Remote working and Cyber Security: Georgia Crossland and Amy Ertan

Introducing the project
The move to remote working represents a huge shift for employees and organisations alike, with significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post gives an overview of one section of this project: how remote working impacts cyber security.

In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post offers a high-level overview of how the cyber threat landscape changed for many organisations and how this may further affect organisational cyber resilience.

Remote working and cyber risks
In terms of connecting to the organisation’s network, the rise of employees using their own devices to carry out their roles (particularly if the organisation had been desktop-based) raises the potential for less secure devices to introduce vulnerabilities.

Incorrectly configured VPNs can create a false sense of security at best and expose the organisation’s networks to insecure personal devices at worst. The use of virtual machines or secure corporate devices, when properly configured, can mitigate the threats to confidentiality as users connect their devices to the network. With the rise of a huge variety of online collaboration tools, new vulnerabilities are created in which data may leave the firm in various ways (for example, through file-sharing applications). Therefore, there has been an increase in attack vectors that could lead to the exposure of information. Organisations have to balance security and flexibility; locking down the use of any collaborative tools, for example, prevents data leakage outside of trackable means such as emails - but runs the risk that employees will feel overly constrained and resort to their own workarounds. These workarounds, which might include using their personal devices to join meetings on platforms not supported by corporate devices or using tools that are not approved by the organisation’s security function, are termed ‘shadow IT practices’ in that they are informal and not visible to security staff - who are then unaware of the vulnerabilities that may arise as a result.

Other risks relate to more human-centred issues, such as proximity to others. Employees should, in the organisation’s eyes, not share sensitive information with people around them. However, many people now live in house shares, posing the problem of others overhearing confidential information. This could be a particular issue for certain professions, for example if lawyers from competing firms live together.

With the blurring of employees’ work and home space, employees may have different security habits (for example, not locking their laptop when they leave their desk).

COVID-19 and the cyber threat landscape
There are many actors across the cyber threat landscape, from sophisticated state actors, to cybercriminal groups ranging across the full spectrum of capabilities, to terrorists and ‘hacktivists’, to a disgruntled employee with access to sensitive information or applications. Through COVID-19, there has been a steep increase in reported ransomware attacks, with users typically tricked into infecting their devices by COVID-themed emails with malicious executables. Similarly, COVID-19 ‘phishing’ emails have tricked users into entering their credentials onto malicious domains. There is also evidence that malicious cyber actors have been attempting to leverage remote access vulnerabilities, targeting both end-users’ devices and connectivity points (i.e. through VPN software) to gain access to organisations’ networks.


A screenshot of a scam email. Upon ‘accepting’ the email to register for the vaccine, users were asked to pay a fee. Image Source: Twitter 


Impact on employees  

In addition to the threat landscape and the move to remote working, which required technological changes for many companies, there have also been behavioural and mental impacts for those in the cyber security area. Prior to the pandemic, surveys demonstrated concern for the stress and wellbeing of Chief Information Security Officers (CISOs) (Nominet, 2019). The majority of the 800 CISOs in the Nominet survey reported being moderately or tremendously stressed in their day-to-day job. CISOs report working beyond contracted hours and not taking holiday or sick leave. Furthermore, the board consistently underestimates the impact that stress and long hours are having on the CISO. This then negatively impacts the organisation, as stress prevents CISOs from performing efficiently and can result in burnout (Nominet, 2019). The average tenure of a CISO is just 26 months.


Given the increased technological concerns and changing threat landscape discussed in previous paragraphs, the COVID-19 pandemic has likely aggravated the stress issue for CISOs and security teams. In fact, according to the ‘Cost of a Data Breach’ report by IBM (2020), 76% of respondents say remote work would prolong the time needed to identify and contain a security breach, while 70% said it would increase the cost of a breach. Moreover, CISOs now need to anticipate new and evolving opportunistic attacks, motivate their teams and motivate employees to behave securely.
 


There is limited research into how cyber security awareness training might need to be changed and developed to better aid employees. Cyber security practices in the home are different from those in the office, for example connecting to VPNs. Employees need to be trained in the new behaviours and practices they may need to adopt. Studies have found that remote employees differ from office employees in their perceived levels of security and privacy policy awareness and compliance intentions (Johnston et al., 2010). These findings suggest that the lack of direct support in remote environments reduces remote employees’ security awareness. Hence, this is another pressure for security awareness teams and the organisation as a whole.


Going Forward  

To date, the existing literature isn’t able to account for how employees react to prolonged mandated remote working in times of crisis. Research published before COVID-19 treats remote working as a positive attribute, an optional opt-in employee benefit, and there is little research examining the impact of prolonged crisis on employee cyber security approaches.

 

The research so far highlights the importance of recognising employees’ experiences through the pandemic, including but not exclusively security colleagues. Our current study involves interview outreach with CISOs across a range of sectors, looking at how their organisation has been impacted by remote working, in terms of cyber security, employee wellbeing, and perceived changes to organisational resilience. A white paper with the full findings of this project will be published in Spring 2021. 


References 
 
ENISA - European Union Agency for Cybersecurity. ENISA Threat Landscape 2020 - Ransomware. ENISA. https://www.enisa.europa.eu/about-enisa
 
IBM. (2020). The Cost of a Data Breach. IBM 

 

Johnston, A. C., Wech, B., Jack, E., & Beavers, M. (2010). Reigning in the Remote Employee: Applying Social Learning Theory to Explain Information Security Policy Compliance Attitudes. In AMCIS (p. 493). 
 

 


Comments

  1. I like the valuable information you provide in your articles. I'll bookmark your blog and check again here regularly. I am quite sure I'll learn many new stuff right here! Good luck for the next! .information security policy

  2. The information which you have provided in this blog is really useful to everyone. Thanks for sharing.
    Remote Access Solution
    Network Infrastructure Design and Build

  3. Israeli Lawyer Moshe Strugano says, The tendency for employees to connect to the company network using their own devices (especially if the company was desktop-based) increases the risk of vulnerabilities being introduced by less secure devices.

  4. Free and available Wi-Fi is always a nice bonus of visiting public places. In today’s world, almost every cafe, airport, restaurant, bar or club has the opportunity to use free Internet access using a smartphone or laptop. best cybersecurity company in United kingdom

  5. The information you are disseminating is excellent since you should think about how to secure your data from cyber attacks before beginning a new business. Skyline IT Management offers services like IT support and cyber security Edmond OK if you want to understand more in-depth.

  6. You provide really valuable information about cybersecurity topics. Cybersecurity is a field that deals with ways to protect systems and services from cybercriminal activities including spammers, hackers, and cybercriminals. While certain cyber security components are built to launch an assault right away, the majority of modern specialists are more concerned with figuring out how to safeguard all assets, from computers and cellphones to networks and databases, against attacks. You have really good knowledge about this topic. I am looking for managed cybersecurity services for my small company, please suggest to me.

  7. I really appreciate the hard work you have put into this blog. Thank you! You can check our cyber security solution services.

  8. Excellent work, but it's really challenging to locate a managed IT service provider Edmond OK, given the rising need for IT help.

  10. In today's world of digitalization, the need for cybersecurity has become more important than ever. As technology advances, so do the threats and risks of cyberattacks. This is why Cyber Security in Gurgaon
    APTRON is essential for individuals and organizations to keep themselves protected.

  13. Protect your business with top-notch cybersecurity solutions and 24/7 monitoring from a trusted Managed Security Services Provider (MSSP).


    WyDur's Managed Endpoint Security solutions offer advanced protection against cyber attacks. With our cutting-edge technology and experienced team, you can rest assured that your devices and network are fully protected. Trust WyDur to keep your business safe and secure.


    Managed Security Services in Hyderabad

  14. I appreciate you providing this useful blog piece. In our current digital landscape, the significance of Managed Cyber Security Services and remote work in Cybersecurity is rapidly escalating. It's fascinating to see how organizations are navigating the delicate balance between enabling flexible work arrangements and ensuring robust cybersecurity measures. I'm eagerly anticipating the full findings of the research project as well.

  15. Nice article, thank you for sharing the valuable information.
    Best Cybersecurity Services.

  16. Thanks for sharing this article about the cyber security and trendzguruji.me cyber. I really enjoy reading and also appreciate your work. You are provided very good knowledge.

  17. Comprehensive Cybersecurity Solutions for Business Continuity

    Cybersecurity services offer comprehensive protection for businesses, safeguarding data and systems from cyber threats. This encompasses proactive measures like vulnerability assessments and employee training, alongside reactive incident response to swiftly recover from attacks.

  18. This is one of the most incredible blogs I've read in a very long time. The amount of information in here is stunning,penetration testing company india

  19. Explore the intersection of remote working and cyber security with insights from Georgia Crossland and Amy Ertan. Learn how SAITECH INCORPORATED is at the forefront, empowering businesses to navigate the evolving landscape of remote work securely, safeguarding data and networks against cyber threats.

  20. Remote working is seamless with experts like Georgia Crossland and Amy Ertan ensuring top-tier cyber security. Their dedication makes remote collaboration safe and efficient Outsource Sharks Corporation







