NSFW(FH): How the shift to flexible work is transforming the cybersecurity landscape



You stare at your computer dumbfounded. Your accounts manager must be wrong! What do they mean, someone posing as you changed your direct deposit information? And why would I get hacked? For my measly expense reimbursement?

It almost sounds unbelievable, but this is precisely the kind of “cybermugging” leveled at small and midsize businesses across America. It’s the other pandemic, the digital twin to COVID-19.

Even before the pandemic began, some experts have maintained that we are entering a period of increased focus on cybersecurity akin to counterterrorism efforts in the years following 9/11.

Javed Ali, a professor of practice at the Gerald R. Ford School of Public Policy and an expert on counterterrorism and cybersecurity, has watched this trend for years. “I would argue, (counterterrorism) was the dominant national security issue for the United States, at least for a decade, if not more. And then, over time, other issues started to rise to the fore to include cybersecurity. And we're sort of in that same kind of catch-up mode on those topics the way we were in those early days after 9/11.”

Cybersecurity in a pandemic

Cyberattacks aren’t new by any means. Research by Hiscox shows that cyberattacks on businesses were growing before the pandemic. But the most recent report shows many are now suffering multiple attacks in a year.

Then what’s going on here? Working from home has forced a level of reliance on technology that was unprecedented before the pandemic, increasing the amount of information and data subject to attack. You probably don’t have the same level of security on your personal devices or networks  such as firewalls or password protection – that your company had.

Stress is also a factor. And who hasn’t felt the stress over the last two years? A recent study by Verizon shows physical information leakage has decreased dramatically, while social information leakage has increased. Work by Deloitte reveals that 47% of those surveyed had responded to a phishing scam during the pandemic. You guessed it. Many said that increased stress had been a factor in their mistake.

"It seems daunting, doesn’t it? Well, let’s be real. It is. But it’s not impossible. And not doing anything is an option none of us can afford."

And unfortunately, playing ostrich won’t solve the problem, despite what some of us hope. According to a 2020 IBM study, 8 of 10 workers believed their companies would be able to handle a cybersecurity attack in the remote workforce, even without having received any additional security training or instructions.

Whatever the cause, the results are too pricey to ignore. Deloitte notes that the average cost of an attack to a business is around $137,000. And work by Hiscox shows that these costs have been increasing since even before the pandemic.

Corporate cybersecurity meets national security

Sometimes the response to an attack causes more damage than the attack itself. The ripple effects have unintended consequences, Ali says. The Colonial Pipeline ransomware attack last year was an excellent example of this. The lasting damage was not caused by the attack; instead it came from a decision made by the CEO. “He shut the pipeline down without informing the federal government or anybody else. I’m not sure they thought about these . . . second and third order effects that were created.” Shuttering the pipeline for four days caused fuel shortages and airport disruptions nationwide.

This unilateral decision-making, and the consequences of those decisions, has made the government understandably nervous. Recently the federal government has taken steps to work more closely with the private sector on responding to cyberattacks. But Ali says the need to maintain a competitive edge in business makes companies reluctant to report. “The government would like to know in a more timely manner when all these stakeholders are being affected by cyber-operations,” says Ali. “But when you're dealing with the private sector, how you got breached could potentially open you up to liability, it could open you up to competition.”

The federal government has put into place guidelines and recommendations throughout its agencies. The Internal Revenue Service recently released a report on how the department’s thinking about cybersecurity has changed for remote workers. The Governmental Accountability Office has announced that while the shift to remote work has gone smoothly at other governmental agencies, security concerns now need to take precedence.

While the National Institute of Standards and Technology (NIST), the group in charge of creating standards and guidelines for all federal agencies, has created some guidance, unfortunately their latest official recommendations for using your own devices, remote work, and other related practices are from 2016. In other words, the dark ages.

The NSA has more up to date recommendations and best practices.

What can we do about it?

It seems daunting, doesn’t it? Well, let’s be real. It is. But it’s not impossible. And not doing anything is an option none of us can afford. Here are a few places to start.

Developing your own best practices to secure your organization against cyberattacks requires both contextual and technological strategies. Contextually, it’s important to make sure that wherever you’re working is secure. For example, remove any potentially sensitive information visible in your background if you are on a video call and remember that internet security is probably reduced when you’re working from a car or other public places.

Technology is your friend. Use password managers, secure connections, and software that has been verified by your organization on devices that have been approved. When in doubt always defer to the security experts within your organization.

Ali says that while where and how we work may be changing, the foundational security question remains: How much risk can you buy down by implementing security measures? Because just like with terrorism, “you're never going to eliminate the risk to zero.”


Nick Yribar and Hannah Davis provided editorial support for this story."