With lockdown transforming the way we communicate and interact, the 2020 Hiscox Cyber Readiness Report shows how employees can work from both the office and home in a way that’s safer and smarter.
The cyber security landscape is in a state of flux. The 2020 Hiscox Cyber Readiness Report, which surveyed more than 5,500 businesses, reveals that spending on cyber security has increased by 39%, yet total cyber losses still reached £1.4 billion – an increase of 50% from 2019. And some of the report’s most pertinent findings come into even sharper focus in light of the COVID-19 pandemic and the ‘new normal’ of working from home.
The human firewall
Highly targeted phishing scams are where hackers are focusing most of their efforts. And it’s working. Phishing scams are one of the most common types of cyber attack we witness, with companies deemed ‘novices’ in their cyber security readiness rating suffering more breaches as a result of these methods of attack.
Being in an office brings an element of protection that we don’t get in the homeworking environment: if you receive a suspicious email you can simply ask your colleague at the next desk what they think. “There’s far less of that pack mentality when people are isolated and working from home,” explains Steve Ridley, Cyber Underwriting Manager at Hiscox UK, adding that people should be on the lookout for scams that play to people’s fears amid the pandemic, such as emails offering vaccines or antibody tests, or tax rebates as part of the Government schemes.
For Steve, it’s crucial that organisations understand the value of the human firewall – the end user. Building this means changing employee behaviour through training, which is something that businesses have already started. The report reveals that twice as many firms responded to a breach by spending more on employee training, while nearly three quarters of the companies ranked as micro-businesses (fewer than 10 employees) intend to prioritise training in the next 12 months.
Employees as potential gateways
Companies have increased their cyber security spend by 39%, and the proportion of IT budgets spent on security rose in 75% of countries surveyed. Much has gone into protecting the physical perimeter of networks, but this doesn’t offer the same security when the office is empty. During the pandemic, people are plugging office devices into home networks that haven’t had the same level of security investment. And because those devices have previously relied on network security, the devices themselves are less likely to have adequate protection in place.
“When you have a dispersed workforce pretty much every person becomes a potential gateway into the network, so there are far more points of access,” explains Steve. To an extent this is understandable: the move to remote working was fast, and the focus of most IT departments was on establishing remote working capabilities almost instantly. “Now we just need to make sure that the capability of working from home is the most secure it can be,” says Steve.
Small companies remain at risk
While ‘super targets’ – companies that report 500 or more cyber security events – tend to be enterprise-scale organisations, the Hiscox report reveals that a surprising number are among the smallest businesses. This is of particular concern given the upheaval these smaller organisations have been subject to recently.
“We’re seeing time and again that these smaller companies can be a lucrative target for criminals,” says Steve. Companies with 50 or more employees spend around 14% of their IT budget on cyber security; those with 10–50 employees spend just shy of 11% and those with fewer than 10 spend 9%. “For smaller companies it is just a case of upping their spend in general,” he adds.
Businesses of all sizes need to start spending smarter, particularly in light of remote working, and Hiscox sees a shift towards this already. The proportion of respondents planning to increase spending on cyber security technology has fallen in the past three years, while the number planning to invest in more employee awareness training has risen from 34% to 40%, and more than a third of companies plan to increase cyber security staffing – up 26% from two years ago.
Improving response and recovery
To assess a company’s cyber security readiness profile, Hiscox measures companies against the National Institute of Standards and Technology (NIST) cyber security framework: identify, protect and detect – and respond and recover, because breaches do occur.
“Companies need to get much better at responding,” says Steve, who points out that success in these categories tends to be weighted towards ‘identify’, ‘protect’ and ‘detect’. But companies are starting to respond: in 2020 there has been increased spending in all categories, with spending on response growing by 44% and on recovery by 46%.
For Steve, securing the remote workforce doesn’t require a blank slate. Rather, it calls for a shift towards investing in employee behaviour, which will remain valuable in whatever form office life returns. Training employees, regardless of organisation size, to recognise, identify and respond to a cyber threat will make businesses more secure, whether from an office or a living room.