Today’s office looks very different to how it did only a few years ago. While trends in hybrid and remote working were starting to emerge prior to the pandemic, they have accelerated as a result and are now firmly embedded in the way many businesses work.
It is no coincidence that cybersecurity incidents are also on the rise. Between 2020 and 2021, the average number of cyberattacks and data breaches increased by 15.1%, with 2021 seeing the highest average cost of a data breach in 17 years. The shift to remote work has had a direct impact on the cost of data breaches too, with the average cost $1.07m higher where remote work was a factor in causing it.
In line with this, companies are increasingly reassessing their cybersecurity and making changes to minimise the risks that come with working remotely. According to research from Kaspersky, 85% of IT decision-makers expect their cybersecurity budgets to increase by up to 50% this year, with small and medium-sized businesses seeing it as a particular priority. Almost one-fifth of SMEs (19%) say their organisation will increase their cybersecurity budgets by 6-10% in the next year, compared to 12% of mid-market businesses and 11% of enterprise businesses.
If you’re reading this, there’s a good chance you’re thinking about how to better protect your business and team in this new world of work. Our ultimate guide to cybersecurity when working from home will tell you everything you need to know about the security risks of remote working, some of the steps you can take to safeguard your privacy and data, and what to do if something goes wrong.
Security risks of working from home
A combination of new technologies and software, increasingly sophisticated hackers and a rise in coronavirus-related scams is presenting new challenges for IT departments working remotely, all over the world. We know that the majority (95%) of cybersecurity incidents are a result of human error, and so a new level of vigilance is needed to reduce the chances of a cyberattack being successful.
Before we think about our defence, let’s first take a look at some of the most common cybersecurity threats.
Phishing
With roughly 15 billion spam emails sent every day and 30% of phishing emails opened, it may come as no surprise that phishing is one of the biggest cyberthreats businesses face. In fact, it costs large organisations an eye-watering $15m every year (about £12,800), which equates to more than $1,500 per employee.
Most attacks of this kind happen by email, usually involving the fraudster registering a fake domain that mimics a real organisation and then sending multiple generic requests. This could be disguised as a business asking employees to click on a link to update their password within a given timeframe, or a fake notice from an internet provider concerning “unusual sign-in activity”.
In 2021, more than 80% of organisations experienced at least one successful email-based phishing attack – 46% higher than in 2020. There are two particularly sophisticated types of email phishing: spear and whaling. While spear phishing relates to malicious emails sent to a specific person at a company, whaling takes targeting to the next level and is usually directed at senior executives, encouraging them to take a secondary action such as transferring money.
Smishing and vishing
These are two further types of phishing that are becoming more common. Smishing, also known as “SMS phishing”, is a phishing attack carried out over text message, while vishing, “voice phishing”, takes place over the phone or voicemail.
Similar to the traditional email-based approach, both cases usually involve a fraudster pretending to be a reputable company in order to obtain sensitive information, and both have experienced exponential growth amid the pandemic.
Smishing attacks increased by a staggering 700% in the first two quarters of 2021, with tax scams the most common type and hackers increasingly using fake two-factor authentication messages to steal confidential information. Vishing attacks, meanwhile, more than quintupled (+554%) over the course of 2021, with job scams and tech support scams contributing to 9.4% and 1.4% of reports, respectively.
Remote access trojan
Remote access trojans, also aptly known as RATs, started gaining popularity in the early 2000s. A RAT is a type of malware programme – often disguised as legitimate software – that works by trying to force VPN credentials to gain access to a company network. They are usually delivered as an attachment or link; when the user clicks on it, the malware is downloaded to their device.
Once a device is infected, the hacker gains full access to it and is able to do almost anything. This includes controlling the user’s mouse and keyboard, monitoring behaviour, accessing confidential information and distributing viruses. RATs can attack home routers, too, which is one of the main reasons why they present such a risk for remote working.
Unsecured network connection
An unsecured network connection is one of the easiest ways for somebody to access an employee’s home network, or target them via an unsecured public network such as a coffee shop. This is when there is no login or password required to access a network, meaning anyone can access it. Logging on to an unsecured network is especially risky for remote working given all the readily available network detection software that hackers can use to see surrounding WiFi networks.
And while most home routers are set up to be secure, if they are not updated regularly or do not have a sufficient firewall in place, then they become particularly susceptible to security issues and data breaches.
Creating a secure remote working environment
While cyberattacks are becoming more sophisticated, there are a number of simple steps you can take to protect your workforce and IT systems from them. Some may seem more obvious than others, but they all have an equally important role to play in boosting security when working remotely.
Use strong passwords and multi-factor authentication
We did say some may seem more obvious than others, but having strong passwords for all devices is an absolute imperative for any business that has a remote workforce. As per the National Cyber Security Centre’s (NCSC) advice, all passwords should be at least 12 characters in length, use random and unrelated words, use words from different languages and use a combination of random numbers and special characters throughout the passphrase. Avoid using common phrases or quotes, abbreviations associated with your organisation or industry, and absolutely do not use personal words such as a pet’s name or your mother’s maiden name.
That being said, even the most random and complex passwords can be hacked, so enabling multi-factor authentication (MFA) is a great way to add an extra layer of security. MFA requires somebody to present two or more additional pieces of information to prove their identity, which might be a one-time password (OTP) sent via a text or email, or a biometric verification such as a fingerprint.
Encrypt your data
Given the amount of sensitive information being shared over email, instant messengers and the cloud, it is crucially important to make sure it does not fall into the wrong hands. Data encryption works by translating the data held in emails, documents and other files from everyday language into another form or code, so that only people with access to the correct decryption key or password can read it.
There are two types of encryption: symmetric and asymmetric. Symmetric encryption is when you use the same key for encryption and decryption. Asymmetric encryption is when a different key is used for the encryption and decryption process. The Information Commissioner’s Office (ICO) has a couple of great images which show how each of these work in an easy-to-understand way.
Set up a VPN
A VPN is the safest way to access company data from home, offering the same level of security as if working in an office. VPNs use encryption to hide a person’s IP address which makes their online activities private, anonymous and virtually untraceable. This is done by redirecting internet traffic through a VPN server before it goes to a destination, which makes spying and tracking extremely difficult.
They are safe to use on public WiFi networks as well, which means employees can log into work systems securely and avoid using unsecured networks that make them vulnerable to hackers.
Install robust antivirus and antimalware software
Again, perhaps another obvious one, but we cannot emphasise enough how important it is to have robust antivirus and antimalware software installed on all devices – that includes mobile phones and tablets as well as laptops and desktop computers. Android is a particular target for cyberattacks, given its open-source nature, so it is important to consider the different platforms and systems your staff are using and to choose software according to their individual requirements.
We recommend taking a look at the NCSC’s website for a list of platform-specific recommendations, which includes Android, iOS, Windows, macOS, Chrome OS and Linux. It also explains how to configure antivirus software and how it might interact with other defences your organisation deploys.
Learn the tell-tale signs of phishing
You might think you’ve read everything you need to know about phishing – perhaps you’ve even been a victim yourself and sworn to never fall for it again – but there’s never any harm in brushing up on your phishing email awareness. Especially as these kinds of attacks become more popular, harder to spot, and pose an even greater financial risk to companies of all sizes, across all sectors.
There are a few key ways to identify a phishing email from a genuine one, and the clue is often in the detail. Beyond keeping an eye out for strange email addresses, typos and suspicious-looking links and attachments, it is important to pay attention to the domain an email comes from too. Most businesses have their own email domain and very few will send emails from a public domain such as gmail.com. Even if they did, it would come from googlemail.com rather than gmail.com.
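As an added example (not code from the original post), here is a small Python check that applies the sender-domain advice above to From: headers: it flags public webmail senders, registered lookalike domains a character or two away from the organisation’s own, the real domain buried inside an unrelated one, and display names that claim the organisation while the address points elsewhere. The trusted domain example-corp.com and the sample headers are constructed for this example.

```python
from email.utils import parseaddr
from typing import List, Optional

# Constructed for this example: the domain the business really sends from, and
# public webmail domains a business would not normally use for official mail.
TRUSTED_DOMAINS = {"example-corp.com"}
PUBLIC_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; small values flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> Optional[str]:
    """Lower-cased domain of the address in a From: header, or None if unparseable."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def assess_sender(from_header: str) -> List[str]:
    """Return the red flags found in a From: header; an empty list means none."""
    display_name = parseaddr(from_header)[0].lower()
    domain = sender_domain(from_header)
    if domain is None:
        return ["no parseable address in From header"]
    # Mail from the organisation's own domain (or a subdomain of it) is not flagged.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []
    flags = []
    if domain in PUBLIC_WEBMAIL:
        flags.append(f"public webmail domain: {domain}")
    for trusted in TRUSTED_DOMAINS:
        # examp1e-corp.com: a registered lookalike one or two characters away.
        if levenshtein(domain, trusted) <= 2:
            flags.append(f"lookalike of {trusted}: {domain}")
        # example-corp.com.login-verify.net: the real name buried inside another domain.
        elif trusted in domain:
            flags.append(f"{trusted} embedded in unrelated domain: {domain}")
        # "example-corp.com IT <it@mail-update.net>": name says one thing, address another.
        if trusted in display_name:
            flags.append(f"display name mentions {trusted} but address is {domain}")
    return flags
```

Run `assess_sender("IT Support <helpdesk@examp1e-corp.com>")` to see the lookalike flag; a mail gateway rule or user-facing banner can be driven from the same list.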
What to do if you think your security has been breached
In any case where you think a cyberattack has taken place, it is important to act quickly to try and contain the breach. The sooner you act, the better you can mitigate the risks. Some immediate actions you can take include: disconnecting your internet, disabling remote working and changing your password.
You will then need to think about whether the breach poses a risk to people. If there is a personal data breach – this means a breach of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” – businesses are required by law to notify their relevant supervisory authority within 72 hours.
Remember, under the General Data Protection Regulation (GDPR) it is a business’s responsibility to prove it followed best practice and did everything in its power to mitigate the risk, and a failure to report a breach when required to do so could result in a hefty fine. You can take the ICO’s self-assessment to help you determine whether you need to report a breach.
Once you’ve taken all the necessary actions, you will probably want to think about what you can learn from the attack. How did it happen? What was the impact? How well did you respond to the situation and what could be improved in future? You may decide that you need to update your systems to better protect you from any potential future attacks, or implement new processes to improve how you manage them. The ICO has a couple of checklists that should help you with this too.
Cyber Essentials accreditation
The Government-sponsored Cyber Essentials accreditation is another way for businesses to guard themselves against the most common cyber threats and make their security processes and governance more transparent. There are two levels of certification to choose from: a self-assessment that shows you how to address the basics, and one that involves a hands-on technical verification.
If you’re not sure if you meet the requirements, the NCSC has created a ‘Cyber Essentials readiness toolkit’ to help companies create a personal action plan. This also includes specific guidance on how to do so.
The Cyber Essentials accreditation is something we encourage all of our clients to aim for. Not only does it demonstrate best practice, but it also gives that all-important peace of mind.
If you’re managing a lot of staff who are increasingly working from home and accessing systems remotely, you’ve come to the right place.
Whether you have any questions about improving the security of your remote working or if you need advice following a data breach, Dial A Geek’s team of experts can work with you to review your existing cyber security measures, identify any weaknesses and help you to deal with them effectively.