Cyberattacks are on the rise amid work from home – how to protect your business
by Michael Parent, Professor, Management Information Systems, Simon Fraser University
Organizations are more vulnerable to cyber-attacks as employees work from home
Experienced outdoor athletes know that with winter rapidly approaching, the secret to success lies in protecting the core. That is, the body’s core temperature through layering, wicking and a host of ever-improving technical fabrics that prevent the cold, snow and ice from affecting performance.
The same could be said for cybersecurity. With organizations and workers now in their ninth month of COVID-19, the time has come to prepare as the threat of cyberattacks becomes even more menacing.
Cybersecurity experts predict that in 2021, there will be a cyberattack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.
As the ongoing pandemic has a larger segment of the population working from home — with all of its attendant distractions — and the setting is ripe for exploitation. The humble home router has become the surface attack, and the harried, hurried, tired and stressed employee the target of choice. It’s no wonder that within months of the pandemic’s first lockdown, over 4,000 malicious COVID sites popped up on the internet.
The pandemic has forced organizations to innovate and adapt even more rapidly. Education, medicine, travel, retail and food services are but a few industries that have been radically transformed by COVID-19. Unfortunately, innovation and security rarely travel together.
What can organizations do to prepare then? It boils down to protecting the core: the people, processes and data that are the most critical to the organization.
People bring their personal habits, good and bad, into their professional lives. People who re-use passwords for different online shopping sites or use weak, easily remembered passwords (pets’ names, anyone?) tend to be similarly lax when creating or using enterprise passwords and databases. They have and will likely continue to click on phishing emails and engage (innocently or not) in potentially destructive practices.
For them, winterizing means ongoing formal training programs and monitoring to reduce the probability of accidental disclosures or malicious uploads. If they happen to be in sensitive positions, with access to confidential data, it means an extra layer of vigilance, and perhaps even restrictions and advanced tools like multi-factor authentication. For executives and directors, it means ensuring they are familiar and compliant with privacy and other regulations.
In sum, organizations need to spend even more time attending to its employees as they work remotely, not less.
That organizations should allocate resources into their priorities seems like an obvious statement. However, if the business model has completely shifted, have organizational processes led or lagged? Too often, in times of rapid change, processes lag, leaving ad hoc ones to emerge. Without identifying them, it’s hard to understand risks. Therefore, it is incumbent on an organization’s information technology (IT) department to constantly monitor, review and update procedures.
Shadow IT are applications or software used by an individual on a computer without the knowledge or approval of IT services, such as a game or a shopping browser extension. At best, nothing untoward happens. At worst, the unvetted software causes a system crash or enables surveillance software or malicious code to be uploaded.
Shadow IT might be unavoidable, especially as computers might be used by many people in the home for many reasons, known vulnerabilities can and should be monitored by the organization, and communicated clearly to all employees.
It might also mean that organizations provide protected and locked computers to home-bound employees that restricts them from installing software.
The final and most important area to protect is the organization’s data. Managers, executives and directors need to have a firm grasp on the data that the organization possesses, processes and passes on.
A recent study revealed that companies share confidential and sensitive information with over 500 third parties. The first step in protection is to conduct an inventory, and if necessary, parsing of these third parties.
Secondly, organizations need to keep abreast of industry benchmarks in cybersecurity, namely trends in the frequency, changing nature of and severity of attacks. They can then compare themselves and adjust resources accordingly. This includes keeping track of three key metrics: the time it takes to detect an attack, the time it takes to respond to it and the time it takes to resolve any damage.
Finally, conversations around cybersecurity need to go beyond the fatalistic discourses that characterize most discussions, especially during the dark days of winter. Like a warm coat, or winter tires, investments in cyber-resiliency can foster growth and positive performance.
Cyberattacks are on the rise. Like the athlete that dresses and prepares for the weather, organizations can be proactive in continuously strengthening people, processes and data.