When the pandemic first hit, many organizations scrambled to keep the lights on, adopting technologies and implementing processes that would help them shift to remote working overnight, all in the name of business continuity. Yet, well over a year on, many of these short-term cybersecurity solutions are still in place.
About the author
Ben King is Chief Security Officer EMEA at Okta.
Despite a continually advancing cyberthreat landscape, with ransomware, social engineering and IoT-based attacks ever increasing, organizations are still using poor security solutions. This needs to change as it is only a matter of time before more breaches occur. So why are organizations still falling behind on security?
Implementing workplace security measures
Although social-distancing restrictions and the government advice to work from home is soon set to end in the UK, it is uncertain whether the return to the workplace will ever return to the ‘normal’ it once was. Many organizations are opting for a staggered return to the office, primarily on a hybrid basis, with research from Okta suggesting that the traditional 9 to 5 could even cease to exist once restrictions ease. Over three quarters (79%) of respondents agree with changes to governmental legislation that would make it illegal for organizations to force employees to go into the office, suggesting remote working may be here to stay. On top of this, almost two-thirds (62%) would choose to work in an asynchronous environment in which there are no fixed hours for employees and people can choose where and when they would like to work if given the opportunity.
With a large proportion of employees wanting to define their own working preferences, organizations must ensure their staff have sufficient technology and security in place to enable this. Yet, 15% still do not know if their current employer has any security measures in place, a worrying disconnect between management and staff on the security awareness narrative.
The rising threats
This is particularly worrying because there are now more security risks than ever, with criminals evolving and adapting to change more quickly than all but the most agile organizations. As a result, cybersecurity breaches are becoming more frequent, severe and sophisticated. Driven by a surge in phishing and ransomware, criminals are targeting VPNs and other exposed areas of an organization, which leaves workforces more vulnerable to attack. The past year has seen the UK’s National Cyber Security Centre handle more than three times as many ransomware incidents than in the previous year. This surge in ransomware targeting many high-profile companies, coupled with the rise of Ransomware-as-a Service, has made it far easier for criminals to launch attacks, as they can simply purchase the software rather than having to spend time and resources developing the technology.
The pandemic has also seen a sustained change in online behaviors. People are more likely to click on suspicious links when isolated at home making it even more difficult for traditional defenses to effectively protect the organization and its workforce. For example, we’re seeing an increase in phishing attacks taking place via text messages and personal social media accounts, such as the Post Office ‘failed delivery’ text message phishing scams which included a link to a fraudulent website asking for payment. Scams related to COVID-19, healthcare, tax and other common emotive cues are likewise circulating, presumably because they remain successful at volume. Criminals are also increasingly using number spoofing scams to change their caller ID to disguise their identity and trick individuals into thinking that they are receiving a call from a recognized business such as a bank, in order to encourage people to share personal, company or financial data.
To prevent their employees from falling victim to these kinds of attacks, we have seen many organizations fast-track remote working security tools to give their employees the security they need to work from home safely and maintain business continuity. However, a short-term fire-fighting approach isn’t sustainable or futureproof. The need for organizations to invest in security technology and staff that can protect a remote workforce has never been more important.
The technology needed
The worrying news is that two-thirds of office workers admit to still using passwords as their only security measure. On top of this, many people continue to duplicate their passwords across their full range of online accounts, making it easier for hackers to steal their digital identity. This leaves organizations open to multiple attacks from just a single initial breach. To protect their workforces, organizations must instead incorporate multi-factor authentication (MFA) security solutions that combine passwords with other factors, such as physical tokens, contextual information, or biometrics. The addition of MFA makes it both far harder for malicious actors to access a network, as well as making detecting such attempts easier to spot. Trusted password managers can also be used by organizations to generate unique and complex passwords for sites that do not support additional authentication factors to provide better protection.
As more and more data is created and the number of access points for criminals to exploit increases, IT teams are also at risk of becoming over-stretched. In response, productized security automation and orchestration tools have also become increasingly valuable. Security orchestration tools can be used to automate processes such as identifying potential security threats and applying corrective actions. Emerging technology such as artificial intelligence (AI) can also be incorporated to learn and identify unusual or suspicious patterns of behavior online, providing an additional layer of security.
The steps required by organizations to protect themselves long-term
The pandemic has highlighted the urgent need for organizations to adopt a shift in mindset when it comes to security. Businesses need to ensure they are better prepared to meet demands for hybrid working models, as many people continue to work from home.
With employees becoming the new frontline when it comes to security practices, organizations should equip workers with the understanding that being secure is an essential company mindset. This includes a move to using Zero Trust frameworks which analyze the people who access their systems and the access controls for those individuals. In Europe, 76% of IT and security leaders admit that COVID-19 and the remote working economy has accelerated Zero Trust as a priority at their organization. The core principle of Zero Trust architectures is that all network traffic should be considered untrusted and is a shift away from the idea of a trusted internal network versus an untrusted external network.
By empowering employees to stay vigilant against potential threats and to actively report any suspicious activity, such as phishing attempts, malware attacks or hacks, organizations will be better prepared to protect their workforce, no matter where employees log in from. Making security a priority for all workers is also key. Organizations need to educate employees in IT best practices, such as avoiding clicking on links in unsolicited emails and opening unknown attachments, alongside sharing personal, company or financial information with unverified contacts or in an insecure way.
In short, a successful, secure hybrid working model requires the consolidation of all aspects of IT. To achieve this, organizations need flexibility in the technology they use and must adopt a strategic approach to how they manage the way employees access and share information, wherever they are. The longer organizations hang onto their short-term solutions, the greater the risk that they could fall victim to the next major attack.