Many businesses will be reassessing the current home working set-up that COVID-19 has forced them to embrace. As lockdown restrictions ease and employers are given more autonomy in the decisions regarding employees returning to the office, they must not take their eye off the ball.
Initially, the transition to home working left many businesses at risk of a cyber breach, and for those not fully equipped to deal with the threat, the door was left ajar – the same can be assumed as office set-ups return to ‘normal’.
Recent research shows that between April and June 2020, UK businesses saw a record surge in attempted cyber attacks. There were a total of 177,000 separate attempts on each business Beaming tracked, which is indicative of a wider problem across the UK. That’s equal to one attack every 45 seconds – a 13 per cent increase on Q1.
The research is in line with the transition to a new work set-up, with employees operating on separate networks with different security considerations. Attackers would have identified this as the perfect opportunity to attack, and now, as most SMEs prepare to transition back, we can expect to see the same.
So as a business that is prepping for the ‘new normal’ and is keen to return to more office-based working, how do you facilitate a safe return?
First, you must be aware of the threats. Research by the NCSC (National Cyber Security Centre) has revealed a big increase in phishing attacks targeted at businesses during the ongoing pandemic, while according to the Cyber Security Breaches Survey: 2020, 46 per cent of businesses overall have identified breaches or attacks in the last year. The survey details that the most common cyber attacks are phishing attacks, going on to make the following statement:
Staff receiving fraudulent emails or being directed to fraudulent websites. This is followed, to a much lesser extent, by impersonation and then viruses or other malware. One of the consistent lessons across this series of surveys has been the importance of staff vigilance, given that the vast majority of breaches and attacks being identified are ones that will come via them.
The threat is a very real one, and for employees not concerned with cyber security on a daily basis it can be a problem; this is where attackers can take advantage.
Phishing attacks, as detailed by the Cyber Security Breaches Survey, can manifest in many ways. Someone not well-versed in what a phishing attack looks like can be easily misled. The attacks are always adapting and becoming much more difficult to spot because hackers are becoming more sophisticated in how they evolve, embracing changes in society like COVID-19 and posing as bodies such as the World Health Organisation to lure victims in.
A report released last month revealed a ‘mad scramble’ as firms prepped security for remote working; it’s likely similar trends will be seen over the next quarter. There are a lot of security elements that should be considered, like having the right system configuration or having security patches installed. You must consider whether your anti-virus software is up to date and connected to the corporate network. These are the questions that need asking as you transition back to the office.
Businesses can prepare now by making some simple structural changes to the way cyber security is viewed in the business. These include:
Educating the leadership team
Adopting a top-down approach
Ensuring you have cyber security representation at the leadership level within your organisation
Introducing a “no-blame” culture – it is more important for incidents to be reported and resolved than ignored
Empowering staff to be able to report issues they are concerned about
Don’t allow cyber security to be a blocker – any controls implemented should not cause staff difficulties, which in turn would lead them to seek a workaround and bypass controls; the solutions should be simple and easy to understand
Have a business continuity plan in place that outlines how your company would continue to operate should the worst happen – in this case, it would be worth reviewing any difficulties experienced in the last quarter, making sure these are addressed and that the plan going forwards can embrace new changes.
All employees must remain vigilant. If they strive to do the right thing and consider their positions as important to the overall cyber security of the business, even if not directly concerned with IT, then there could be up to a 70 per cent lower chance of being attacked.
Education and training will always be key, as will keeping all staff up to date on security and the issues that surround it, especially those that they can directly control, like their own digital communications and equipment.
From a structural point of view, investment in coordinated and strategic processes, like adopting and implementing the Cyber Essentials scheme within the business, will be as important as training. Just under 70 per cent of commodity attacks were mitigated by implementing the Cyber Essentials controls, so this will play an incredibly important role in the safety of a company at a time when cyber attackers are on high alert for an opportunity to move in.