting “small companies with tight budgets and limited skills, but companies that have long been deemed bastions of security and good practice.”
As more of the world works online, and every industry from retail to defence becomes increasingly tech-saturated, the potential threat of fraud and cybersecurity breaches looms larger every day as we get closer and closer to a “post-pandemic” world - if such a thing even exists.
The COVID-19 Cybercrime Wave
A huge part of the spike in cyber attacks that enterprises and governments have experienced during the pandemic is, Keller explains, a direct response to new opportunities and vulnerabilities created by remote work.
He notes that, as companies have scrambled to remain operational (and profitable) during the crisis, “Good security practice has gone out the door for the sake of expediency; freeware tools and weak passwords are being used for remote access to infrastructure.” The subsequent attacks have successfully hit everything from Fortune 500 companies to critical government infrastructure, “with hospitals being held to ransom and potentially lethal changes made to the water supply.” These decidedly Tom Clancy-esque, high-profile breaches, Keller adds, “are just the tip of the iceberg as most breaches are not even reported on.”
Even in the less dramatic setting of the everyday home, Keller notes that many remote workers are even less safe than they think. “Consider your new home office,” he says, explaining that even if you’re working from a fully-protected corporate laptop “with all the security bells and whistles,” most people share their home network with their “kids and their devices, which typically have a freeware antivirus on it… all on the same network. We now have numerous companies on the same internet link and on one internal wi-fi network, and we all know security is only as good as its weakest link,” Keller warns.
The Hybrid Problem
Adam Philpott, a Senior VP at McAfee, stresses to me that “the threats which organisations have been facing since the start of the pandemic have been facilitated by an increase in remote working – which as we know isn’t going to end any time soon, if ever.” Even if the world boomerangs back to the proportion of in-person work that we saw before the pandemic - which all the data, from Kickstarter’s recent experiments with a four-day workweek to the findings of a study by McKinsey which found that between 20-25% of the workforces in advanced economies could work from home between three and five days a week, suggests is highly unlikely - Philpott says that “it’s unlikely that levels of cybercrime will be drastically reduced over the next couple of years.”
As much as the shift to remote work has turned the past year into one long nightmare for cybersecurity teams, Philpott says that a hybrid world will be even more dangerous. “The main difficulty with hybrid working from a cybersecurity perspective is that compared to either fully remote or full on-prem, IT teams are having to simultaneously manage security risks that occur both in and out of the office,” he says. “As a result, the workforce is exposed to a larger number of threats and IT teams’ workloads are subsequently increased.”
Keller agrees that “The hybrid network has also dramatically increased the attack surface of a company. Where traditionally we had very tight control over the networks’ ingress and egress points, we now have thousands of points.”
There are a number of different approaches that companies can supposedly use to tackle this radically more dangerous threat landscape. The ones that will be successful (this state of affairs, even in Philpott’s most optimistic projection, isn’t going away for another couple of years, remember?) are those that attack the problem from multiple angles.
Keller explains that the threat of IoT is not in the devices themselves but in the ease with which they can be procured and added to the network: many IoT devices are “plug and play”, which means they often end up as endpoints to secure systems while still using default passwords and security configurations. “For me, there is only one way of dealing with this threat, and it’s a combination of solid governance throughout the company, from finance through procurement and to technology, where spending is investigated to stop or prohibit the purchasing of IoT technology that is not approved through the relevant governance forums,” he adds. This approach, in combination with strict network access controls that ensure “no device should be able to connect to the network if not clearly identified and evaluated for risk and compliance to policy,” can help IT departments go a long way towards safeguarding their assets.
Philpott advocates going even further. He’s a huge advocate of the Zero Trust approach, which “means that organisations trust no one when it comes to security – not trusting anything outside or crucially, inside of their networks.” This mindset, he adds, will be especially important as more and more enterprises move towards the cloud post-pandemic. “Our research saw a 50% increase in enterprise cloud use between January and April 2020 alone. As cloud plays an increasingly important role in business operations, it’s getting harder for IT teams to identify who and what should be trusted in an organisation’s network. A zero-trust approach allows teams to reduce the risk of their cloud and container deployments while also improving governance and compliance,” Philpott says.
The change currently sweeping the cybersecurity and fraud-prevention sector is seismic. While rumblings have been felt “for years”, according to Keller, the pandemic threw into stark relief the fact that “we should move away from the reliance on firewalls to secure our networks and move the defences to the device - if not the data itself.”