Now, as we start to settle into a new way of working, it’s time to assess if we need to carry on this way for 3 months, 6 months or longer. The answer will be different for each organisation, but one thing that will be common for all will be getting to grips with how their threat landscape and risk posture have changed.
Now’s the right time to explore which roles in your organisation have changed substantially in terms of how and what they can access and process. For example, someone in your legal team may have been used to have all their work locked away in a safe in the office at the end of every day, and now, these papers are scattered across their kitchen table. You may have contact centre agents who’ve always been office-based, but now they’re juggling their responsibilities in their home.
Cybercriminals are tirelessly looking for these changes to try and exploit them.
When it comes to selecting which employee or group in an organisation has the highest likelihood of success and / or value for an attacker, not all roles are equal.
Some roles are valuable due to the assets they have access to; some roles are valuable due to the span of control and influence that they have; and some roles are valuable because of what they do or what they know and / or as way of gaining access to other more valuable roles within an organisation.
More generally, many roles are valuable, simply because the person has wealth, access or assets outside of their working environment. Even haphazard targeting of people personally via scams or phishing can often result in hard to remove attacks on companies.
In many cases, organisations deploy a variety of controls and mitigations to prevent, detect, limit, and restrict the impact of attacks, but as users move outside of their business environments, the controls often become less focused and the risks of attack can increase.
Many of us have seen an explosion in scams and fraud as criminal and attackers look to exploit the situation and leverage natural fears and anxiety to manipulate their victims.
Equally, many organisations have taken decisions to relax security polices to make working remote more effective; improve capacity for their remote access infrastructure; and allow data to be processed in locations that it may not have been previously.
To some extent, the journey to remote working had started before 2020, but due to the Coronavirus pandemic, many had to expedite and accelerate plans with some transforming significantly in a very short space of time.
When considering home or remote working, clearly the security controls on the users devices, their connectivity and visibility of their security posture have an important part to play. Education and awareness as to the risks are also important, especially when asking users to undertake activity that previously would never have been considered to work remotely - e.g. commodity trading; health consultations; R&D analytics, etc.
One observation is that often individuals feel a lot safer and more relaxed in their own homes and this can lead to a different risk appetite and less concentration in terms of clicking on links or validating connections and emails.
When looking at the question of which users carry the most the risk when working at home, then clearly this is potentially a subjective question that depends upon your business and the roles that you employ.
So, I come back to the value of a role within the organisation, combined with users maybe having a lesser focus on the risks. Some threats like scams and phishing have increased, and some organisational controls are perhaps no longer in play or visible to your security operations.
Generalising a little, any employee who has access or authority to transfer funds or assets; authorise payments or gain organisation-wide access or has access to valuable information or research is at increased risk when in this environment.
This includes executives, such as the CxO roles, and may also include the commercial and legal teams or those working in procurement. Equally, supporting roles such as personal or executive assistants often have delegated access and authority and as such, can also present an equal or even high risker when working remotely.
Roles which are traditionally office-based, such as contact centre, R&D and trading desks also represent an increased risk, especially when some of the process or regulatory controls have been relaxed to enable temporary remote working. We’ve seen criminals trying to exploit contact centre agents by abusing temporary processes to try and trick the agent into doing their bidding.
Finally, roles such as system or IT admin which may normally be restricted to rigid access procedures can be very useful to an attacker. Extra care should be taken to protect these roles with more visibility and control than some more general roles.
Although there are some obvious examples, clearly any valuable role working remotely has the potential to expose an organisation to a greater level of threats than perhaps they would if working in the office, As we settle into a future that may see many of us working differently, this is an excellent time to reassess, react and reset our strategies and assumptions on the cyber risks and threats to our employees.
Whether it’s practical help or reassurance, we’re here to help.