Imagine you’ve spent years building a castle with ramparts that tower high above you. There are archers all along the battlements; the drawbridge is up, and the moat bubbles with a festering mess of smelly toxic water.
The village folk are safe inside your walls, and the bad guys are kept at bay. Then, one day, you’ve got to abandon the castle. A pandemic has hit, times have changed, and you must isolate yourself in your home. Suddenly, everyone departs and heads to their sleepy farmsteads and straw huts.
Yes, they’re still working hard, and productivity is great. But they’re now all completely and desperately vulnerable to attack.
This medieval analogy may seem a little quaint, but the point is deadly serious because it’s exactly what’s happened to cybersecurity. The pandemic forced businesses to pivot overnight towards remote and hybrid working. Sure, the worst is now behind us, but in this new post-pandemic era, employees continue to work from home or in public spaces such as libraries and cafes.
What’s more, they’re most likely accessing unsecured Wi-Fi networks on personal computers that may or may not have up-to-date cybersecurity software. The probability of them being caught by a hack or cyber attack is now exponentially higher than ever. A survey of IT and mobile security professionals by wireless network company Verizon found almost 80% thought post-pandemic changes to working practices had adversely affected their organisation’s cybersecurity.
These attacks can take several forms. They could be hit by a spear-phishing or whaling attack - highly targeted scams designed to lull unsuspecting people into carrying out a specific action, such as transferring funds or handing over a password.
It could be an email that appears to be from the leadership team and uses personal information seemingly known only to people inside the company. While it looks safe, in reality, the information has been gleaned from social media or scraped from the company’s website.
These attacks are also used to dupe staff into downloading malware designed to make their computer vulnerable. They can take many forms, such as a PDF or a Word document with a tiny piece of code embedded in it that opens the door to an attack.
Human error was much less of an issue when your staff were behind the perimeter of your office’s security systems and using company computers. At that time, you could dictate what could and could not be downloaded. This is no longer the case when someone is working remotely.
The bottom line is once their computer has been compromised, a bad actor can get inside your system and wreak havoc.
This has become even more of an issue with the dawn of AI tools like ChatGPT. While much has been made of its coding capabilities, the big question is, how will people choose to use it? ChatGPT can turn an army of laymen and women into potential hackers, augmenting their skills to enable them to attack company systems from outside and – in the case of disgruntled employees – from within.
In addition, ChatGPT allows less experienced coders to create software. This means software will be written by people who do not have the knowledge or experience needed to root out vulnerabilities in their code. As time goes by, companies are likely to be exposed to more software which may work well on the surface but has a multitude of potential exploits littered within it.
This is a new era of potential threats, and with post-Covid remote working architectures still playing catch up, it could be a recipe for disaster.
Adapting is an even bigger headache for small and medium-sized businesses (SMBs) that don’t have the staffing, money and resources to adapt to this rapidly changing environment - and bad actors know it. A cybercrime study by consultancy firm Accenture found nearly 43% of cyber-attacks are targeted at SMBs, yet only 14% are prepared to defend against them. Whether you have the same resources as enterprise-level companies is a moot point. You don’t have any choice but to be prepared.
The good news is there are multiple ways to achieve your security goals, many of which can be deployed easily by companies big and small.
Business leaders can do their part by rolling out multi-factor authentication, limiting each staff member’s access to only the systems they need, or deploying cloud-based cybersecurity software which is kept regularly updated.
Modern Internet security software makes it much easier for smaller firms to take the steps they need to protect themselves, with solutions that can be easily deployed without relying on big IT departments. However, providing this software has to go hand-in-hand with making staff part of the process.
It’s no longer enough for the company to protect its staff from threats. Employees also have to help protect the company. To enable this, companies should develop clear and robust cybersecurity policies and procedures that fit the era of hybrid working.
So, what does this look like in practical terms?
First, staff should be made aware that they can no longer rely on the safety net of the company’s security measures, and they should be educated and empowered to make the right decisions about what constitutes a threat. Then, they must be kept up-to-date on the threats they face to ensure they remain on guard.
You can do this through simple educational material on how social engineering scams work, how malware compromises their system, and how to take sensible precautions, such as using a VPN when on a public Wi-Fi network. This information should be readily available and constantly updated as new threats emerge.
There should also be strict rules around using personal devices for work, with clear information for staff about what they can and can’t download and how to determine whether a link is trustworthy.
You should put in place measures to ensure you can foil social engineering attacks by establishing clear processes around sign-off and safe routes for the movement of funds.
To return to that medieval analogy, when you teach the villagers to stand shoulder to shoulder, they’ll never need a castle again.