New hybrid work arrangements are one of the true boons of the pandemic, allowing millions of Canadians the freedom to do their jobs remotely, at least part of the time, cutting down on the commute to the office and its associated stresses.
But that long dreamed-of work-life balance achieved by employees doing their jobs on phones and laptops from pretty much anywhere is an IT nightmare for organizations that can no longer easily protect employees behind firewalls and other security measures on in-office networks.
“As soon as people were able to use their own machines, we now have put all company access and resources at risk,” says Cat Coode, founder of data privacy consultancy Binary Tattoo.
The Waterloo, Ont.-based cybersecurity and privacy expert doesn’t blame hybrid workers who were already adjusting to virtual office life. “How could you be expected to be an expert in everything and now all of a sudden you have to be your own IT manager on top of everything else?”
With hybrid working now likely a permanent situation for most organizations, there are a number of specific steps that can be done to limit cyber vulnerabilities.
Some are hardware-based, such as providing company-owned computers, smartphones and other devices to senior employees and those who routinely handle sensitive information. These machines can carry robust security with strict limits on who can use them and what they can be used for.
“If you own it, you are allowed to dictate what can be done with it,” she explains.
Cyber attacks are increasing in frequency and sophistication, according to recent KPMG Canada surveys of both large companies and small and medium-sized businesses. KPMG says smaller companies have made cybersecurity a priority while for many big organizations the issue often falls behind more immediate economy-related issues.
A recent Statistics Canada report found that 18 per cent of Canadian businesses suffered cybersecurity attacks in 2021, with large businesses hit hardest (37 per cent) compared with small (16 per cent) and medium-sized companies (25 per cent).
Companies cannot expect their employees to become cyber warriors, but education on digital security best practices, or “cyber hygiene,” should be shared with all employees.
The starting point is the institution of multi-factor authentication, or a two-step verification process for employees to log in to a company server or other digital resources, says David Shipley, chief executive officer of Beauceron Security based in Fredericton, N.B.
“If you don’t do your multi-factor authentication properly and you don’t educate your users to alert you when weird things are happening, you can end up with spectacular hacks like the Uber breach a couple weeks ago or Okta’s contractor breach back in the spring.”
Ride-share company Uber, which has suffered massive attacks in the past, and tried at least once to cover up a breach, suffered a more embarrassing attack this year through one of its contractor’s personal devices, likely infected with malware.
And increasingly, hackers are targeting cyber defenders, such as identity and access management provider Okta. Hundreds of its client accounts were accessed in an attack this year. In Okta’s case, it used multi-factor authentication, but employed a less-robust “push” or pop-up notification as a second step, says Mr. Shipley.
“We actually recommend that people move away from that and implement something that Microsoft calls number matching. Once you log in, your app will generate a number that you have to log in on your phone. It is much more secure.”
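To make the distinction concrete, here is an added toy model of the number-matching flow Mr. Shipley describes, written for this article and not code from any of the firms quoted or from Microsoft's product: the login screen shows a number, the phone prompt only succeeds if the user types that number, and an approve-only push is modelled beside it for contrast. Class and method names, the two-digit range, the attempt limit and the 60-second lifetime are assumptions.

```python
import secrets
import hmac
import time
from dataclasses import dataclass


@dataclass
class PendingLogin:
    user: str
    number: int      # two-digit number displayed on the login screen
    created: float   # challenge creation time (epoch seconds)
    attempts: int = 0


class NumberMatchingMFA:
    """Server-side model of a number-matching second factor (toy, added example)."""
    MAX_ATTEMPTS = 3   # assumption: lock the challenge after three mismatches
    TTL_SECONDS = 60   # assumption: a challenge expires after one minute

    def __init__(self):
        self.pending = {}   # challenge_id -> PendingLogin

    def start_login(self, user):
        """Begin a login: returns the challenge id and the number to show on screen."""
        cid = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self.pending[cid] = PendingLogin(user, number, time.time())
        return cid, number

    def approve_push_only(self, cid):
        """Contrast case: a bare 'Approve' button. Any tap approves the login,
        so a prompt the user did not initiate can still be accepted."""
        return self.pending.pop(cid, None) is not None

    def approve_from_phone(self, cid, typed_number, now=None):
        """Number matching: the phone must submit the number shown on screen."""
        now = time.time() if now is None else now
        p = self.pending.get(cid)
        if p is None:
            return False                      # unknown, consumed or locked challenge
        if now - p.created > self.TTL_SECONDS:
            del self.pending[cid]             # stale challenge cannot be approved
            return False
        p.attempts += 1
        try:
            typed = int(typed_number)
        except (TypeError, ValueError):
            typed = -1
        ok = hmac.compare_digest(f"{p.number:02d}", f"{typed:02d}")
        if ok or p.attempts >= self.MAX_ATTEMPTS:
            del self.pending[cid]             # one-shot: success or lockout consumes it
        return ok
```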
The costs of lax security can be high. Users may abandon providers after learning of a hack, and a company can lose key clients or face denied claims for damages from insurers.
Those factors have made companies reluctant to admit to being hacked or to paying ransom to cyber criminals. StatsCan recently found just 18 per cent of corporate victims of ransomware said they paid off their attackers, a percentage experts believe is far too low.
“No company wants to admit that they paid ransomware,” says Cara Wolf, CEO of Calgary-based cybersecurity firm Ammolite Analytx. She notes that successful ransomware raids are posted on the dark web, making them prime targets for new attacks.
She advises companies to educate employees on the risks that come with remote work and beef up their security generally. “It’s much better to prevent it, fortify your organization and network, and train your employees to prevent the ransomware attack in the first place.”
Her to-do list includes educating employees to adopt strong passwords and to not click on links contained in emails from outsiders, implementing two-stage authentication access, keeping devices password protected, and installing anti-virus and malware protection on all devices. “Phishing emails,” which try to look authentic and encourage you to click on a fake link, continue to provide hackers with easy entry through digital defences.
For companies, Ms. Wolf’s to-do list includes installing firewalls and perimeters for devices and software, establishing e-mail filtering and encryption protocols, ensuring data encryption of critical information as well as keeping an inventory of all devices used by employees for work such as laptops, phones and even Internet-enabled machines such as photocopiers.
“It is surprising how many companies don’t even do just these simple things. Taking care of the low hanging fruit and just doing these simple things gets you quite a bit further,” she says.
“The hackers are going to go where it is easier to break in.”
What specific steps can virtual workers take to become more cyber secure?
- Realize that public WiFi is public, and do not use it to log into existing accounts. If you must use public networks, use a virtual private network (VPN), says Ms. Coode.
- Use company-provided software and security tools and if those are not provided, use a VPN which can hide your IP address and send data more securely.
- When sending company emails or files, encrypt when possible.
- Install a password management program to create hard-to-break passwords. “A significant portion of people say they are just remembering their passwords, which means they are creating passwords that are just a couple characters different and are really easy to crack,” says Mr. Shipley.
- Guard your conversations and online activity at home and on the road. “It’s not just the digital eavesdroppers, there’s also physical eavesdroppers. They can be looking over your shoulder, they can be listening in on your phone conversation. You really have to be aware of your surroundings in airports or hotels,” says Ms. Wolf.
- Consider how much Internet you bring home. All those smart devices can let hackers in, and some even record your conversations or “accidentally” turn on cameras.