Facilities Management Journal March 2021

FMJ.CO.UK CYBERSECURITY FOCUS MARCH 2021 33 When the workforce moves to their home o ices, enterprises should provide them with all the working equipment needed. If that’s impossible, predetermined security policies governing the use of personal devices for work purposes should be implemented. One of the imperatives for workers should be constant patching of their devices. Hackers are constantly on the hunt for so ware vulnerabilities, whereas vendors are trying to fix those bugs as soon as possible. However, if the end users fail to update their devices, exposures remain, and all it takes is one click or an opened file for cyber criminals to gain access. With a compromised device they are able to reach sensitive data on the corporate network. Insecure infrastructure. Employees access data on company servers and the cloud using their insu iciently secured home networks. Even if enterprises demand sta to use virtual private networks (VPN) for a secure gateway, they are incapable of solving hardwarerelated issues. Consider Wi-Fi routers, for example: even if the connection is secured with a strong SSID password, the access to the router’s settings might be protected by a simple ‘admin’ parole alone. Also, domestic devices are usually protected by weaker protocols, such as WEP instead of WPA2/3, thus hackers can get their hands on the network tra ic easier. The shortest password allowed on WPA2 protocol is eight characters, yet it should be 14-15 characters long to defend the network against brute force guessing. Most devices come with predefined eightcharacter alphanumeric passwords which are easy to hack. Increased data-sharing. Working on-site, employees share important data over the intranet and other internal network structures. Now all the information travels through the public internet with malicious actors around, increasing the risk of exposure. Cyber criminals can utilise numerous weak spots that appear along the way from the end user to the company servers. Employees share most important (or even confidential) information through emails and phones without being aware of it, and this calls for a secure digital perimeter. Workers should be encouraged to use VPN services and share files only through secured channels. Many businesses now rely on cloud-based solutions; however, they should also be warned that hackers leveraged increasing remote workloads and performed 7.5 million external attacks on cloud accounts in Q2 of 2020. To mitigate the risks brought on by the increased online tra ic, enterprises should implement zero trust privileges. This means that a user is granted access privileges for one particular task and they last only for the time needed to complete it. Therefore, if hackers compromise the credentials, they wouldn’t do much harm as they could only access a small fraction of sensitive data. Susceptibility to social engineering. The 2020 Data Breach Investigations Report by Verizon finds that almost a third of the data breaches incorporated social engineering techniques. While antivirus so ware, firewalls or VPNs can take care of your infrastructure, they cannot be installed on the human brain and prevent social engineering attempts. Hackers forge emails from other institutions or impersonate colleagues (even the CEOs!) to get employees to open the corrupted file or click on a malicious link. At home, there’s no one to consult with and the load of digital information is bigger, thus people fall victim to these scams more frequently. Cyber criminals tend to trigger certain behaviours and emotions to encourage the victim to act: consider, for instance, ‘the urge’, which is characteristic of most social engineering methods. Complicated IT support. In o ices, the cybersecurity team and IT support are always at hand, so they can fix a problem immediately. Remote employees also require IT support, especially when considering the security measures, they should take. Yet logistical challenges prevent the IT team from always being present. In the event of data breach, it is harder to act immediately, as security experts cannot stop all cyber-attacks remotely. This can lead to devastating consequences. A report from Kaspersky on data breaches in the US shows that a data breach costs $28K if dealt with immediately, and $105K if undetected for more than a week. Some of the breaches might go unnoticed for a long time, with ransomware gathering a company’s data, or malware compromising internal networks. On the other hand, sometimes an ongoing attack can be indicated by newly appearing programs which were not deliberately installed by the user. In some cases, the computer slows down, strange pop-ups flood the screen, or the user loses control of the mouse or keyboard. If any of these signs appear, employees should immediately inform the security team. COVID-19 has set a new baseline for e ective and secure remote work and many cybersecurity leaders have adapted to a ‘new normal’. Now it’s time to involve each employee in building an organization’s digital resilience and creating business value. Even if a company plans to move back to the o ice as soon as possible, WFH policy should remain intact. The investments made in these turbulent times, and the lessons learned, will contribute to lasting cyber resilience. Both IT professionals and employees have had a final rehearsal in shi ing to the workplace of the future.