75% of IT decision makers believe the future of work will be ‘remote’ or ‘hybrid’.
I return to one of the subjects I’ve written about a lot since March 2020: data security and remote working.
As well as reflecting on the enormous changes we all experienced since 23 March 2020, I use analysis from Tessian in this article to demonstrate the increased data security threats we all now face, to inform practical and tangible steps all organisations should be implementing now, and which UKDataSecure can help you with today*.
Whilst you may be an organisation prioritising survival when you look at revenue streams and budgets currently, I cannot emphasise enough that, to secure the viability of your ongoing business, you need to secure your data and ensure that your greater reliance on your remote workforce does not compromise your data security, cyber hygiene and data privacy controls.
UKDataSecure can help you* with very cost effective, flexible and pragmatic data security services to mitigate the increased risks that come with remote working.
Please don't be tempted to deprioritise information security in these unusual times at the expense of becoming a victim of a data breach; no one is immune, as we've seen this year with significant breaches experienced by EasyJet, Honda, Garmin, Blackbaud, Twitter, Marriott and many more.
Please contact us and book a short chat this week using https://bit.ly/ukdsbookacall.
The World Changed Forever…
On 20 March 2020 I took my last business trip into London to meet with clients and chat about future collaboration opportunities with respected peers.
Three days later, on 23 March, our world and everything we assumed was normal changed forever. Amongst other things, office workers faced a significant and fundamental change which they had little option but to adopt: leave the office and work from home!
Some organisations, already used to working across multiple office locations (and I include in that at least one of my clients), were of course prepared; many more were not.
We read from many sources that five years of digital transformation was forced into little more than five months. Chief Information Security Officers (CISOs) have told me that their existing Business Continuity Plans were ripped up in the first weeks of lockdown, when they were tested to the limit and found wanting, and that new plans, processes and procedures were formulated in days to cope.
Those first few days and weeks after national lockdown was enforced upon us were tough on technology teams expected to deliver hardware and software to allow seamless continuation of business, and whilst keeping the proverbial wheels on the bus was the first priority, Information Security Managers suddenly had a much bigger data security problem to deal with.
By the time regional lockdowns and the second national lockdown happened in the ensuing nine months, most organisations had settled into what is referred to as the ‘new normal’ (a phrase I personally dislike, but it describes the situation appropriately). Tessian’s recent analysis, from their own experiences, confirms the ‘new normal’ is here to stay, and with it numerous risks, threats and vulnerabilities to organisations’ data security.
Data Security Risks and Threats Increased
I summarise here some of Tessian’s findings:
75% of IT decision makers believe the future of work will be ‘remote’ or ‘hybrid’.
Half of organisations experienced a data breach between March and July 2020.
78% of IT decision makers believe their company is at greater risk of insider threats when employees work remotely.
58% of businesses intend to introduce more security training if their company adopts remote working permanently.
Email traffic increased by 129% at the start of the lockdown period enforced by the COVID-19 pandemic.
Phishing was the leading cause of security incidents when employees worked remotely.
Tessian’s research suggests that employees agree with IT decision makers:
Just 11% of employees want to work exclusively from the office post-pandemic; the average employee wants to be able to work remotely at least two days a week.
35% of employees said they wouldn’t consider working for an organisation that didn’t allow flexible working.
Tessian breaks down statistics by age group, gender, geography and department, but the overriding challenge is that accommodating these preferences and expectations creates significant and fundamental challenges for data security.
Behind employee wellbeing (50%), the next biggest concern for IT leaders is employees’ unsafe data security practices (46%), acknowledging that the two go hand in hand. More data breaches come third (40%) and more phishing attacks fourth (39%).
Risks that Threaten Remote Working
You will be familiar with most of these. The following percentages of IT decision makers experienced more of each threat between March and July 2020 than in the previous five months:
30% ransomware attacks delivered by phishing
29% smishing attacks (SMS phishing)
27% phishing attacks
27% insider threats
24% vishing attacks (voice phishing)
22% business email compromise (BEC) attacks
A high-profile example mentioned earlier: ‘In July 2020, Twitter experienced a major data breach, which led to the hacking of accounts belonging to celebrities and politicians like Joe Biden and Kim Kardashian-West. Attackers used a ‘vishing’ attack to target a small group of Twitter employees, tricking them into sharing network credentials. The scammers reportedly made more than $100,000 from the attack and exposed how easily attackers can dupe people into sharing highly sensitive information.’
Tessian also analyses the causes of data breaches between March and July 2020, including:
49% phishing attacks
45% malware
43% malicious insider
37% unpatched software
35% ransomware attack
34% user error
Phishing is a greater risk for remote workers because employees can’t easily verify a suspicious email with a colleague when working at home, and they will often mistake phishing emails for genuine emails from their own organisation.
There is much evidence of phishing emails targeting employees with links to ‘new software updates’ for video conferencing and other applications and software required for remote working, or purporting to be from their senior management asking them to send important information outside of the organisation.
27% of businesses experienced more security breaches caused by insiders during March to July 2020, and not all of this is due to malicious intent; in many cases people didn’t realise that they were doing anything wrong.
Working remotely, employees are known to be more likely to use personal email accounts, and personal devices not managed by a Bring Your Own Device (BYOD) policy and Mobile Device Management (MDM) solutions; 58% of employees used personal devices during lockdown and 78% received a phishing email whilst working on a personal device.
With this in mind, 43% of IT leaders said they are now looking to upgrade or implement new BYOD policies in order to better secure their organisation for a future of hybrid working.
Tessian’s findings build on some of the top cyber threats remote workers have been subject to since lockdown enforced remote home working, explored in one of my previous articles, Threat Model of a Remote Worker, including:
Attacks on the availability of remote-access solutions, such as VPNs and email services (e.g. distributed denial of service (DDoS) attacks).
Lost or stolen devices.
Data leakage owing to inadvertent disclosure, increasing accidental exposure of your company’s sensitive information.
Unauthorised access to sensitive corporate data.
Reuse of stolen or leaked user credentials.
Email channel security has become even more important since lockdown; much of the 129% lockdown increase in email traffic will have been employees staying connected when unable to have face to face conversations in the office.
Working from home has inevitably introduced more distractions (e.g. children, partners and pets in close proximity), so email threats are more easily missed; and the inherently open nature of email means it is much more susceptible to attackers impersonating people or third parties your employees regularly communicate with by email.
Whilst IT leaders appreciate there is much to do to achieve and sustain appropriate data security amongst remote working employees, they are concerned that their teams don’t have the bandwidth to cope; 34% are worried that their teams are stretched too far in terms of time and resource.
Appropriate Training Is Crucial
Data security education and awareness is obviously key to making sure remote working employees are prepared to manage security risks on their own at home, but delivering it is also made more difficult by the very fact that they are working at home.
Tessian states that ‘despite 57% of IT departments implementing more education and security training for their employees during the pandemic, nearly 1 in 5 workers said they didn’t take part.’
And worse, 34% of organisations have not implemented additional or revised data security education and awareness training since the pandemic lockdown. It’s absolutely essential that remote workers are aware of how they may be targeted at home and that they are educated to appreciate how their remote ways of working could compromise your company’s data security.
Focus of Data Security Controls Has Not Changed Forever…
Whilst the world changed forever in March 2020, key risks and vulnerabilities have not; the Verizon 2020 Data Breach Investigations Report states that credential theft, social attacks (i.e., phishing and business email compromise) and errors cause the majority of breaches (67% or more).
We know that these tactics prove effective for attackers, so they return to them time and again. Verizon identifies that, for most organisations, these three tactics should be the focus of the bulk of security efforts.
FairWarning recently outlined the things that organisations with advanced privacy programme maturity focus on, providing us with a very useful checklist of things we should be doing as standard to support remote working data security and privacy:
Conduct regular data security risk assessments
Have an incident response plan
Have data security policies and procedures that are reviewed/updated regularly
Provide regular data protection and security training to our workforce
Have identified potential threats to our data
Know where all our data is located and where it flows
Understand the data processing activities that impact the privacy and security of our data
The message remains to maintain great basic data security controls, but think hard and tailor these to protect our remote workers who are never likely to exclusively work in the offices they once occupied.
*UKDataSecure is currently working with organisations across multiple industry sectors, including start-ups, small and medium sized enterprises (SMEs), FinTechs, retailers and others.
We can help your organisation with just about everything you need to secure your remote workforces, whether it be data security policies, incident response planning, security by design, data permeation, expert resources and experience, remote Data Security as a Service, training and awareness or something bespoke for your organisation.
We can also help you to achieve and certify against most data security and privacy frameworks including PCI DSS, GDPR, ISO27001, Cyber Essentials, NIST, SOC2, NIS and CAF.
We’d love to talk to you today to see how we can help you to maintain and improve secure working amongst your remote workforce; the new normal we are getting ever more used to in our Covid-19 impacted world.
Please contact us and book a short chat this week using https://bit.ly/ukdsbookacall.
I look forward to talking through the details of the services we offer as soon as we can, and I look forward to working with new clients to achieve appropriate data risk management and information security governance and compliance as required.