How are SMEs affected by the threat of another lockdown?

So how does this affect cyber security? What’s it got to do with a company like mine, apart from, of course, if we are one of those considering redundancies, which, thankfully, we’re not? But cyber criminals won’t be laying anyone off either; in fact, they’ll be rubbing their hands with glee at what they see as more opportunities to relieve companies of their hard-earned cash.

Why is that? Quite simply, it will be related to more homeworking and the vulnerabilities that can be exploited via that environment. It will also be related to the loss of staff, often IT and admin staff, who are seen as more dispensable because they don’t, in some eyes, contribute to the core business, although I think that can be somewhat short-sighted. However, hard decisions have to be made and some rationale has to be used. If you are not a revenue earner, and can be seen as a cost, then you are probably at risk.

This in turn means that the remaining staff have to take on extra responsibilities, often outside their normal job function, which they are not well equipped to handle. They will put up little fight, as they themselves are feeling relieved that they are not on the redundancy list. It’s not selfish, just human.

Turning back to home working, and at the risk of boring those who have read my views on that before, a distributed work environment, i.e. personnel spread around various locations working from home, creates critical challenges and new security threats. The speed with which this has happened has meant that many simply did not take this into account, and if they did, they thought: well, this is temporary and it won’t matter in the long run. Well, perhaps, but as many are now finding, there have been advantages to home working, not least a lowering of costs in terms of how much office space is actually needed to carry out the business function. Many are now looking at hybrid working, i.e. working from home with a day or two in the office during the week. There are pros and cons to this that are outside the scope of this article, and businesses will have to make their own judgements, but one thing is clear: businesses need to understand the risks now inherent in distributed work, and need to get better at cyber security and data protection in those environments.

Work-from-home employees are at much greater risk than those in offices. Since home connections are less secure, cybercriminals have an easier entry into the company network. Furthermore, the explosion of online tools, solutions, and services for collaboration and productivity has brought products that tend to have the bare minimum of security in their default settings, and updates from third-party vendors can change security preferences and be easily overlooked.

Phishing becomes an even greater threat to home workers simply because, in an office environment, they have access to colleagues and managers whom they can approach for advice and guidance. This is much harder to replicate with remote workers, especially those who may not be particularly tech-savvy and who may not wish to become ‘burdensome’ to their co-workers.

Ransomware also enjoys an advantage in the work-from-home model. If their connection to the company is blocked, it is more difficult for workers to get assistance from the right experts and authorities. And since trust levels are lower when working from home, some workers will be concerned that they have “done something wrong” and so may be more reluctant to seek help. While this risk can be addressed by increased training, as well as messaging that vigilance and involving company IT will be rewarded, it can still be an uphill battle.

Attacks are on the increase. Some vulnerabilities, such as the Log4j flaw, are being exploited in nation-state attacks, but don’t for a minute think that other groups won’t use it to attack smaller targets. Taking £1K off 100 targets is a good return on investment. Just about everything that companies do these days, and consumers for that matter, is web-based, using some form of web-enabled software, operating system or app, and the Log4j flaw sits in a logging library used by software written in Java, a popular programming language. Without boring you with technicalities: as more and more people move to cloud-based systems, and especially to home working (and let’s not forget the working-from-the-coffee-shop culture), the more data in transit can be exploited and the more these systems can be exploited.

So now we not only have problems introduced, or perhaps revisited, via more home working, but these are compounded by a reduction in staff, with the remaining staff taking on duties that are outside their normal field and for which they are very possibly ill-equipped.

A Managed Cyber Security Officer manages everything to do with your online security, from assessing your threats and vulnerabilities, to working with your IT partner or staff to ensure you are protected. They are live named experts who work for you for an agreed number of hours per month. Whilst SMEs can rarely afford such a highly qualified person, more and more firms are now realising that they need a dedicated resource to manage the growing number of online threats and risks that face their business, and to take responsibility for ensuring they are doing all they can to be protected.

The benefits of having a Managed Cyber Security Officer include:

  • No need to employ someone full time, or allocate an existing member of staff to cyber security.
  • The Managed Cyber Security Officer is a named person who is always available to you within the hours contracted.
  • They will respond to your cyber security queries within 2 hours.
  • They will work and liaise with your IT provider and/or internal IT resource to minimise the risk of cyber threats.
  • They will assess your cyber threat vulnerability and undertake a monthly scan of your systems to identify any areas of concern (this attracts an additional cost).
  • They will manage and investigate any cyber risks you fall victim to.
  • They will provide you with regular advice and guidance on cyber security.