COVID-19 up-ended security management. For the first time, employees who worked mainly in the office now worked from home.
Those with sanctioned corporate devices, apps and networks were often in the minority. The rest used whatever means they could to stay connected and do their job.
This meant security policies were strained to the limit. For their part, cyber-criminals smelled blood in the water. So many opportunities were too good to be missed.
A bigger target
Cyber-criminals saw that targeting work at home employees could reap a double reward.
For a start, they could steal personal information. Name, age and gender, along with tax file, insurance and Medicare numbers – all were targets. This data is valuable on the dark web.
In addition, stealing sign-in details for corporate systems would provide rich dividends. At the least, it would open the door to theft of intellectual property. In a worst-case scenario, it could lead to business disruption and ransom demands.
More points of entry
At home, many people use personal computers lacking basic precautions like a firewall and anti-virus software, often with unsecured Wi-Fi networks.
Few mobile phones are secured, and standard apps like email or IM present avenues of attack.
Mobile versions of video conferencing tools are also used without any defence against hacking. Zoom bombing is a great example of what can happen.
In fact, the sheer number of mobile apps increases the threat. People today use apps to manage everything from banking, to streaming, to controlling smart appliances.
The problem arises when these apps are allowed to talk to each other. If the app controlling a light is hacked, it can compromise other apps if they're linked.
Add social media and the risk increases. Cyber-criminals can find out who people are and where they work. Since passwords are often based on personal information like a birthday, they may guess them.
The boundary has moved
Traditionally, organisations focused on a strong perimeter defence. Networks were protected. BYOD policies secured personal devices on site. Access and identity controls were enforced.
With COVID that changed. Security personnel now had to deal with multiple employees who may not value security.
Compounding the problem was the diversity of the workforce and with it, different levels of tech literacy.
Regardless of their tech skills, all employees faced the challenges inherent in working from home. When life and work intermingle, distractions are everywhere. And when people are distracted, mistakes can be made.
Put your employees in the picture
To help ensure protection today, you have to convert your employees into security believers.
The first step is to make them aware of the risks involved both to the business and to themselves. Emphasise that the risks are serious.
Complement awareness with training to help employees adopt security conscious habits. Give them guidelines to safer working - a simple do and don't list will suffice. From making sure conferencing cameras are off, to having antivirus software, to helping them recognise phishing attacks.
Above all, you must motivate them. Security precautions are only effective if they are used.
Empathy is the key here. Be aware that you are dealing with individuals, and speak to them as such. Be friendly, encouraging and consistent. Most importantly, reinforce your messaging so that it is always top of mind.
Refocus your security teams
For their part, security teams need to re-evaluate the basics.
Is the network secure? Who is accessing it and from where? Are employees' access to documents and databases consistent with their role? Zero trust is the way to go.
Obviously, security policies have to be refreshed to reflect new realities. Equally important, you need to ensure those policies are executed properly.
Check to see your security tools have kept pace with change. And that triggers are set correctly to respond to new work habits. In fact, now is a good time to review your tools to see if they're what you really need.
It's essential to remember that good security is not just about policy and implementation. It also has to cover software development. If a problem occurs, you're not only open to attack, you also have to go back and rectify the issues. Security can't just be a tick in the box at the end; it's far better to have it baked in at the beginning.
Another key point is to strike the right balance between cohesion and coupling with your systems. Each system should be cohesive, with internal elements having tight interdependence. But no system should be too tightly coupled with others externally. Because if one is compromised, so is the next.
Take steps now
With so many moving parts in today's security environment, a holistic approach that covers, people, processes and technology is more vital than ever.
Help your employees be part of the solution, not part of the problem. Re-evaluate both your security and work processes to ensure loopholes are plugged. And make sure your tools are appropriate.
Working from home is here to stay. The sooner your organisation adapts, the better.