The pandemic was the most impactful accelerant of change in how we work. It forced organizations to enable most, if not all, employees to work from home. In the third year of the pandemic, businesses realized the shift to remote work is here to stay, as many settle into a hybrid framework that allows for flexibility in employee schedules.
Remote work is also the expectation of many workers, with many content never to return to the office. Thus, companies must evolve to remain competitive in recruitment and retention.
The adoption of remote work brings advantages and positive opportunities. However, there are also inherent cybersecurity risks. A distributed workforce increases the number of endpoints and, with it, the risk. So, what is the impact on security, and how can businesses successfully manage risk while providing accessible, cloud-based systems to staff?
The Cybersecurity Landscape After the Remote Work Acceleration
It’s important to understand what has happened in cybersecurity since the age of remote work began. There are several main themes.
First, cybercriminals have taken advantage of the pandemic. They’ve deployed phishing attacks and other scams relating to COVID-19. Second, they’ve attempted to infiltrate systems through the new endpoints created by employees working from home. Third, work-from-home technology itself became another vulnerability to exploit.
Here are some stats to illustrate the landscape.
Phishing and Other Scams Explode
In January 2022, fraudsters registered over 600 suspicious domains associated with the free COVID-19 tests provided by the government. However, the start of these scams goes back to early 2020. Google reported blocking over 100 million phishing attacks a day in April 2020.
Worker Actions Make Companies Vulnerable
One-fifth of companies reported a security breach from a remote worker’s actions. The same study found that 28% of IT leaders admitted using personal devices more than work-issued devices for work-related activities, creating new opportunities for cyber-attacks. Employees also eschewed cyber policies while at home. A cyber threats report discovered that 58% of CISOs (chief information security officers) said employees ignored guidelines and procedures.
More Remote Work Software Opened Up New Attacks
Many organizations rushed to provide tools for remote workers. They didn’t carry out the necessary vetting or configuration. It was a race to keep business moving. As a result, 45% of IT decision-makers confirmed they neglected to analyze the cybersecurity of remote work software tools. Another report confirmed this swift change, with 85% of CISOs saying they sacrificed cybersecurity in the race to get workers set up remotely.
The platforms themselves had cyber challenges as well. Zoom’s breach exposed half a million accounts that found their way to the dark web. Other remote access technology also had its share of attacks. Citrix attacks increased by 2,066%. Cisco experienced a 41% increase. VPN attacks spiked by 610%, and RDP (Remote Desktop Protocol) went up by 85%.
Ransomware Attacks Soared
Another pandemic cybersecurity trend was the increase in ransomware attacks. The volume increased 105% year-over-year (2020 vs. 2021) and is up 232% since 2019. Almost every industry felt these effects, with many losing data or facing substantial downtime and disruptions.
Company Responses to Cybersecurity and Remote Work
These numbers paint a picture of disruption, accelerated planning, and unfortunate consequences of remote work and cybersecurity. Many companies have responded, either after an attack or by being more proactive. Some of those policy and protocol changes included:
- Increased VPN capacity
- More web controls
- Using multifactor authentication (MFA)
- Requiring employees to use Office 365
- Providing more and updated employee training on work-from-home cybersecurity
To facilitate these new practices and fortify infrastructure, companies increased cybersecurity spending. A study of IT budget leaders found that 44% expected to expand budgets in 2022. Gartner reported a 12.4% growth in 2021. For 2022, they estimated spending would hit $172 billion.
Additionally, a substantial perspective shift is occurring. A new Gartner study showed that 88% of boards regard cybersecurity as a business risk, not just a technical IT problem. That’s of considerable importance. Businesses that adapt to this notion may have a huge advantage in surviving and thriving in the remote work world.
Some key elements of how a company addresses, mitigates, and prevents cybersecurity incidents need reframing. These insights can enable your own adaptation to the new rules of work and security.
Reframing Cybersecurity in a Remote Work World
Your strategy, plans, and ideas about cybersecurity must evolve, not only because of remote work but also because of how cybercriminals have adapted to it. This reframing involves several steps, which are central to my book, The Smartest Person in the Room.
Cybersecurity Is Everyone’s Responsibility, but IT Needs to Take the Lead
As referenced above, enterprises are slowly coming around to the idea that cybersecurity isn’t solely an IT problem. All leaders and staff have to have this mentality to prevent cyber-attacks most effectively.
The reframing is that CISOs aren’t breach preventers but rather leaders in risk management. The pushback that many CISOs receive is the misconception that security impedes speed. It’s a myth that cybersecurity is counter to innovation. The shift in mindset should be that security enables agility and that being secure by design is the most appropriate approach.
When security is part of the conversation from the beginning, all stakeholders can benefit. That can apply to implementing new software, developing proprietary systems, or creating and maintaining your technology products for customers.
Debunking these falsehoods around security and making everyone accountable for it can improve your security posture, no matter where people work.
Cybersecurity Is Dynamic; Being Adaptable Is Critical
In just the past few years, we’ve witnessed just how adaptable cybersecurity is. That’s never going to change. Adaptation doesn’t relate only to the technology you use and how you deploy it. It’s also about your people, who are routinely the most challenging part.
As an IT leader or CISO, leading by example is instrumental in changing behaviors. If you can do this, your cyber experts will be better positioned to combat cyber-attacks. So, how do you drive this change in your people and the entire enterprise?
- Start with empathy in communication so that others see the realm of cybersecurity as gray rather than black and white, as many tend to.
- Work on soft and people skills, as they can facilitate adaptation more effectively.
- Talk about incidents in more than just technical terms. It’s important to understand why an incident occurred, but there’s more to it than just the facts. Tapping into reactions helps you understand motivations and, ultimately, behaviors.
- Urge everyone to be flexible thinkers. If you keep people in a box, they’ll stay there. Having the freedom to leave the box encourages innovation and creativity.
- Create a culture of learning. Since cybersecurity is so dynamic, what you learned yesterday might not apply tomorrow. Providing upskilling and education to IT and other departments ensures your organization isn’t living in the past in terms of cybersecurity.
Providing Remote Workers the Right Tools Without Sacrificing Security
In the rush to enable staff to work remotely, we know security was an afterthought. Many organizations cobbled together different technologies to make remote work possible. If you haven’t reassessed your tech stack based on what you’ve learned in the last two years, it’s time to do so.
Accessibility does not cancel out security. It’s possible to balance both. The new tech stack you build can help you achieve this. Putting more secure, stable, and integrated platforms in place for your staff is the first step. Next, your team needs to rethink guidance and protocols. This should be a collaborative discussion with your team. Again, this is a time to support seeing the threat landscape as gray rather than black and white.
Some may resist this new paradigm. You can work to change this, but not everyone is adaptable. If that’s the case, those people may no longer be the right fit for your organization’s future cybersecurity strategies.
When you have consensus and buy-in from your cyber specialists on the guidance for remote workers, share it with those workers in several ways. To help others embrace it, an all-hands meeting is a good option. Having some of your team present this information and explain why it’s crucial makes them part of the solution and thus more emotionally invested in your company’s cybersecurity efforts.
Continue to reinforce it with training that’s more than just off-the-shelf modules. You can create your own with the voices of your people as the instructors and presenters.
Is Your Organization Prepared for Remote Work Long-Term?
Enabling remote work and ensuring it’s successful and secure should be a strategic pillar for your company. It will require adaptation, reframing, and change. It won’t always be easy. There will be setbacks and hurdles, but it’s not impossible. Being a champion of this philosophy supports the business, your IT team, and all employees.
To take the first step and reset your cybersecurity ideas, get a copy of my book, The Smartest Person in the Room. Inside, you’ll find new inspiration for creating a strong and robust cybersecurity ecosystem.