One of the strangest photos to emerge from the lockdown in March was the image that circulated on social media of people lined up outside their workplace with PCs and office chairs waiting for taxis to bring them home. Six months later, most of them are still at home, and some of the quick fixes that solved initial concerns around remote working, such as cybersecurity, are beginning to look less than fit for purpose.
Earlier this week, the Irish Computer Society published a report highlighting a major gap in Irish company boards' oversight of cyber resilience in their organisations. It called for immediate action to address this, with president of the society Prof Mike Hinchey saying: “The responsibility to address these concerns is enormous and the consequences of not doing so [are] potentially calamitous.
“Cyber risks affect us all – as individuals and in the organisations where we work. But in organisations, the consequences of a cyberattack can be far more serious in terms of the losses suffered, operations paralysed and reputation damaged.”
Singing from the same hymn sheet is Brendan Kiely, managing director and co-founder of Irish software security company, ThinScale. He says data breaches and information leaks have been happening a lot more while people have been working from home than anyone is owning up to.
“There was a certain level of chaos in March with companies trying to get people out of the building as fast as possible. This resulted in machines being taken out of the office network and, in some cases, not being properly tracked or updated since,” he says.
“The second thing we saw was a shortage of hardware, so people were told to use existing personal devices for work. The problem with this is that these devices may not have been ‘clean’ to begin with.
“There’s an assumption that if you have all of your security in the cloud or on your servers that you’re sorted,” Kiely says. “There’s also an assumption that, if you give someone a VPN [virtual private network] the connection is secure. The reality is that while the VPN is secure, the potential problem is access to that connection.
“Take the example of an employee living in a house with three other people. Your employee may not be the bad actor but someone else in the house may be and could gain access to the endpoint. You may think you have secured your employee’s endpoint at home but if they are using their own device they could have compromised its security months before.
“VPNs are one of the biggest security misconceptions as people erroneously think they can solve most security issues. Businesses must think of security in terms of the endpoint, not just their overall system.”
Cybercrime
The global policing body Interpol has repeatedly flagged concern about the rise in cybercrime since the pandemic began, with criminals taking advantage of people working from home to target organisations. There has been a spike in spam, phishing, malware incidents and malicious URLs.
The organisation’s secretary general, Jurgen Stock, has said: “The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.”
While most employers prefer to operate on trust, Kiely says organisations need to cover key security points to minimise risk. These include preventing employees using their own devices to cut and paste sensitive information, to download files on to memory sticks or access the internet while they’re working.
“If an employee has full access to the internet and they’re going on to other websites then that is a security concern,” he says. “We deal with a lot of BPOs [business process outsourcing] and contact centres whose entire business model centres around them safely handling clients’ sensitive data. Such companies can be targeted by individuals who deliberately get themselves hired to do things like harvest credit card numbers.
“We’re aware of organisations that have experienced this type of security breach so companies really need to ensure that if an employee is using their own device they have no access to it in a personal context while they are working.”
ThinScale was set up in 2013 and fortuitously launched its second product, Secure Remote Worker, with perfect timing to benefit from the pandemic. The company’s focus is creating cyber-safe environments for remote working and the majority of its clients are large entities and multinationals involved in BPO.
The company has seen a dramatic rise in revenues (up by more than 200 per cent) since the lockdown began and employment is set to double to 60 within the next year.
Kiely says it is highly likely that companies have already had security issues during lockdown and he believes the ensuing problems should be aired, not covered up.
“I think organisations need to be open with their teams when mistakes have been made so everyone can learn from them,” he says.
“Employees need to be talked through the issues that have arisen and they need to know the impact of their unwise action on the business and its customers. In turn, companies need to provide the necessary training for people and to heighten their awareness so that they think twice before they click on a link or open a file.”