Why WFH Greatly Contributed to Cyber Breaches in 2021
The COVID-19 outbreak significantly changed the way many things were done globally: businesses had to devise new ways of meeting customers’ needs, people had to go through long periods of lockdown, and the physical workspace could no longer operate. Cyber incidents were reported to rank as the third-largest business risk globally.
In the face of all these dramatic changes, it was important to keep the world economy moving, and work had to be done. This gave birth to WFH (work from home), the acronym given to work that is done remotely.
Before the pandemic, a few organizations were actually practicing some sort of remote working, but the pandemic made it the way of life. WFH became compulsory for the survival of any business.
An effective WFH model warranted a good dose of digital transformation, since transactions and boardroom meetings would occur online. New technologies needed to be integrated; apps and collaboration tools became essential for the smooth transaction of business; legacy systems had to be revamped; and employees needed to undergo some form of training to adapt to these new measures.
While it was expedient for these measures to be put in place, organizations did not have enough time, and the pandemic had already eaten deep into their finances. The need to meet customers’ expectations and survive created room for vulnerabilities that threat actors quickly exploited.
With the physical workspace, it was relatively easy to protect the office systems with firewalls and blacklisted IP addresses. However, the integration of new technologies has made organizations more vulnerable to cyber-attacks. Since you now conduct your business online due to the WFH model, you are at the mercy of prying eyes who scour the internet for vulnerabilities they can exploit.
What many have experienced with the ill-prepared WFH model is that the documents you have in the cloud, your emails and attachments, instant message clients, and supply chain services have become vulnerable. Since you are moving a lot of data digitally, you have created more attack surfaces for threat actors to exploit.
Reboot Online surveyed 1,198 business owners and employees in the UK about their experiences with data breaches and password security between 2020 and 2021. The survey revealed that cybersecurity breaches have increased tremendously as a result of more organizations venturing into WFH. What Reboot Online found to be responsible for this was that an overwhelming 79% of businesses fail to change all their security passwords when they disengage employees, and 71% of businesses don’t even attempt to train their employees on how to handle personal passwords.
Level of preparedness
At the time organizations embarked on WFH, what was more important to most of them was how to ensure continuity. Cybersecurity was not given enough priority, as some employees had to run some business tasks on their personal devices.
While we may want to see this as some form of irresponsibility on the part of organizations, the fact is that they couldn’t do much. The COVID-19 pandemic came suddenly, and the pace at which it moved required urgent measures.
Organizations and their employees had to scramble and quickly adapt to the dramatic changes to ensure survival. The situation truly describes “survival of the fittest.” In certain instances, little or no action was taken to comply with organizations’ cybersecurity standards and data protection obligations.
Unlike in the physical workspace, where cybersecurity issues were made everybody’s concern, the bulk of the work of tackling the threats fell on CISOs and the different IT teams. This was rather unfortunate, and to compound things, the WFH setting did not give them enough room to do their work diligently.
Data protection guidelines
Every organization must provide its employees with data protection guidelines. While this was already very common practice with the physical workspace, it has become entirely possible with the WFH model. Employees must have clear-cut instructions on how to handle customers’ sensitive information.
The sudden change and the general situation employees found themselves in made it almost impossible. It was even possible that employees would dispose of some documents they consider waste in their personal bins, without considering that such documents could be scanned for titbits of information that can eventually harm the organization.
Going by the finding from Cybint that 95% of cybersecurity breaches come from human error, you don’t need a rocket scientist to work out that if you eliminate human error, you greatly reduce cyberattacks. Unfortunately, however, the sudden need for the WFH model did not give room to fully prepare employees for the task ahead.
Wrong use of work equipment
Work laptops had to be taken home to carry out tasks. While this was completely necessary for WFH, there could have been instances where such working tools and devices were left around carelessly. For employees with kids, for example, this can be a very costly mistake, especially where passwords are not strong enough or are carelessly placed.
Some organizations also did not place enough emphasis on multi-factor authentication, which would make such devices difficult to access even if left around carelessly. WFH does not necessarily mean that all the work must be done while your employee is at home. An employee could be on a train or in a café when the need to join a virtual meeting arises, and bits of information can, unfortunately, fall into the hands of threat actors who are eavesdropping.
While the employee did not intentionally divulge the information, it can be used to harm your organization. Another fallout from using work equipment at home is the level of security of the network your employees use.
Once a threat actor secures an entry point, the whole system is compromised.
Conclusion
WFH was inevitable; the only problem was the level of preparedness before embarking on it. The current situation does not indicate that we shall soon go back to the initial way of doing things; organizations may have to adopt a hybrid model, and that means cybersecurity issues will persist.
Necessary measures such as training and retraining employees on cybersecurity issues have become compulsory. To ensure that your organization does not suffer the ill effects of cyberattacks, you must not see cybersecurity as the business of the IT team alone, especially with the WFH model.