Securing the post-COVID work environment
Over a matter of days in March this year, millions of people’s working environments changed utterly. Since then it has become clear that the global transformation triggered by COVID-19 is not going away any time soon. Businesses are now confronting a climate where employees are likely to spend significant portions of time working from office locations and remotely, posing unique challenges for information security professionals.
In a distributed-by-default environment, which techniques and strategies will protect organizations and employees? Which tools and systems are no longer fit for purpose, and what will the next essential security technology be? Management teams have faced unparalleled challenges so far in 2020, but businesses have now been battle-tested like never before.
Make no mistake: there are significant opportunities ahead for the organizations that adjust and pivot with confidence into new and different kinds of working patterns.
Confronting an expanded threat landscape
Since the spring, cyber criminals have moved just as fast as organizations in responding to the disruption caused by COVID-19. The threat level of many different attack types has increased since the beginning of the pandemic.
- Phishing, smishing and vishing attacks are growing in frequency and severity. Email remains a critical threat vector, but the level of trust in phone communications means that smishing and vishing – phishing attacks conducted through the SMS or voice channels – are being exploited by attackers in a COVID-19 context.
- Social engineering attacks and other types of fraud are also on the rise, including federal financial relief scams as well as organized crime gangs carrying out large-scale fraud against different state unemployment insurance offices. Business Email Compromise and ransomware scams are being specifically designed to maximise urgency and stress around COVID-19 itself.
- Vendor and supply chain vulnerabilities are especially risky when organizations are confronting significant operational disruption. Attackers have also focused attention on large Managed Service Providers (MSPs) as high-potential targets, with access to their customers being an additional incentive. Increased security diligence of third parties is recommended at this time.
- Nation-state system infiltration is a perennial risk and inevitably becomes a heightened threat in the lead-up to big political events.
As if this wasn’t enough, organizations have to contend with internal risks as well as external attacks. Thanks to COVID-19, enterprise perimeters are more porous than ever. In a hybrid working environment, for instance, employees may have to take sensitive documentation from the office to a less secure remote-working situation, or respond quickly to sensitive matters with one eye on events at home.
In a hybrid environment, management teams also have to contemplate the security gaps generated by people seeking more efficient ways of working when the technologies and facilities of the office are not available. Split tunneling, for example, is on the rise as users look to conduct some web activity through corporate VPNs while keeping other browsing private. In cases like these, employees simply optimising for speed and ease of use can inadvertently jeopardize an organization’s security. It is important to distinguish genuine malicious activity from honest endeavour and create guidance that appropriately deals with both circumstances.
When confronting potentially dangerous behavior that puts IP and data at risk, cybersecurity leaders should focus on education and enablement rather than creating restrictive rules that may only make it harder to get work done. As we’ll see, punitive enforcement can create just as many problems as it solves.
Empowering people at home and in the office
A theme of 2020 that resonates with many is the increased blurring of our personal and professional lives. Millions of people have lost the familiar sense of inhabiting their professional self once they finish their commute and get into the office. This has a tangible impact for organizations. Whether it is Bring Your Own Device policies at work, or employees accessing corporate mail on their own smartphones, companies are grappling with the consequences of people drawing fewer distinctions between work time and personal time.
Our workplaces will be far less reliant on face-to-face interaction, with virtual meetings and remote conferences becoming the norm for many businesses. Additionally, organizations have realised that they need to confront a newly digitised workplace. Management teams have responded by investing in new digital technologies, often deploying software at pace. These necessary operational decisions nonetheless dramatically expand the range of cyber risks to which organizations are exposed.
Some may feel that the best way to mitigate these threats is by robustly enforcing strict rules. In our view this is a non-starter. Creating cybersecurity policies is one thing, but enforcement should not be about religiously policing everyone’s activity across an enterprise. Instead, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) can inspire people to make good decisions by being, in effect, cyber storytellers. Identifying examples of best practices – and war stories where things go wrong – can underscore the role each member of staff plays in keeping an organization safe from malicious threats.
Over-communicating is better than under-communicating. Educating people as to how they can do rich, fulfilling work from a home environment as well as in the office will prepare workforces for a range of scenarios for the months and years ahead.
In Cybersecurity Awareness Month, the onus has been on each of us to #BeCyberAware. But employees who feel security is being done ‘to’ them, rather than ‘with’ them, are more likely to make bad decisions and put organizations at risk. Mass remote and hybrid working – regarded as a temporary band-aid back in March – is the new reality, and leaders resisting this are swimming against the tide. The risks associated with the ‘new normal’ can be mitigated, but only with empathetic and collaborative communication.