James Baly, CTO at Nowcomm, offers advice on how organisations can keep communications safe in the ‘new normal’ of remote working.
The outbreak of COVID-19 and the subsequent UK-wide lockdown brought sweeping changes to the workplace. For many organisations, no matter the industry or size, this meant a wide-scale, unprecedented move to working from home. There was no time for vulnerability assessments prior to the mass move to remote working, nor time to educate staff on how to use the technologies effectively and securely. Operationally, this quickly became a very challenging situation to manage.
Even for organisations that already had some remote working policies in place, it is unlikely that robust plans existed for the majority of the workforce to work and collaborate remotely on a semi-permanent basis almost overnight. Policies and protocols have been drafted and implemented as quickly as possible to maintain business continuity, often with an immediate focus on the bare connectivity and security essentials needed.
Stopgap solutions with security risks
The lure of free cloud-based video solutions
For many organisations, the broad choice and ready availability of free cloud-based video communications solutions such as Zoom, Microsoft Teams or Google Hangouts has been a lifeline in allowing business communications to continue whilst employees work from home. Likewise, the need for people to video call instead of using mobiles soared, as people were desperate to connect and see each other face-to-face in the absence of physical contact and the usual workplace chat and socialising.
Zoom, for example, saw a global surge in daily users from 10 million in December 2019 to 300 million in April of this year. While these technologies have been an immediate and necessary stopgap, they have come with various security flaws, which seem to have been overlooked in favour of keeping businesses running.
For example, the most high-profile security flaw gave rise to the phrase ‘Zoom bombing’, as online trolls emerged and gained access to meetings through links that were free of passwords or any access security at all.
The rise of phishing emails by cybercriminals
It’s not just video conferencing software that’s opening up organisations to security risks. Cyber criminals have also been exploiting fear and anxiety around COVID-19 to launch email phishing attacks and spread fake news. Phishing email attacks related to COVID-19 increased by 600% in the first quarter of 2020.
Phishing attacks are harder to spot on mobile phones, whether in mobile email, social media or messaging applications, because of the smaller screen size coupled with the inability to preview links and see full URLs in mobile browsers. Also, with staff working remotely, checking in with colleagues and asking them if they have received certain emails is no longer taking place.
Remote working in the ‘new normal’
It’s clear that the remote communication technologies and home working policies which have enabled organisations to continue to function through the critical months of lockdown have been a lifeline, but many have been put in as short-term rather than long-term solutions. It’s absolutely essential that organisations work to secure their remote working policies, looking at endpoint security, email security, cloud applications and who is using what. The answer is not to put barriers in place to lock usage, but to find a flexible and agile way to accommodate these applications and their use in a secure, robust way, using multifactor authentication and an ongoing education programme with all employees to help them keep abreast of cyberattacks and spot the signs.
Nearly half of UK businesses believe their cybersecurity policies are unfit for a permanent remote working model.
People and policy – a two-pronged approach
Organisations must ensure that they have sufficient security protocols and systems in place to support a permanent move to remote working in some capacity. To do this, they must adopt a two-pronged approach. Whilst it’s important to have the right software and systems, organisations must also focus on the people aspect of security. Employees are the first line of defence against all cyberattacks, and keeping employees engaged with the risks and the ways to avoid attack is a permanent process.
- End-to-end encryption and two factor authentication
It’s time to say goodbye to traditional PBX office phone systems and embrace communication technology with enterprise-class security which keeps employees and data safe whilst working remotely. Cisco Webex Calling, for example, is an app-driven, enterprise-level alternative with a robust security architecture which includes true end-to-end encryption and two-factor authentication (2FA). 2FA is fast becoming essential protection to help prevent malicious logins due to stolen credentials. However, while it has been more widely adopted, it’s still underused.
Using communication platforms with these enterprise-class security features reduces the risk of hacking and of attendees gaining access to meetings and calls that they shouldn’t be a part of and that include sensitive information.
- Employee cybersecurity education
The cybersecurity landscape is constantly evolving and even the most robust communication platforms and security policies can be undermined by employees who lack an understanding of cybersecurity risks and prevention measures. It is essential that organisations provide up-to-date, comprehensive and continuous cybersecurity training for all employees, from the intern up to the CEO. At the end of the day, a company’s cybersecurity posture is only as strong as its employees’ understanding.
Remote working opens up a particular set of cybersecurity risks, since many employees will be working from unsecured personal devices and across Wi-Fi networks which are used for both personal and business operations. Organisations need to implement robust policies for employees using their own devices and accessing the company network from a home connection.
In addition to this, with the evolution of IoT and the rapid adoption of smart home and wearable technology, such as smart watches with running and cycling apps, we are sharing extremely personal information through a connected network daily. Whilst working from home, more and more employees are using these IoT fitness devices during their lunch breaks, sharing data across social media.
Employees need to be made aware of the risks that seemingly harmless accessories, such as a fitness tracker, can pose to company data and networks. IoT devices, which often have much weaker security controls than other devices, are the perfect way in.
The future has come early
Designing and implementing new security protocols and systems requires an investment of time and money. Rather than seeing this as a burden, organisations should see this as a positive opportunity to propel their workplace into the future. Remote working was always going to become an important part of the modern-day workplace; the opportunity has just arisen earlier than expected. Likewise, maybe this is the nudge businesses needed to get rid of outdated and costly legacy office phone systems and implement a more secure communications strategy to protect their data and employees.