Remote working and Cyber Security: Georgia Crossland and Amy Ertan
Introducing the project
The move to remote working represents a huge shift for employees and organisations alike, with significant implications for cyber security. Amy Ertan and Georgia Crossland are currently working on a research project, in collaboration with the Research Institute for Sociotechnical Cyber Security (RISCS) and funded by the UK National Cyber Security Centre (NCSC), on the impact of remote working on cyber security and wellbeing. This blog post gives an overview of one section of this project: how remote working impacts cyber security.
In response to COVID-19, in March 2020, organisations across the world made the rapid shift away from physical office working to remote working, wherever possible. This shift has had a significant impact across many aspects of organisations. This blog post will offer a high-level overview of how the cyber threat landscape was impacted for many organisations and may further change organisational cyber resilience.
Remote working and cyber risks
In terms of connecting to the organisation’s network, the rise of employees using their own devices to carry out their roles (particularly if the organisation had been desktop-based) raises the potential for less secure devices to introduce vulnerabilities.
Incorrectly configured VPNs can create a false sense of security at best and expose the organisation’s networks to insecure personal devices at worst. The use of virtual machines or secure corporate devices, when properly configured, can mitigate the threats to confidentiality as users connect their devices to the network. The rise of a huge variety of online collaboration tools creates new vulnerabilities, as data may leave the firm in various ways (for example, through file-sharing applications). There has therefore been an increase in attack vectors that could lead to the exposure of information. Organisations must balance security and flexibility: locking down the use of any collaborative tools, for example, prevents data leakage outside of trackable means such as emails, but runs the risk that employees will feel overly constrained and resort to their own workarounds. These workarounds, which might include using their personal devices to join meetings on platforms not supported by corporate devices or using tools that are not approved by the organisation’s security function, are termed ‘shadow IT practices’ in that they are informal and not visible to security staff, who are then unaware of the vulnerabilities that may arise as a result.
Other risks relate to more human-centred issues, such as proximity to others. Employees should, in the organisation’s eyes, not share sensitive information with people around them. However, many people now live in house shares, posing the problem of others overhearing confidential information. This could be a particular issue for certain professions, for example if lawyers from competing firms live together.
With the blurring of an employee’s work and home space, employees may have different security habits (for example, not locking their laptop when they leave their desk).
COVID-19 and the cyber threat landscape
There are many actors across the cyber threat landscape: from sophisticated state actors, to cybercriminal groups ranging across the full spectrum of capabilities, to terrorists and ‘hacktivists’, to a disgruntled employee with access to sensitive information or applications. Through COVID-19, there has been a steep increase in reported ransomware attacks, with users typically tricked into infecting their devices by COVID-themed emails with malicious executables. Similarly, COVID-19 ‘phishing’ emails have tricked users into entering their credentials onto malicious domains. There is also evidence that malicious cyber actors have been attempting to leverage remote access vulnerabilities, targeting both end-users’ devices and connectivity points (i.e. through VPN software) to gain access to organisations’ networks.
A screenshot of a scam email. Upon ‘accepting’ the email to register for the vaccine, users were asked to pay a fee. Image Source: Twitter
Impact on employees
In addition to the threat landscape and the move to remote working, which required technological changes for many companies, there have also been behavioural and mental impacts for those working in cyber security. Prior to the pandemic, surveys had demonstrated concern for Chief Information Security Officers’ (CISOs’) stress and wellbeing (Nominet, 2019). The majority of the 800 CISOs in the Nominet survey reported being moderately or tremendously stressed in their day-to-day job. CISOs report working beyond contracted hours and not taking holiday or sick leave. Furthermore, the board consistently underestimates the impact that stress and long hours are having on the CISO. This then negatively impacts the organisation, as stress prevents CISOs from performing efficiently and can result in burnout (Nominet, 2019). The average tenure of a CISO is just 26 months.
Given the increased technological concerns and changing threat landscape discussed in previous paragraphs, the COVID-19 pandemic has likely aggravated the stress issue for CISOs and security teams. In fact, according to the ‘Cost of a Data Breach’ report by IBM (2020), 76% of respondents say remote work would prolong the time needed to identify and contain a security breach, while 70% said it would increase the cost of a breach. Moreover, CISOs now need to anticipate new and evolving opportunistic attacks, motivate their teams and motivate employees to behave securely.
There is limited research into how cyber security awareness training might need to be changed and developed to better aid employees. Cyber security practices in the home are different from those in the office, for example connecting to VPNs. Employees may need to be trained in the new behaviours and practices they have to adopt. Studies have found that remote employees differ from office employees in their perceived levels of security and privacy policy awareness and compliance intentions (Johnston et al., 2010). These findings suggest that the lack of direct support in remote environments reduces remote employees’ security awareness. Hence, this is another pressure for security awareness teams and the organisation as a whole.
Going Forward
To date, the existing literature isn’t able to account for how employees react to prolonged mandated remote working in times of crisis. Research published before COVID-19 assumes that remote working is a positive, optional opt-in employee benefit, and there is little research examining the impact of prolonged crisis on employee cyber security approaches.
The research so far highlights the importance of recognising employees’ experiences through the pandemic, including, but not exclusively, those of security colleagues. Our current study involves interview outreach with CISOs across a range of sectors, looking at how their organisation has been impacted by remote working, in terms of cyber security, employee wellbeing, and perceived changes to organisational resilience. A white paper with the full findings of this project will be published in Spring 2021.
References
ENISA - European Union Agency for Cybersecurity. ENISA Threat Landscape 2020 - Ransomware. ENISA. https://www.enisa.europa.eu/about-enisa
IBM. (2020). The Cost of a Data Breach. IBM. https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
Interpol. (2020). Global Landscape on COVID-19 Cyber Threat. Interpol. https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats
Johnston, A. C., Wech, B., Jack, E., & Beavers, M. (2010). Reigning in the Remote Employee: Applying Social Learning Theory to Explain Information Security Policy Compliance Attitudes. In AMCIS (p. 493).
Nominet. (2019). The CISO stress report. Nominet. https://media.nominetcyber.com/wp-content/uploads/2020/02/Nominet_The-CISO-Stress-Report_2020_V10.pdf