Over the past few months, cyber-attacks have risen sharply as millions of people work remotely and attackers take advantage of the situation. According to a recent survey from US telecoms giant AT&T, 55% of remote workers have experienced a cybersecurity incident in the last year.
Worryingly, many of these attacks likely came down to issues such as human error, poor cyber hygiene, and a lack of security awareness. In fact, AT&T found that 54% of workers frequently use work devices for non-professional purposes, such as letting relatives borrow them, connecting IoT devices, internet banking, and online gambling.
Despite these problems, lots of businesses are failing to respond. The AT&T study shows that 50% of companies haven’t provided cybersecurity training since moving staff online at the start of the pandemic. Furthermore, 30% of employees feel their employers aren’t taking enough steps to keep them safe online.
To protect employees from increasing online risks, human resources teams must create and enforce effective security policies. But how can they do this? From overcoming common challenges to choosing the right technologies, we discuss all the things HR professionals need to know when developing a cybersecurity strategy for the modern workplace.
Cybersecurity risks in the remote workplace
Since the outbreak of coronavirus a year ago, remote working has become the norm for millions of people worldwide. While technology allows employees to continue working from home and follow social distancing measures, remote workers are a prime target for cybercriminals.
Sean Wright, application security lead at software company Immersive Labs, believes cybercriminals can easily target individual employees, and says training is where employers must start:
“Making sure your employees have appropriate training is absolutely vital. This should also cover best security practices such as good password management and use, appropriately updating devices and applications. Also, make sure employees have access to someone to ask appropriate security-related questions.”
“In addition employees could be working on personal devices which may not have appropriate security controls in place (such as automatic updates, security endpoint management), to home networks which may not be as secure as their corporate network,” he explains.
Although cybercriminals have many different hacking techniques at their disposal, phishing is one of the most common attack vectors in the remote workplace. “Personally I’d say attackers have adopted phishing more and more since people have started working from home,” says Wright.
“Employees can no longer simply go over to the security department and ask them if the email is legitimate, or even ask the proposed sender. In addition, as we saw at the beginning of the pandemic, there were several issues around telecommunication. This could become a rather big issue, especially when sensitive corporate-related conversations are taking place,” he adds.
Rick McElroy, principal cybersecurity strategist at US tech firm VMware, agrees that phishing attacks are a major issue for employers and staff today. He tells UNLEASH:
“HR teams should be aware of the increase in phishing attacks aimed at either ransoming or achieving compromise of the email and communications systems. Extortion of organizations is a massive risk that HR departments need to know about.”
Catherine Aleppo, head of cyber at insurance firm Aston Lark, says it’s more challenging for companies to secure their IT infrastructure when employees are working remotely. “Home workers are not all technical experts, they may not understand the importance of updating software in a timely manner, if at all. Where employees are working on their own personal devices, or connecting to public wifi, the lines between their working life and their private life can easily become blurred,” she says.
“In their home environment, an employee is more likely to browse the internet, so more opportunity to visit malicious sites. Plus with the added distractions of family, pets, Amazon deliveries etc, concentration levels drop making employees more susceptible to falling for social engineering scams.”
Virtual private networks (VPNs), which remote workers use to reach the corporate network from home, also need securing: a VPN endpoint that accepts a username and password alone is only as strong as that password.
“Through the use of VPNs, employees can connect to their company network remotely. If this internet connection is not protected with multi-factor authentication (MFA), it becomes a much easier point of entry for a threat actor. Requiring more than one factor to validate a user’s identity provides a network with a second layer of defense. Like any security measure, it’s not failsafe, but it could be enough to deter a threat actor, in a similar way a burglar views a house with an intruder alarm less attractive and harder work than one without,” warns Aleppo.
“All it takes is one mistake and a network can be compromised – a distracted, tired, overworked employee falling for a phishing email, tricking them into sharing their credentials. This enables the threat actor to log into the network posing as a legitimate user. If user permissions are unrestricted, the hacker can roam undetected creating chaos. Typically, this is done by stealing data, installing ransomware or simply sending out emails purporting to be from an employee instructing funds to be transferred.”
Overcoming common challenges
With cybercriminals increasingly targeting remote employees, HR teams must develop and implement robust cybersecurity strategies to protect them. But this can be an extremely arduous task that poses many different challenges.
Jake Moore, a security specialist at cybersecurity firm ESET, warns: “HR teams have struggled with implementing training procedures which were once part of a physical induction. We are now seeing remote initiations which are unfortunately never as detailed.
“Those companies that were already set up for remote access and policies to suit for at least part of the working week were the ones which hit the ground running. However, some older fashioned organisations where home working was possibly seen as frivolous were not so equipped to adapt to the given change and slower off the mark.”
We often hear that “employees are the weakest security link” within an organization, and with so many staff now working remotely, cybersecurity has never been more of a priority.
Aleppo says overseeing cybersecurity protocols and ensuring remote workers follow them are challenging tasks: “In many organizations, there’s still a level of embarrassment attached to falling for a scam, and the fear of getting into trouble makes victims more likely to hide their mistakes. This can have catastrophic consequences,” she says. “HR teams must help encourage all employees to protect the organization and be vigilant, but also issue clear steps as to what action to take when accidents or near misses happen.”
But she warns that there are no absolutes in risk management despite the implementation of different security measures. Aleppo continues: “Threat actors are exploiting any vulnerability – be it targeting technology weaknesses, or forcing human error through social engineering manipulation.
“This is why organizations need to be adopting an approach that reduces their risk with security protocols, and mitigates their risk with cyber insurance. Transferring the risk provides not only financial and reputational protection but also access to the all-important incident response support, along with pre and post-breach risk management assistance, should the worst happen.”
McElroy points out that HR teams are themselves an attractive target for attackers, because they hold large amounts of personally identifiable information (PII) and act as the face of an organization during the recruiting process.
He says: “As part of the recruiting process, HR departments should ensure that how they perform background checks is secure. These provide key vectors for attackers to take advantage of. HR teams should also be concerned about insiders who leverage their access for profit, as well as insiders who are taken advantage of by attackers to get access to the company’s systems.”
Choosing the right security solutions
One of the biggest challenges of implementing a security strategy is choosing the right vendor or technology. So, what should HR teams remember when considering a cybersecurity solution for their organization?
McElroy believes how cybersecurity vendors handle data is an essential factor to consider:
“Cloud-first security strategies are helping organizations achieve their data protection goals. As HR teams consider cloud technologies to facilitate HR processes, they should ensure that their cloud vendors are adequately protecting their organizations’ data and the data of candidates and employees. Who has what responsibilities if data is breached? Security SLAs should be clearly defined during contract negotiations.”
He says automation and orchestration technologies are helping to reduce the overhead in cybersecurity, too. “Machine learning provides a great deal of value when it comes to analyzing huge data sets involved in detecting and preventing attacks. If implemented correctly, they can help teams do more with the same amount of human capital and achieve security at scale.”
On the other hand, Wright recommends that HR teams think about end-point device protection and cloud security solutions. “Security people still need the ability to view events from the device and be able to control the device from the point of view of things such as automatic updates, malware signature updates. In terms of cloud security, including Software as a Service (SaaS), security around these services has become even more important with remote working,” he says.
“These services go a long way to help a distributed workforce, but can carry significant risk. Many companies have started moving to this prior to the pandemic and would have likely speeded this up as a result of the pandemic. The risks of getting this wrong though are significant. So making sure that there are the appropriate security controls in place is vital.”
Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, explains that emerging technologies like artificial intelligence enable HR teams to address enterprise security challenges. He says: “Increased intrusion attacks are becoming too intelligent to identify differences between hackers and legitimate connections. Therefore, applying AI or machine learning techniques can help detect patterns such as irregular financial transactions and customer profiling techniques.
“Anomalous AI-based detection systems can profile normal patterns and search for outliers, and hybrid detection systems combine misuse and anomalous detection techniques to improve the detection rate, as well as reduce the false-alarm rate. Scan detection can lead to the earlier deterrence of attacks.”
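To make the hybrid approach Curran describes concrete, here is an added example (not code from the article or from any of the people quoted in it) that runs over a handful of constructed VPN login log lines. A misuse rule matches a known-bad pattern (a burst of failed logins followed by a success), while an anomaly profile learns each user's usual login hours and source countries from a baseline window and flags logins that fall outside it. The log format, user names, countries and thresholds are all assumptions made for the illustration.

```python
"""
Added example, not from the article: a small hybrid detector over constructed
login log lines. A "misuse" rule matches a known-bad pattern, and an "anomaly"
profile learns each user's normal hours and source countries from a baseline
window, then flags successful logins that fall outside that profile.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (CSV: timestamp, user, source country, outcome).
BASELINE = """\
2021-03-01T09:05:00,alice,GB,success
2021-03-01T09:12:00,bob,GB,success
2021-03-02T08:58:00,alice,GB,success
2021-03-02T10:30:00,bob,GB,success
2021-03-03T09:40:00,alice,GB,success
2021-03-03T09:02:00,bob,GB,success
"""

# Constructed events to examine: one off-hours foreign login, one brute-force burst.
NEW_EVENTS = """\
2021-03-04T09:10:00,alice,GB,success
2021-03-04T03:22:00,alice,RU,success
2021-03-04T09:15:00,bob,GB,failure
2021-03-04T09:15:05,bob,GB,failure
2021-03-04T09:15:10,bob,GB,failure
2021-03-04T09:15:15,bob,GB,failure
2021-03-04T09:15:20,bob,GB,failure
2021-03-04T09:15:25,bob,GB,success
"""

def parse(lines):
    events = []
    for line in lines.strip().splitlines():
        ts, user, country, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "outcome": outcome})
    return events

def build_profile(baseline_events):
    """Per-user profile: countries seen and the hours at which successful logins occurred."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in baseline_events:
        if e["outcome"] == "success":
            profile[e["user"]]["countries"].add(e["country"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile

def anomaly_alerts(events, profile, hour_slack=1):
    """Flag successful logins from an unseen country or outside the user's normal hours."""
    alerts = []
    for e in events:
        p = profile.get(e["user"])
        if p is None or e["outcome"] != "success":
            continue
        reasons = []
        if e["country"] not in p["countries"]:
            reasons.append(f"new country {e['country']}")
        lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
        if not lo <= e["ts"].hour <= hi:
            reasons.append(f"off-hours login at {e['ts'].hour:02d}:00")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), "; ".join(reasons)))
    return alerts

def misuse_alerts(events, max_failures=4, window_seconds=60):
    """Signature rule: at least max_failures failures within the window, then a success."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent_failures = [f for f in evs[:i]
                               if f["outcome"] == "failure"
                               and (e["ts"] - f["ts"]).total_seconds() <= window_seconds]
            if len(recent_failures) >= max_failures:
                alerts.append((user, e["ts"].isoformat(),
                               f"success after {len(recent_failures)} failures in {window_seconds}s"))
    return alerts

def hybrid_detect(baseline_text, events_text):
    """Run both detectors and return the combined, sorted alert list."""
    profile = build_profile(parse(baseline_text))
    events = parse(events_text)
    return sorted(misuse_alerts(events) + anomaly_alerts(events, profile))

if __name__ == "__main__":
    for alert in hybrid_detect(BASELINE, NEW_EVENTS):
        print(alert)
```

Run as-is, it raises two alerts: the anomaly profile catches Alice's 03:22 login from a country she has never used, and the misuse rule catches Bob's success after five failures in under a minute. Neither detector alone would have found both, which is the point Curran makes about combining the two techniques; in practice the baseline window would be weeks of data rather than three days, and the hour and country checks would be tuned per user population.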
Future-proofing organizational security
When developing and implementing cybersecurity strategies, HR professionals should ensure that these will future-proof security right across the organization. But what steps must they take to achieve this?
Wright believes that companies should continue investing in employees to future-proof organizational security. He says: “You need employees to configure and run the tools, employees to help prevent attacks. So make sure that you have appropriate training in place, and this is something which happens on a continuous basis. Also make it interesting – there are several gamified platforms which help to do this.”
Moore says future-proofing organisational change must not only come from the top down, but also remain constantly monitored and updated. He says: “Many organisations prepare for attacks but fail to update to withstand the ever changing threat landscape. Those who include quality training and build an awareness culture are often the best at protecting their future.”
Aleppo argues that organizations should view cybersecurity as a priority risk. “The ultimate responsibility must sit at Board level, even if they have delegated the management of cybersecurity to others. It’s critical that organisations understand their threats, vulnerabilities, business impact, and controls, and are prepared,” she says.
“Cybersecurity must become embedded in the company culture. HR and IT must join forces to help build cyber resilience. When employees leave the company, deactivate their account, or at least change their credentials. With an inactive account not being regularly monitored, any suspicious activity will go unnoticed.”
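The leaver-account problem Aleppo raises is a reconciliation task between HR and IT records, and it is easy to automate. The following is an added example, not code from the article or from Aston Lark: it compares a constructed HR roster (who has left, and when) against a constructed identity-directory export (which accounts are enabled, and when they last logged in), and reports leavers whose accounts are still enabled, accounts that have been used after the leaving date, enabled accounts with no HR owner, and accounts unused for longer than a chosen threshold. The CSV columns, the 90-day threshold and the sample names are assumptions for the illustration.

```python
"""
Added example, not from the article: reconcile an HR roster against an
identity-directory export to find accounts that should have been disabled
when people left, and enabled accounts nobody has used for a long time.
Both inputs are constructed samples.
"""
import csv
from datetime import date
from io import StringIO

# Constructed HR roster: employee id, username, status, leaving date (blank if still employed).
HR_ROSTER = """\
emp_id,username,status,leave_date
1001,alice,active,
1002,bob,left,2021-01-15
1003,carol,left,2021-02-28
1004,dave,active,
"""

# Constructed directory export: username, enabled flag, last successful login.
DIRECTORY = """\
username,enabled,last_login
alice,true,2021-03-03
bob,true,2021-03-02
carol,false,2021-02-26
dave,true,2020-11-01
svc-backup,true,2020-09-15
"""

def load(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))

def parse_date(s):
    return date.fromisoformat(s) if s else None

def audit_accounts(hr_csv, dir_csv, today, stale_days=90):
    """Return (username, reason) findings for the audit date given as YYYY-MM-DD."""
    today = parse_date(today)
    roster = {r["username"]: r for r in load(hr_csv)}
    findings = []
    for acct in load(dir_csv):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = parse_date(acct["last_login"])
        person = roster.get(user)
        if person is None:
            # Service or orphaned accounts: someone must own them, or they get disabled.
            if enabled:
                findings.append((user, "enabled account with no matching HR record"))
            continue
        if person["status"] == "left" and enabled:
            left = parse_date(person["leave_date"])
            note = f"leaver since {left} still enabled"
            if last_login and left and last_login > left:
                # Use after the leaving date is the case Aleppo warns about: investigate, don't just disable.
                note += f"; logged in after leaving on {last_login}"
            findings.append((user, note))
        if enabled and last_login and (today - last_login).days > stale_days:
            findings.append((user, f"no login for {(today - last_login).days} days"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_accounts(HR_ROSTER, DIRECTORY, "2021-03-05"):
        print(f"{user}: {reason}")
```

In the sample data Bob left in January but is still enabled and has logged in since, which warrants an incident ticket rather than a quiet deactivation; Carol was disabled correctly; Dave's unused account and the orphaned service account both come out as candidates for disabling. Run on a weekly schedule against real exports, the HR side becomes the source of truth that IT's joiner-mover-leaver process is checked against.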
The rise of remote working following the coronavirus outbreak may have exacerbated enterprise cybersecurity risks, but these issues have long existed and will only grow over the coming years. Therefore, it’s paramount that HR teams take steps to safeguard employees.