Hackers are a constant source of cyberattacks targeting companies and other organizations. However, an even bigger source of hacks and breaches is negligent or careless employees.
After all, employees are the ones who click on links, set passwords, configure IT systems and write software code. And, unfortunately, employees without cybersecurity training can be prone to making errors and being manipulated by social engineering. Threat actors know this all too well.
This naturally raises the subject of the rapidly growing hybrid work trend and its weaknesses, as well as its strengths — a crucial point, given that the hybrid work model contributes to rising cyberattacks as ever more employees split their time between working in the office and remotely at home. Employees become a significant cybersecurity risk because remote workers are often not as well protected as workers on company premises.
This is unfortunate, and not merely because no security leaders want more cyberattacks and data breaches. The hybrid work environment came about as the COVID-19 pandemic evolved and sparked the creation of two simultaneous work environments for white-collar employees. Remote work was a requirement from the start because nobody wanted to be exposed to COVID-19 more than necessary. Still, working in the office some days also became popular. After all, in-person collaboration and the sharing of ideas has its advantages. Employees enjoyed their improved work-life balance and most managers were surprised to find that productivity didn’t fall off a cliff.
In some quarters, in fact, this development was regarded as “the best of both worlds” for management and employees alike.
Nonetheless, this isn’t good news in the cybersecurity world. Hybrid work will remain a headache until and unless organizations make a bigger effort to cope with the increased security risks.
Cybersecurity threats of hybrid work
Verizon’s 2021 Data Breach Investigations Report makes the issue abundantly clear. It found that an overwhelming majority of attacks now involve human error, as less secure remote workers spend more time online. A big problem, in particular, is credential stuffing, a type of cyberattack in which stolen account credentials — typically consisting of lists of usernames and/or email addresses and corresponding passwords — are used to gain unauthorized access to user accounts through large-scale automated login requests.
Security leaders know that credential stuffing is a significant problem, but many don’t stop to consider how much it spreads across attack patterns and sets the stage for many different types of data breaches, including spear phishing campaigns, ransomware attacks and the theft of the contents of a target mailbox.
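As an added illustration of what a defender looks for, not code from the article: a small Python detector that flags the credential-stuffing pattern described above in constructed login-log lines. The log format, IP addresses, account names and thresholds are all assumptions.

```python
# Added example (not from the article): flag credential-stuffing patterns in
# web-login logs. Stuffing looks like one source trying MANY distinct usernames
# with a high failure rate, unlike one user fumbling their own password.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ISO time> <ip> <user> <result>" format.
SAMPLE_LOG = """\
2021-06-01T09:00:01 203.0.113.7 alice LOGIN_FAIL
2021-06-01T09:00:02 203.0.113.7 bob LOGIN_FAIL
2021-06-01T09:00:02 203.0.113.7 carol LOGIN_FAIL
2021-06-01T09:00:03 203.0.113.7 dave LOGIN_FAIL
2021-06-01T09:00:03 203.0.113.7 erin LOGIN_OK
2021-06-01T09:00:04 203.0.113.7 frank LOGIN_FAIL
2021-06-01T09:05:00 198.51.100.2 alice LOGIN_FAIL
2021-06-01T09:05:07 198.51.100.2 alice LOGIN_FAIL
2021-06-01T09:05:15 198.51.100.2 alice LOGIN_OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: {"users", "attempts", "failures"}} for sources whose attempts
    within one sliding time window touch many accounts and mostly fail."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "attempts": len(win), "failures": fails}
                break  # first qualifying window is enough to raise an alert
    return flagged
```

The second source in the sample (one account, a couple of failures, then success) is left alone, which is the distinction between a stuffing campaign and a legitimate user mistyping a password.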
It may be hard to believe, but having even a small presence in the office can create a false sense of safety for many organizations. With some staffers now back on the office network, employees might take a more relaxed approach to security because the feeling of mutual responsibility can disappear. When everyone is remote and facing the same enemies, on the other hand, there tends to be a shared sense of increased vigilance, even though it’s only modestly effective.
The risks of working from home
Early in the pandemic, the primary cybersecurity issue was that home offices weren’t professionally managed. Among other things, this meant many systems on home networks didn’t get software patches regularly, leaving out-of-date software and the vulnerabilities that come with it. This remains an issue today, of course, but the biggest headache is now different — employees regularly coming into the corporate environment from their home networks with laptops and USB drives can unknowingly spread malware.
Home networks are typically shared with others in the house, such as children playing online games or spouses working from home, creating additional cyber risks. Some laptops and/or USB drives contain malware and infect the corporate network. Meanwhile, cyber professionals, already overwhelmed by a huge worker shortfall, have to spend additional time looking at more user behavior patterns to spot anomalies and detect threats, undermining other duties.
Something has to be done to mitigate these issues. The number of cybersecurity hacks and breaches has exploded since the advent of the COVID-19 pandemic. The FBI’s Internet Crime Complaint Center (IC3) has reported that its number of cybersecurity complaints has skyrocketed from roughly 1,000 complaints daily in early 2020 to between 3,000 and 4,000 today. So far, the FBI mostly blames this on tens of millions more Americans working from home. As the hybrid work environment continues to grow, however, the numbers are likely to get even worse. A study by McKinsey found that nearly 70 percent of companies have yet to communicate a hybrid workplace plan or put one in place.
What is to be done to mitigate this and related issues? Here are a few suggestions:
- Reconsider lax BYOD policies. A recent survey by Palo Alto Networks found that employees of organizations that allow increased BYOD usage are eight times more likely to ignore, circumvent or disable security than employees of companies that restrict BYOD. At minimum, organizations should mandate that BYOD devices have a strong security posture.
- Improve vendor risk assessment programs. Third-party vendors in general have turned out to be sizable security risks. If they don’t already exist, processes should be established to evaluate current and future vendor security capabilities and demand they be up to snuff. Requirements should include written information security policies and third-party audits and accreditations.
- Share the responsibility of security. Especially given the elevated risk of a hybrid work environment, effective security involves shared ownership across the organization, as well as the deployment of tools, controls and policies. It was never enough for only a few people within an organization to monitor cybersecurity threats. All IT professionals in the company should work in unison to ensure robust security practices are in place throughout the organization.
A security-oriented culture can help an organization minimize IT security risk among a dispersed workforce. While people are the weakest link in any cybersecurity program, they can also be its strongest defense.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.