For most organizations, the return to office-based work comes as a relief. Millions of employees who worked remotely under work-from-home orders have resumed full-time office work or a hybrid setup. In addition, with the availability of vaccines, COVID-19 infections have fallen significantly. Despite this, 45% of full-time employees in the US continue working remotely, while a Microsoft survey indicates that most workers prefer to continue with flexible work arrangements.
Additionally, most IT leaders consider the traditional 9-5 office work routine to be in the past. A 2020 report on the future of hybrid working revealed that 3 out of 4 employees believe hybrid or remote work to be the future of work. The hybrid approach enables workers to choose whether to work from the office, from a remote location, or some mix of both. The survey results showed that only 11% of workers want to continue working from the office exclusively. As a result, many companies have adopted, or will soon adopt, hybrid and remote working strategies.
Most post-pandemic workplace environments will be a hybrid model, combining the old office-based methods with remote working. With this acceleration of a permanent shift in work, remote and hybrid work comes with heightened cybersecurity risks. Cloud technologies, including SaaS apps and services, provide the flexibility to work remotely anytime from anywhere but still allow employees to go to the office when necessary.
Despite the benefits of a hybrid work model, a survey from Tessian of 4,000 employees and 200 IT professionals revealed telling cybersecurity findings regarding hybrid and remote working methods:
Cybersecurity teams must identify innovative ways of supporting a changing and complex mix of remote, hybrid, and office-based working strategies. With employees increasingly using both company-issued and personal devices for work, hackers continue to exploit the resulting security flaws. Poor cybersecurity controls, insecure remote access to company apps and data, and a sudden shift to less secure home networks are just some of the exploitable security loopholes keeping IT departments awake. For example, consider the following security statistics:
Many companies have indicated a willingness to embrace a hybrid work model as it improves productivity and has become an expectation for many workers. Nevertheless, the COVID-19 pandemic has shown that cyber adversaries are ready to exploit any vulnerabilities. The FBI reported a 400% increase in cybersecurity complaints as it recorded at least 4,000 daily reports at the onset of the pandemic.
A survey by Check Point revealed that 61% of cybersecurity professionals were worried about the cybersecurity risks that resulted from rapidly enabling remote working. In the same survey, 55% of IT professionals expressed the need to improve cybersecurity approaches when allowing remote access to critical assets. In addition, 49% of respondents were also concerned regarding the need to scale endpoint security amid the increased use of IoT devices in remote working arrangements.
While remote and hybrid working methods provide employees with increased autonomy, they also increase the risk of workers permitting other people to access their work-issued devices. Unauthorized individuals may gain access to protected business information, compromising its confidentiality and integrity. Moreover, untrained individuals may use the same devices to access insecure websites or download pirated, malicious software applications. Such practices increase the possibility of infecting company-issued devices with malware and transferring it to secured servers and corporate networks.
The 2021 HP Wolf Blurred Lines and Blindspots Report echoes some cybersecurity concerns resulting from remote working options. For example, the report found that 70% of surveyed office employees indicated they had used work-issued devices for other personal activities, while 69% admitted using personal devices for work reasons. Additionally, the report revealed that 30% of employees working remotely allowed other individuals to access and use their work-issued devices.
Due to these and other cybersecurity behaviors, hackers are increasingly targeting remote and hybrid working employees. For example, KuppingerCole, an international analyst firm, notes a 238% rise in global cyberattack cases throughout the pandemic. Joanna Burkey, HP Inc.'s Chief Security Officer, states that "as the lines between work and home have blurred, security risks have soared and everyday actions such as opening an attachment can have serious consequences." So what does this mean for cybersecurity with more organizations looking to transition to hybrid and remote working methods? It means IT security teams, with limited resources due to the pandemic, will be working with a clouded vision to access internal networks and sensitive information.
Ransomware attacks have made headline news recently due to the numerous attacks recorded in the US alone. For example, a ransomware attack that targeted Colonial Gas caused major gasoline supply disruptions in many areas of the US for several days. Furthermore, SafeAtLast predicts that ransomware attacks in the US will occur every 11 seconds in 2021, and companies are expected to pay a $233,217 average ransom, costing businesses worldwide more than $20 billion.
Although ransomware attacks have risen to new heights in recent months, hybrid and remote working arrangements will only make organizations more vulnerable to the attacks. Recorded Future, a cybersecurity firm, estimates there were at least 65,000 successful data breaches in 2020. Additionally, US Homeland Security Secretary Alejandro Mayorkas estimated that $350 million was lost to ransomware gangs in ransom payments.
Cybercriminals use more sophisticated tactics to target companies with ransomware attacks by targeting a less secure remote or hybrid workforce. Such methods include using themed phishing emails to trick remote workers into delivering ransomware malware. Moreover, Tech Republic identifies other enablers of ransomware attacks, among them being poor remote or hybrid work security training practices and the use of weak passwords.
Implementing a hybrid work model brings numerous risks for cybersecurity chiefs, requiring organizations to rethink their network security approaches. For example, employee security training designed for office setups focuses on reporting filtered spam emails and threats. However, the training may not be appropriate in hybrid models where remote workers are responsible for identifying and stopping possible cyber threats. In the words of Tim Sadler, Tessian CEO, "it's insane that we have basically said that we are going to train people to filter phishing emails. We didn't train people to filter spam emails; we just invented spam filters to take the problem away." Therefore, a poorly trained hybrid workforce will be a cybersecurity challenge for most organizations and may expose them to multiple security threats.
Furthermore, the primary challenge of hybrid and remote working options is that they simplify a hacker's ability to breach external defenses. The threat can be attributed to employees failing to follow good cybersecurity hygiene practices and maintaining vigilance when accessing sensitive resources remotely. Also, since most traditional security tools are designed to keep malicious actors out, it becomes difficult to stop them once they compromise a network.
Due to this increased risk and the need to change approaches to human security practices in remote work environments, SANS has created resources (guide and deployment kit) to guide organizations in making the proper changes to their cybersecurity training practices.
The lines between home work and office work are blurring or disappearing. It's easy for remote workers to be lax about robust cybersecurity practices, such as protecting devices used to access sensitive information and critical IT resources. A recent survey found that more than half had connected personal and work devices to public Wi-Fi. Public wireless networks are open to everyone, including hackers. As such, most IT leaders consider public Wi-Fi to be insecure and to carry high security risks, such as interception of sensitive information and eavesdropping attacks. Moreover, attackers can infect devices connected to public networks with malware like ransomware or spyware. In this case, with organizations shifting to hybrid work models, employees can potentially expose themselves to attacks by failing to protect their personal and work-issued devices adequately.
In addition, a 2021 AT&T Inc. survey revealed that more than half of the involved 3,000 workers had used their work-issued devices for personal reasons. These included downloading third-party applications, online banking, accessing insecure websites, and connecting to smart home devices that may contain inherent vulnerabilities. Using work devices for personal activities and connecting to a company network may provide hackers with access to an otherwise secure network. Also, they may spread malware infections that may compromise data integrity, availability, and confidentiality.
Companies depend heavily on infrastructure like cloud technologies to enable employees to work remotely. Cloud adoption also permits enterprises to leverage tools that facilitate remote connectivity, such as VPNs. However, since the early days of the coronavirus pandemic, cyber-attacks targeting cloud services have increased by over 600%. Also, cybercriminals have focused their attention more on exploiting security flaws in VPN gateways. Brute-force attacks targeting the Windows Remote Desktop Protocol (RDP) increased sharply, with security researchers recording at least 377.5 million attacks as of February 2021. On the same note, ESET reported that RDP attacks increased by 140% in the third quarter of 2020.
This implies that as companies register a heavy adoption of remote work infrastructure to enable remote working, they will draw more threats and attacks. For example, some of the concerns surrounding cloud services include unpatched vulnerabilities and inaccurate user configurations of SaaS products. Additionally, hybrid workers may share their login credentials with unwanted parties enabling malicious actors to access sensitive work information.
As a result, 41% of organizations that participated in a poll by the Cloud Industry Forum hold that working from an office ensures more security than remote or hybrid working. On the other hand, hybrid workplaces may see the data transmitted between remote workers, office-based employees, and cloud servers increase significantly and attract more cyber adversaries.
With remote or hybrid work, the types of communications that people expect have changed. In the past, announcements about new policies or org-wide changes were done in-person at an all-hands meeting. Today, it’s common for these to go out over Slack or other internal communication channels. Attackers know this, and they’re using this change in behavior to attempt social engineering attacks. Some of the most successful phishing attacks today put employees into scenarios such as announcements for remote work policy changes or the attacks leverage the fact that not all employees have met in person.
One of the benefits of office-based work arrangements is that the physical offices of most organizations contain the requisite physical controls for managing access to and disposal of sensitive data. For example, office shredders can assist in destroying sensitive data in physical form to prevent tailgating attacks. However, companies may miss some of the physical safeguards essential in preventing unauthorized access to physical assets in a hybrid work environment. Also, remote workers' inability to monitor virtual workspaces means employees may hold onto for longer periods, which is a liability and high-risk practice.
The zero-trust security model is one of the most recommended approaches for securing hybrid work environments. The model is based on the principle that no single device or user should be trusted to connect to a network or service without authentication and verification. IT departments of companies embracing remote working arrangements can use the zero trust model to authenticate individual devices and users before allowing them to connect to corporate networks.
According to John Shier, Sophos senior security adviser, "The nice thing about zero trust is that it builds security around the user in a way that should be transparent to them." Furthermore, zero-trust security enables companies to automatically detect abnormal behaviors, such as users accessing internal networks from untrusted devices, employees connecting from unusual locations, data access during odd hours, among others. Companies can reference the NIST SP 800-207 framework on building an efficient zero-trust architecture.
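The abnormal-behavior signals listed above (untrusted device, unusual location, odd hours) can feed a per-request access decision. The following is an added example, not code from any vendor or from NIST SP 800-207; the device inventory, country baselines, working hours, MFA age thresholds, and all names in it are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed inventory and baselines (assumptions for illustration only).
MANAGED_DEVICES = {"LT-0042", "LT-0077"}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}
WORK_HOURS = range(7, 20)  # 07:00-19:59, in the user's local time

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    when: datetime
    mfa_age_min: Optional[int]  # minutes since last MFA check, None = never

def risk_signals(req):
    """Return the abnormal-behaviour signals present in one request."""
    signals = []
    if req.device_id not in MANAGED_DEVICES:
        signals.append("untrusted_device")
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        signals.append("unusual_location")
    if req.when.hour not in WORK_HOURS:
        signals.append("odd_hours")
    return signals

def decide(req):
    """Evaluate every request on its own; network position grants nothing."""
    signals = risk_signals(req)
    if "untrusted_device" in signals:
        return "deny", signals
    # A risky context shortens how long a previous MFA check stays valid.
    max_age = 5 if signals else 480
    if req.mfa_age_min is None or req.mfa_age_min > max_age:
        return "step_up_mfa", signals
    return "allow", signals

# Constructed sample requests, not real log data.
SAMPLES = [
    AccessRequest("alice", "LT-0042", "US", datetime(2021, 6, 1, 10, 0), 30),
    AccessRequest("alice", "LT-0042", "US", datetime(2021, 6, 2, 2, 30), 30),
    AccessRequest("alice", "LT-0042", "RO", datetime(2021, 6, 2, 10, 0), 2),
    AccessRequest("bob", "HOME-PC", "CA", datetime(2021, 6, 2, 11, 0), 1),
    AccessRequest("alice", "LT-0077", "US", datetime(2021, 6, 3, 9, 0), None),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.device_id, *decide(r))
```

In this sketch an unmanaged device is always refused, while a location or time anomaly only forces a fresh MFA check, so a legitimate traveler or late worker is not locked out.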
Not surprisingly, the security awareness training programs for raising cybersecurity awareness in a traditional office setup are not adequate or even relevant for training remote or hybrid employees. As such, businesses must roll out training and awareness programs specifically tailored for remote or hybrid working approaches.
For example, SANS Awareness recently created and released a security awareness work-from-home deployment kit. It is a free training kit that describes step-by-step guidelines that rapidly enable companies to implement a training and awareness program for remote workers. The essence of using a remote work-focused training kit is that it provides the resources and materials required to adequately secure remote working infrastructure from modern threats and employee mistakes.
In addition, companies offer their own security guides for users of their software. This is particularly valuable for services that are used for remote work. Below are examples of security guides for software and services used for remote work:
In addition to providing employees with new security awareness content specific to remote or hybrid work, the method of delivering that training needs to change. Lunch-and-learns, even when done over video or Zoom, are not the same as in-person settings. Employees can't be expected to be engaged for an hour over Zoom.
In a remote work environment, where the place of work is new and often out of context with the mindset of work, employees need continual engagement to promote security and privacy thinking. This can be accomplished with continual, digestible (30-120 second) content targeted at very specific risks, workflows, and best practices.
Hybrid or remote work leaves most organizations exposed to multiple cybersecurity threats, among them password theft. With an increased reliance on SaaS services (see next section), this threat is compounded. It is imperative for companies to implement multifactor authentication (MFA) technologies whenever possible. MFA is one of the lowest-effort, highest-value things you can do to secure your SaaS services, company data, and employee accounts.
MFA requires a user to provide multiple authentication items to verify their identity and access privileges. For example, after providing a correct username and password, MFA schemes require users to provide additional items, including biometrics like fingerprints or a verification code sent to a device accessible only to the user. Malicious actors with unauthorized access to login credentials cannot access protected resources and data remotely unless they provide the necessary additional MFA authentication items.
Cloud-based technologies, such as SaaS services (Slack, Zoom, Salesforce, Notion, Atlassian, etc.), are the heart of hybrid or remote working. Therefore, it is not surprising that attacks targeting cloud services have increased two-fold since enterprises began shifting to remote working en masse. As a result, companies must scale cloud security offerings to attain complete visibility of all endpoints, SaaS apps, workflows, data flows, and user activities.
In order to effectively combat the increased threats to SaaS services and workflows, companies with hybrid or remote working arrangements should scale cloud security to focus on protecting SaaS services like:
With employees increasingly using both company-issued and personal devices for work reasons, and those same employees working in new settings outside the traditional office, attackers continue to exploit the new security posture. Cybersecurity teams must identify innovative ways of supporting a changing and complex mix of remote, hybrid, and office-based working strategies. Cybersecurity experts must be vigilant in identifying new vulnerabilities to protect their organization's data from new and emerging cyberattacks. They also need to support an employee's need for flexibility without compromising security. The result will be more productive organizations capable of delivering world-class experiences while maintaining high levels of confidentiality and integrity of all data.