Written by: Emily Mossburg, Deloitte’s Global Cyber Leader
As COVID-19 spread globally, companies had to quickly grapple with moving to a fully remote workforce. Some had infrastructure in place to support these changes—according to the US Bureau of Labor Statistics, from 2017-2018, about 29 percent of Americans had the ability to work from home – but few had maintained a mobile workforce at such scale. Others were left fully unprepared, adjusting to mobile work on the fly.
In this evolving environment, the cybersecurity landscape for organizations has been dramatically complicated, and cyber risk has never been higher. How organizations handle this challenge will determine their ability to maintain operational normalcy in the present and scale up capabilities once work-from-home policies are lifted.
Adapting to an expanded mobile workforce
Despite the expanding scale of digital threats, a key piece of the cybersecurity puzzle is the individual endpoint. An endpoint is an end-user device linked to a company’s network, and each is vulnerable to a cyber breach that could expose the company’s data. If you evaluate a typical office setting, endpoints are rather easily traced—computers, mobile devices, servers, smart devices, etc. With all of these endpoints under one roof and IT help on-site, organizations can ensure good cyber practices and stay ahead of risks.
But the unprecedented expansion of the mobile workforce has thrown a wrench into the equation. The more endpoints there are, the more complex the security needed to manage their volume and variety. With millions of workers linking laptops, mobile devices, and tablets to their employers’ networks, cyber risk is growing exponentially. Many personal devices do not have the cybersecurity protections of company-issued devices, and many organizations may not know what devices are on their systems.
Knowing what assets you have, where they are, how they are protected, and what they need from a security perspective is key for protecting your organization. What’s more, a large knowledge gap exists: frequently, employees have little understanding about the nature of cyber threats and how some of their actions can create unintentional cyber vulnerabilities. Ultimately, this spells major risk for organizations.
As organizations adapt to this unprecedented challenge, they should consider three fundamental questions:
• Does my organization have the capability to detect, respond to, and recover from cyber threats, and does that capability include evolving threats against the mobile workforce?
• What assets are most critical to our organization (what do we need to protect – is it customer data, intellectual property, critical hardware systems, etc.)?
• Does my organization have a cyber-secure culture? Are our employees educated on recognizing and preventing cyber incidents regardless of their “work” environment?
Raising cyber awareness among employees
Many organizations have cyber policies and capabilities to manage well-known threats, and as a result, some may choose to simply “get by” with existing tools and practices, which will not suffice in deterring an ever-growing threat landscape. Between March 13 and 26, 2020, there were over 400,000 incidents of spam emails pertaining to COVID-19. In response, US and British intelligence authorities released a joint alert on 8 April, warning that cyber criminals are exploiting the pandemic, targeting individuals and organizations with ransomware and malware.
One ill-fated click from an unknowing employee could threaten the entire company’s data, making it imperative for organizations to reevaluate all existing endpoints for vulnerabilities. Furthermore, newly adopted cloud tools to support mobile work, such as video conferencing tools, should be properly secured from a cyber perspective. Without proper security controls, cyber criminals may join virtual meetings and/or access sensitive information in the cloud.
A key factor in a successful remote workforce ecosystem is ensuring employees understand their role in keeping the company cyber secure. Personal responsibility and know-how are essential components of every organization’s cyber risk management program. Cyber teams need to work with organizational leadership to encourage proactive communication and training about best practices, company cybersecurity policies and incident response plans.
A well-prepared organization will recover more quickly and resiliently from a cyber attack. Suggested actions include:
• Develop and practice a cyber incident response plan to educate and train employees to prevent cyber incidents and avoid the spread of misinformation
• Raise awareness of phishing campaigns and other cyber threats related to email exploits among employees who may be receiving a relief payment
• Restrict unapproved personal devices from corporate networks, and ensure corporate security software is installed on approved devices before they are connected
By raising awareness and understanding of threats among individuals throughout the organization, enterprises can improve day-to-day cyber practices, while creating a culture where cyber is an active process, not a passive response.
Embracing a “cyber everywhere” reality
The COVID-19 crisis has put extreme economic strain on many organizations as they adjust to the “next normal.” With millions of employees working from home, it would be understandable for business executives to be focused solely on maintaining operational capacity and functionality at all costs. However, if cybersecurity is not built into their plans to recover from COVID-19, organizations could be seriously compromised in the short term, and ill-suited to thrive in the world ready for the next challenge or opportunity.
More than ever before, organizations need to embrace a “cyber everywhere” reality and view it as the connective thread that weaves their organization, customers, vendors, and communities together, enabling them to integrate cyber into the strategic decisions they make each day.
In many ways, mandated work-from-home policies have supercharged digital transformation. It’s possible this period could usher in a new era of work where lines between in-office and at-home work are blurred. Those organizations at the cutting edge of cybersecurity now will be well positioned for future growth in the months and years to come.
About the Author:
Emily Mossburg serves as Deloitte’s Global Cyber Leader. A 20+ year cybersecurity professional, Emily has supported a range of clients and industries helping them to transform and evolve their cyber programs. This includes implementation of new processes and solutions in areas such as data risk, incident and breach response, and cyber resilience.
Prior to this role, Emily was the Advise & Implement Solutions leader for Deloitte’s Cyber practice in the United States where she led the development and delivery of cyber solutions designed to better align cyber risk strategy and investments with strategic business priorities, improve threat awareness and visibility and strengthen ability to thrive in the face of cyber incidents.
Emily is a recognized leader and authority on cybersecurity and was recently named one of the “100 Fascinating Females Fighting CyberCrime” by Cybersecurity Ventures.
Visit Deloitte on the web at: https://www2.deloitte.com
The opinions expressed are those of the author.