When we reflect on the past two years, we think of lockdown, restrictions, working from home, and the frustrations associated with balancing Zoom calls while having our children running around our makeshift office in the middle of the kitchen. We tend to forget the impact that working from home has caused on the larger cyber security space - both personally and within organisations.
We thought we were safe at home
Prior to 2020, working remotely was seen as a ‘luxury’. However, the change in circumstances resulted in the need for a transformation of the workspace. A change that resulted in a remote workforce or even the adoption of a hybrid working environment. Each of these factors, or working environments, have both pros and cons. A big con is that a remote working environment places an organisation in a vulnerable position. How does this happen? Well, let’s discuss this further.
According to Justina Sava, research conducted in 2021 found that enterprise companies in the United States of America had spent up to $178 billion on cloud infrastructure to protect organisations and employees against cyber attacks. As a result of the remote workforce, Microsoft Teams saw its daily active users rise to over 145 million worldwide during the initial period of 2021. Naturally, managers and executive management needed to monitor the performance of their workers while working remotely. This proved to be extremely difficult. Additionally, the disconnect between managers and their teams saw a spike in spearphishing activity between 2021 and 2022.
According to the FBI's Internet Crime Complaint Centre (IC3), the United States noted that spearphishing was the most prevalent of all cyber attacks in the US and resulted in 241 342 victims. This was followed by non-payment/non-delivery (108 869 victims), extortion (76 741 victims), personal data breach (45 330 victims), and identity theft (43 330 victims). The IC3 further discovered that most of these attacks were preventable, however, 81% of organisations around the world have experienced an increase in email phishing attacks since March 2020. Despite organisations' best efforts, almost one in five organisations only deliver phishing awareness training to their employees once per year. Yup - you read that right - one in five! This lack of awareness is a large contributor to the fact that phishing remains one of the larger threat types most likely to cause a data breach. According to Verizon’s 2021 DBIR, around 25% of all data breaches involve phishing and 85% of data breaches involve a human element.
It’s well known that human error accounts for the majority of the successful attempts of cyber attacks. However, and sorry to break it to you, that is not the only strike of attack. Business Email Compromise, or BEC, is on the rise. BEC saw an increase of 15% during Q2 and Q3 of 2021, and we’re increasingly seeing malicious data breaches being caused by stolen credentials, rather than the installation of malware. According to IBM, one in five companies that suffered a malicious data breach in 2021 was infiltrated due to lost or stolen credentials.
You may be asking yourself, “So what does this have to do with working from home?” And the answer to that is simple: It has everything to do with it and nothing at all.
Confusing right? Let’s unpack the reasoning behind this.
When working from home, employees are in a ‘safe and familiar’ environment and so naturally we let our guard down. We are more prone to opening attachments, giving our credentials to ‘our boss’, clicking on suspicious links, and multitasking (aka browsing social media). All of these not only play a role in the spike of successful cyber attacks in the past two years but highlight the flaws in organisational cyber security infrastructure and considerations.
Is it safe to return to the office?
There is a real risk when employees return to the office. There is no way to gauge what employees did on their company laptops when they were working remotely. With this being said, we are seeing that organisations are starting to invest heavily in cyber security measures (refer to the below graph). Due to the new cyber insurance policies, organisations need to enforce cyber security awareness training to prove their efforts to reduce risk.
Where do we go from here?
The only real way to protect your organisation is to educate, train and reinforce your first line of defence - your employees. In order to ensure that your organisation remains secure, it's wise to invest in employee training in order to develop a cyber-savvy workforce. It is not a matter of if, but when will your organisation be attacked. And when this happens, you’d want your employees to be ready, right? It’s important to do regular phishing campaigns and invest in cyber security awareness training. This keeps your employees up-to-date on the best password habits, what phishing is, and how to stop cyber criminals from exploiting and accessing company-sensitive information.
So, where do we go from here? We develop a cyber-savvy workforce!
Get in touch for more information: firstname.lastname@example.org