The Future of Cybersecurity: The Hybrid Workforce Is Up Against a Much Larger Threat Vector
As cybercrime spikes along with higher work-from-home staff levels, companies need to step up security.
May 23, 2022
By Vinod Paul
Vinod Paul
Cybersecurity has shifted beyond being a recommended best practice; it’s quickly becoming a legal requirement for organizations across industries. The Securities and Exchange Commission has recently proposed a series of new cybersecurity compliance, reporting and disclosure rules for the investment management industry, which can be reviewed here.
As the hybrid workforce continues to carve a place for itself in the corporate world, the attack surface for cyberthreats has gained ground with equal fervor. Threat actors are quicker than ever in exploiting whatever vulnerabilities they can grab. And with recent data from Microsoft showing that 81% of enterprise organizations have begun the move toward a hybrid workplace, with 31% of those surveyed already fully adopted, cyber criminals have a whole new plane of opportunities at their disposal.
According to the FBI, there’s been a 300% increase in cybercrimes since the beginning of COVID-19. To keep up with the ever-evolving cyber dangers, organizations are applying various security controls to strengthen their security perimeters.
To make matters more pressing, following the Russian attack on Ukraine, the CISA has recommended that U.S. organizations apply “Shields Up” heightened security precautions due to the high probability that we will continue seeing cyberattacks against Ukrainian allied governments and interests. While there have yet to be any credible attacks on the United States, CISA predicts it’s only a matter of time before adversaries leverage cyberattacks.
Cybersecurity Tips
What’s the solution? Here are some cybersecurity tips at both the enterprise and employee level.
What Your Company Should Do:
Implement a model cybersecurity program. This also includes regular cyber training and security awareness updates, which will not only help employees adopt best practices in their day-to-day activities such as good password hygiene and management, privacy settings, end-user verification, and more, but will also help them learn how to identify dangerous and potentially costly scams. For example, some of the most nefarious threat attacks cleverly leverage social media to attack a firm via phishing. A routine cyber test in this regard could help identify employees that need additional training.
Adopt a “zero trust” strategy. This strategy follows a “never trust, always verify” approach. Organizations can no longer just rely on network firewalls and VPNs to isolate and restrict access in a workforce that operates beyond traditional network boundaries, especially when using cloud-based services.
Deploy multifactor authentication (MFA). MFA can help weed out threats by requiring an additional layer of end-user verification across various employee activities, including remote and administrative access.
Prioritize vulnerability management: Traditional patch management cycles are creating too large of a window for potential threats. Modern, risk-based vulnerability management tools include prioritizing vulnerabilities on reducing the biggest risks to your business to address any new or known exploited vulnerabilities via the CISA.
Protect personally identifiable information (PII). Use a secure file transfer system to encrypt PII such as Social Security numbers, bank account number, or email address combined with the password or security question and answer and only allows the authorized recipient to access it.
Know where your data is. Your data may be “in the cloud,” but the importance of knowing exactly where your data is stored and where it travels to cannot be overstated. It’s critical to “gate” data from leaking outside of a corporate infrastructure, whether this be cloud or physical service based.
Approach cybersecurity risk management with layers. There is a misconception that deploying one technology stack or set of tools puts firms in a better cybersecurity posture. The best defensive strategy leverages technologies and services that augment and complement a cybersecurity program designed to protect a firm’s data within the new hybrid workforce.
What Employees Should Do:
(continued on next page)
A 2020 report found that 88% of data breaches are caused by human error, and 43% of people have made mistakes at work that could compromise cybersecurity.
Use a complex password in conjunction with a user verification policy. Include both upper and lowercase letters, numerals, special characters, and make sure the password is at least 10 to 11 characters long. Most importantly, understand that the strongest passwords can still be compromised, and leveraging two-factor or multi-factor authentication will further protect an organization ’s distributed workforce.
Never connect to public Wi-Fi on work devices. There is no scenario in which you should connect any devices — work or personal — to a public Wi-Fi network. If you have to get work done in a public space, use a VPN to create a secure connection to a trusted network, which will shield your browsing activity from prying eyes and potential threats.
Lock computers and devices. Lock the screens on any work computers and other devices when away from your desk or when not in use to prevent unauthorized access.
Apply privacy settings on personal social media accounts. When it comes to Facebook, Twitter, etc., make sure your contacts can only see limited personal information. This will reduce the effectiveness of spear-phishing attacks.
Do not leverage corporate/business computers for personal use. Employees can inadvertently cause a breach when using a company computer for personal needs. Whether it be for streaming videos, doing the kids’ homework, or just surfing the web, understand your responsibilities to the company when leveraging company issued equipment.
Do not store personal files on work-issued equipment. Every security expert will agree that storing your personal files risks opening the threat vector for the employer. Often, personal files have not been scanned for malicious content and may compromise data security and/or introduce new threats into the environment.
Report all lost or stolen devices, or if you suspect a cybersecurity issue. Communication is the first priority when dealing with a possible cybersecurity event. The quicker your employer can react to a cybersecurity incident, the better their chances of minimizing any potential damage. You can be part of helping to secure your firm from a larger threat event.
Centralize Security in a Decentralized World
Digital acceleration and global distributed workforces will continue to drive shifts across the cybersecurity threat landscape, but the power to fight back lies at the local level just as much as it lies in new cloud technologies. Organizations can empower their professionals by correlating security training and standards within a larger, model cybersecurity program, and by instilling best practices that continue to keep their first defenses resilient.
Vinod Paul brings over 20 years of in-depth financial services and technology experience to his role as Align‘s chief operating officer. His responsibilities include the oversight and strategic development of Align’s managed services offerings, including Align Cybersecurity, the company’s comprehensive cybersecurity risk management solution. He serves on the Forbes Technology Council. You may follow him on LinkedIn or @alignitadvisor on Twitter.
You May Also Like