March 29, 2021

Home working cybersecurity: A huge issue which has not been tackled

By Lewis Page

A new survey has highlighted the cybersecurity risks remote workers face in the new era of home working, against a constant background of breaches and attacks.

The survey, carried out for cloud provider Doherty Associates, covered 3,000 IT decision makers (ITDMs) and 2,000 general workforce members across companies in private equity, investment, asset management, insurance/underwriting and legal services. It was carried out in December 2020.

In the months since the survey was carried out there have been many high- and low-profile cyber attacks. Russian state-linked hackers breached SolarWinds network management technology, compromising thousands of companies and government offices. Different nation-state hackers, this time assessed as being Chinese-backed, developed methods of entering and taking over on-premises Microsoft Exchange Server kit, allowing the compromise of entire networks. Initially these exploits were used only against specially targeted organisations, but once details became public, cybercriminals sought to take over systems en masse, with the idea that later it would be possible to select the most valuable victim organisations from among those hacked.

Data breaches and intrusions can be damaging on many levels, as UK-based retailer FatFace has found in recent months. The Conti cybercriminal gang gained access to its systems in January, managing to steal much of the company’s data and encrypt its files. FatFace was forced to pay a $2m ransom to retrieve its own data, and to confess the data breach to the Information Commissioner’s Office (ICO), the UK data regulator – as it was obliged to do under the General Data Protection Regulation (GDPR), the data rules adopted both by the EU and Brexit Britain. As if this wasn’t enough, the retailer inflicted even more reputational damage on itself by dragging its feet for months before informing customers that their information had been compromised, and unwisely attempting to make them keep the fact of the breach quiet.

The Conti gang, like others, is known to attack companies and public-sector organisations across many business sectors, and it’s clear that the financial and legal firms covered by the Doherty survey would be tempting targets for cybercriminals due to the considerable sums of money they handle and the highly confidential nature of much of their data. The survey makes it clear that ITDMs have to juggle competing realities in the workplaces of today and tomorrow.

For instance, there’s the long-running struggle between security and usability, which often manifests itself in very strict management of company-owned end user devices such as laptops. It’s rare nowadays for users to have admin privileges on such devices, meaning that they can’t add software. Other functions may be locked out or down, and it’s not uncommon for people to find a work device unusable for their personal activities. This typically means that they will have another computer of their own. This machine is likely to be preferred by the user and may well wind up being the primary device used for work, rather than the company-supplied one.

Fully 85% of the non-IT workforce in the Doherty survey said they had done work on personal devices, and 57% said they had saved corporate data to non-corporate devices or cloud systems. It’s possible to prevent such practices by blocking personal devices from company systems, but understandably there seemed to be little appetite for such a practice among ITDMs, or at any rate among their users: only 15% had used such policies.

There are plenty of methods which can allow people to use personal devices yet still keep company data safe. Some company systems will only allow remote access from devices which have certain security features enabled, for instance, using Cloud Access Security Broker (CASB) systems. Another method which makes life harder for hackers is two-factor authentication. It’s also possible to deploy software which ringfences and encrypts corporate data on personal devices. But these methods weren’t commonly used by the ITDMs in the survey, with just 25% reporting CASBs implemented at their firm and 25% reporting the use of encryption.

These concerns are clearly not going away. According to GlobalData Thematic Research’s “Tech, Media and Telecom Themes for 2021”, “Keeping remote workers cyber safe” will remain a major business concern across all sectors in 2021. The report states:

“With many workers planning to work from home for at least part of the week for the foreseeable future, security companies will be busy throughout 2021.”

The GlobalData report also goes into detail on some of the issues raised in the Doherty survey, stating:

CASBs and Cloud Data Protection Gateways (CDPGs) will continue gaining momentum due to growth in the software as a service (SaaS) market. The acceleration of digitalisation will also lead to security vendors redefining and introducing SASE solutions, which combine wide area networks (WAN) and networking security functions, delivered in an as-a-service model to support secure access needs in future digital environments.

Lastly, a rise in cloud-native applications will create more cloud-native security solutions. These will allow development and infrastructure teams to use microservices, through a combination of containers and Kubernetes, with security as an overlay in the development lifecycle.