The outbreak of the coronavirus pandemic has triggered the greatest upheaval of modern life in generations. In response to the pandemic, governments have enforced lockdowns to place limitations on our movement and reduce the risk of infection. Many businesses have been forced to swiftly transition to remote working models as a result. Such rapid change has created a wealth of new opportunities for cyber criminals to exploit vulnerabilities in a company’s cyber defence system. Whilst this move is challenging for organisations of all sizes, SMEs are particularly exposed as only 46 per cent report having a formal cyber security policy in place. At this time of heightened risk, it is crucial that cyber security is front of mind for businesses of all sizes and they take steps to protect their cyber health.
Risks of going remote
Whilst remote working has been a necessary measure in the fight against COVID-19, it has denuded several layers of security normally provided by the office environment. Many employees are now working across multiple devices, including personal ones connected to shared networks. They have become reliant on video conferencing and collaborative platforms to share sensitive communications.
Home WiFi networks frequently use basic or factory-standard passwords which are more vulnerable to hacking, whilst shared network environments open the possibility of multiple unprotected connections. This risk is heightened by the strain that such a sudden influx of remote endpoints can cause to a company’s infrastructure. Cyber criminals, aware of these vulnerabilities, are using them as fresh avenues for exploitation and extortion. In March alone, there was a reported 400 per cent rise in cyber attacks globally.
Spotlight on SMEs
With remote working causing unexpected strain upon a company’s cyber defence system, SMEs in particular may find their cyber security protocols are no longer capable of supporting and protecting their operations. Firstly, to address this growing problem, businesses should conduct a thorough vulnerability assessment. This will show where the business stands in terms of their cyber security exposure by assessing the current state of their security infrastructure. This will inform of the necessary steps required to secure their data.
The first step is to ensure the use of a Virtual Private Network (VPN), which is a highly effective way to enhance digital security. A VPN establishes a secure, private connection between the organisation’s servers and the home and encrypts all the data sent between the points. This ensures the integrity of the data and that the connection is bona fide. The added advantage is that the connections can be disabled quite easily and so if there is a network problem, endpoints can be isolated and removed from the equation.
Endpoint Detection and Response (EDR) software should be implemented in tandem with the VPN.
EDR software is a relatively simple and cost-efficient way of uncovering and being alerted to potential cyber attacks. Companies with EDR software installed can feel safe in the knowledge that their network perimeter is safeguarded against threats. An added benefit of this measure is that IT teams will have greater capacity to handle commonplace IT problems.
The weakest link
Whilst this is a solid starting point, the greatest weakness in a company’s digital armour is often its own employees. More often than not, a cyber security breach is the result of human error or phishing attacks, which rely on ignorance or naivety for success. Usually taking the form of an email, they can be constructed swiftly and distributed widely within seconds. Such emails deploy social engineering tactics to manipulate the recipient into engaging with links or downloads that contain damaging code. This was already a major issue before the coronavirus pandemic and in 2019, 80 per cent of businesses were targeted.
Now, cyber criminals are harnessing the confusion of the current climate and posing as official bodies such as the World Health Organisation (WHO), the UK government and the NHS. By offering financial aid, relief or information about coronavirus, scammers lure employees into downloading malicious software or revealing sensitive data such as login credentials and credit card details.
The fallout from such an attack can be financially devastating and cause lasting reputational damage. A key part of mitigating this risk is equipping employees with the knowledge and tools to protect themselves, and the business. Robust and comprehensive training empowers employees to spot, report and remove suspicious emails, protecting their company’s digital integrity. Most recently, the Government’s National Cyber Security Centre (NCSC) launched a suspicious email reporting system. This, combined with a strong understanding of the company’s cyber security policies and escalation procedures, will foster the growth of an organic internal security system.
Yet these simple measures are not always implemented. Despite the growing risk and dangerous outcomes, a Make UK survey revealed that one in three businesses do not provide any form of cyber safety training to their employees and 50 per cent lack the means of tracking their security infrastructure. Cyber security is not being taken seriously by board members. This is particularly prevalent in SMEs where only 38 per cent have board members or trustees responsible for cyber security. With the move to remote working and increased reliance on digital structures for communication, operations and financial transactions, it is paramount that cyber security is a top priority for senior management and the board. Just one compromised account could bring productivity and operations to a halt. When this happens, it is the board who will be held accountable. The fact is, the average cost of cyber incidents for a UK company is $243,000. Given the current reliance on digital infrastructure, this cost would likely be even higher today. The question for board members then, is whether this is a risk they can afford to take.
It is critical that SMEs fully consider the steps outlined above and implement them in order to establish appropriate cyber security awareness and protect themselves from the risk of a breach. The move to home working has raised concerns about our digital health, as criminals ramp up operations to exploit the vulnerabilities exposed by remote working. Network insecurities and phishing attacks are preventable threats, but they need to be treated with the seriousness that they warrant. In doing so, businesses protect their cyber health and safeguard their future.