A surprising number of my fellow IT Professionals need to wake up and see what is coming before it’s far too late!
The rush to ‘Work From Home’ some 18 months ago was the precursor to possibly the most significant single threat to cyber security since, well, ever: ‘The Return to the Office’. Numerous reports published over recent months show the situation is dire, and the risk to fundamental cyber security is off the chart.
Take the findings of the ‘Blurred Lines and Blindspots’ and ‘Rebellions & Rejections’ Reports from HP Wolf Security. [i]
The home/remote working shift is here to stay, and it has changed the scale of cybersecurity risk. Many IT Pros, and even more of their employers, have not fully appreciated this.
The threat is either less visible or wholly underestimated. Senior management frequently believes “we are too small to be targeted”, “that sounds too expensive”, or simply “it won’t happen to us”.
WAKE UP! – It will happen, and it will cost you a lot of money. According to the National Cyber Security Centre, the typical cost of a security breach is at least £9000 for small businesses and rising exponentially for the larger organisations.[ii]
Why should the return to the office cause such a massive increase in the risk/threat levels? Consider the following analysis from the HP Wolf reports!
63% of UK office workers report they have started to regard their work notebook/laptop as both their work and personal notebook/laptop.
12% of UK workers said that someone else has used their work devices in the past year.
27% of those that have shared their device say they know they are not meant to, but the exceptional nature of the pandemic gave them no choice.
20% allowed unauthorised usage of a work device multiple times a day.
YouGov asked IT professionals. They estimated that approximately a third (33%) of their end-users use their work computer for personal things (e.g., gaming, shopping, browsing for fun). In reality, the percentage is much higher!
In fact, 70% of office workers admitted using their work device or letting someone else use it for personal tasks. It is those personal tasks that cause the increased risk/threat level.
55% opened personal email attachments or web pages.
These will be emails that have not passed through any corporate network security.
27% played games.
Bad actors exploiting popular gaming platforms increased by 54% between January and April 2020, often directing users to phishing pages.
36% watched online streaming services.
According to KuppingerCole analysis, streaming services were also targeted during the pandemic, with at least 700 fraudulent websites impersonating popular streaming services identified in 7 days in April 2020.
Phishing scams that targeted Netflix users increased 60% over 2019. Phishing URLs that targeted Netflix increased 646% over 2019, those targeting Twitch increased 337%, and those targeting YouTube increased 3,064%.
The “Rebellions & Rejections” Report highlights that apathy, frustration and circumvention are rife within the end-user community:
64% of those interviewed cited that they had not had any cyber security awareness training regarding remote working.
39% of those aged 18 to 24 were unsure of the existing data security policies.
48% said they felt that all the rules just get in the way.
31% of the 18-24 age group admitted that they had tried to actively circumvent corporate security controls.
So, with the above in mind, how safe is your network now that all those unprotected/mistreated devices are plugging back in?
Most cyber-criminals are very patient; I can assure you that they are just waiting for the likes of Audrey, in marketing, or Colin, in customer support, to return to the office with their laptops.
You know, the very laptops they have, most likely, let the kids use, or been downloading torrents on, or been streaming god knows what from god knows where!
And then plugging them directly into your corporate network, the one so nicely secured from the outside world.
And in all probability, the scumbags know that the device they compromised is now on a corporate network. Consequently, it is just a matter of time before they bring a particularly nasty flavour of crazy to your company.
Depending on your corporate risk appetite, mitigation could be as simple as banning portable devices from the network.
However, this is not as simple an approach as it may sound and requires several steps and full co-operation from the workforce.
These include taking all laptops off returners as they walk in the door, conducting a forensic level wipe, and rebuilding the returned devices.
Also, a vital step is to constantly monitor your network for any anomalies and take your general threat level to the highest possible level. Equate’s Cyber Security Practice can help you manage this risk and provide actionable intelligence to further minimise the issue.
Combine this with mandatory cybersecurity awareness training for all staff. Good quality Cyber Security training is proven to reduce any organisation’s risk of accidental end-user-driven compromise from 30% to 5%. Of course, training is nothing without metrics, and the Equate Cyber Security Awareness training packages can test your team like never before.
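The returner-handling steps above (intercept devices coming back after a long absence, rebuild them before they get full access, watch the network for them) can be turned into a simple check against your network join logs. The following is an added example, not Equate’s tooling: the log format, the hostnames other than Audrey’s and Colin’s, and the rebuild ledger are constructed for illustration.

```python
"""Flag laptops rejoining the corporate LAN after a long absence so they can be
held in a quarantine VLAN until they have been wiped and rebuilt.
Added example, not Equate's tooling; log format and rebuild ledger are constructed."""
from datetime import datetime, timedelta

# Constructed 802.1X/DHCP-style join events: "timestamp mac hostname"
JOIN_LOG = """\
2020-03-13T17:02:00 aa:bb:cc:00:00:01 LT-AUDREY
2020-03-13T17:05:00 aa:bb:cc:00:00:02 LT-COLIN
2021-08-30T08:15:00 aa:bb:cc:00:00:03 LT-PRIYA
2021-09-06T08:45:00 aa:bb:cc:00:00:01 LT-AUDREY
2021-09-06T08:47:00 aa:bb:cc:00:00:02 LT-COLIN
2021-09-06T09:00:00 aa:bb:cc:00:00:03 LT-PRIYA
"""

# Constructed ledger of devices IT has already wiped and rebuilt (mac -> rebuild date).
REBUILT = {"aa:bb:cc:00:00:02": datetime(2021, 9, 3)}

# Any gap longer than this between joins means the device was away from the LAN.
ABSENCE_LIMIT = timedelta(days=30)


def parse_joins(log):
    """Return a time-ordered list of (timestamp, mac, hostname) from the join log."""
    events = []
    for line in log.splitlines():
        ts, mac, host = line.split()
        events.append((datetime.fromisoformat(ts), mac.lower(), host))
    return sorted(events)


def returners(events, rebuilt=REBUILT, limit=ABSENCE_LIMIT):
    """Flag devices whose gap since their previous join exceeds `limit` and that
    were not rebuilt in the window between leaving the LAN and coming back."""
    last_seen, flagged = {}, {}
    for ts, mac, host in events:
        prev = last_seen.get(mac)
        if prev is not None and ts - prev > limit:
            rebuilt_on = rebuilt.get(mac)
            if rebuilt_on is None or not (prev < rebuilt_on <= ts):
                flagged[mac] = {"host": host, "away_days": (ts - prev).days, "returned": ts}
        last_seen[mac] = ts
    return flagged


def quarantine_decisions(log=JOIN_LOG):
    """Return {mac: 'quarantine' | 'allow'} for every device seen in the log."""
    events = parse_joins(log)
    flagged = returners(events)
    return {mac: ("quarantine" if mac in flagged else "allow") for _, mac, _ in events}
```

In the constructed data Audrey’s laptop was last on the LAN in March 2020 and has no rebuild record, so it is quarantined; Colin’s was rebuilt three days before it reappeared, and Priya’s was never away long enough to matter.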
But in good news, if you are fortunate and get through the next 24 months without incident, then you may be able to look at relaxing just a little bit.
As a parting shot, might I add that if you don’t think the risk is real, just ask Maersk how fast your world will go crazy when the bad guys get in.
Just search for ‘Maersk Ransomware’ on your favourite search engine to find out how the most prominent shipping conglomerate in the world lost £300 million in revenue alone.
[i] Based on a YouGov survey of approximately 8,500 people in the US, the UK, Mexico, Germany, Australia, Canada, and Japan in March 2021;
a Toluna survey of IT decision-makers in the same geographic locations in March 2021;
and the 2020 Cybersecurity Threat Landscape for Remote Workers as a Result of the COVID-19 Pandemic report from KuppingerCole, conducted in March 2021.
[ii] National Cyber Security Centre – March 2021.