Hybrid working is the future. That, at least, is the message being broadcast by the government and businesses as the UK slowly unlocks its economy after the pandemic. If the misery of lockdown has taught us anything, it is that office work doesn’t need to be completed in a building owned by your employer. Indeed, many prefer working from home. One survey reveals that 57% of people who were working before the pandemic intend to continue with flexible working patterns. As a result, almost two-thirds of businesses have said that they aim to facilitate staff working from home for at least part of the week.
There are obvious benefits to this approach for staff and their employers. An embrace of hybrid working, however, will weaken businesses in one key area, experts warn: cybersecurity. Already, three successive national lockdowns have broken the traditional model of defending against hackers by placing staff outside the hard outer shell of their corporate firewall. Many employees needed educating fast about how to properly secure their networks, a lower priority for IT departments amid the rush to set up the infrastructure to facilitate home working.
“We all know that many people don’t look after their own devices with simple procedures, such as antivirus, or even understand the compromise that can come with putting private data from the company on personal machines,” says Jake Moore, a security specialist for ESET UK. This, in turn, created whole new attack vectors for hackers, who no longer had to contend with strong corporate firewalls.
The result was an increase in cyberattacks of all kinds, on all types of businesses. “Overall, scammers have shown themselves to be opportunistic throughout the pandemic,” says Sarah Lyons, deputy director for economy and society at the National Cyber Security Centre.
Data is beginning to reveal quite how opportunistic they have been. According to one report by BAE Systems, 74% of the 902 UK financial institutions surveyed experienced a rise in cyberattacks. The frequency of phishing, ransomware, botnet attacks and Covid-19-related malware, meanwhile, rose by a third. This situation was mirrored in other countries. In Germany, cybercrime rose by 8%, with just under a third of cases being solved, while in the United States the FBI saw complaints about hacking double from 2019 numbers.
As businesses acclimatise to hybrid working, they will also need to develop a new model of defence against cyberattacks. A company can, after all, dictate rules on security hygiene to remote workers, but there is little that IT departments can do to enforce them, let alone know how many staff are abiding by them.
Cybersecurity risks of hybrid working
The same applies to cybercriminals. “Quite a lot of the time, these attackers have a day job,” says Vince Warrington, chief executive of cybersecurity firm Dark Intelligence. Lockdown gave cybercriminals the opportunity to hack during normal working hours, free from the prying eyes of office managers. It has also given them more time to research their targets, and how much ransom they’ll be willing to pay.
This has also led to an increase in another type of attack: the double extortion hack. If cybercriminals “can get inside the network beforehand and exfiltrate a lot of data, then they can hold that data to ransom as well,” explains Warrington. If an organisation refuses to pay the ransom to release its systems, the attacker also has the option of selling whatever intellectual property they have captured to interested parties on the dark web. “It’s almost the perfect cybercrime,” adds Warrington. “You’re almost always going to get some sort of result for your efforts.”
The imposition of home working at the start of the pandemic made it much easier for cybercriminals to sneak into corporate networks. Security hygiene among staff, for example, began to deteriorate. “Whilst you’re inside the hard shell, you can prevent people visiting dodgy websites,” says Warrington. “Suddenly, they found that their technology wouldn’t allow them to do that when they’re outside the office.”
Then came the pressures of home working itself. Numerous surveys have found that the mental health of staff suffered as employees came under pressure – sometimes self-imposed – to work longer hours than they ever would in the office. Others, meanwhile, found it difficult to balance work against childcare commitments and financial pressures arising from a partner losing their own job. In such an environment, people make mistakes: clicking CC on an email instead of BCC, for example, or clicking on links in phishing emails that they otherwise would have flagged as suspect.
“When we’ve got a home-schooling second-grader who is screaming about algebra, and how much they hate their teacher, and your dog, and you’re sharing your office, I guarantee you’re not paying attention,” says Dr Margaret Cunningham, a behaviour specialist at cybersecurity firm Forcepoint. “Because you can’t.”
Homeworking has also exacerbated another headache for IT departments: shadow IT. In March, a survey of 2,000 office workers by Forcepoint found that use of personal devices for work purposes was rife. “When we asked respondents the question, ‘Do you ever use a personal cloud to store corporate data?’, I was thinking max, 10% or 15% would say they did,” says Cunningham. “But we hit over 50% on average.”
This can fatally undermine the cybersecurity strategy of most IT departments. “You don’t know what anyone’s doing, you don’t know where any of your data is,” explains Cunningham. As a result, “you have a parallel company, and parallel IP, living in the free market”.
When asked why they use non-company tech, respondents often cited the poor reliability of the equipment and platforms they had been assigned. “That hits 30% in the UK and 46% in Germany,” says Cunningham. “That’s either because the company has no idea what [employees] need, because they don’t pay attention to human behaviour at all, or there have been some unanticipated impacts of being in a distributed workforce.”
IT departments may be tempted to implement a security stack that is much stronger and more controlling, says Cunningham. Doing so, she says, is only likely to inflame the situation if the hardware dispensed is still worse than what employees can source on the open market. “You can go ahead and impose your constraints and go as strict and compliance-oriented as a financial institution might, but all that does is limit your visibility on what people are actually doing,” says Cunningham. “Because I guarantee they’re text messaging each other pictures of screens.”
Addressing shadow IT usage, says Cunningham, will require continuous consultation with staff about what hardware and software suits their individual needs, in addition to fostering a more stable work/life balance. Putting the results of that into practice may prove expensive, but the move toward hybrid working means that the ground has already shifted under employers, says Cunningham. “There’s this big issue where we’re holding everybody to the same standards, but their actual environment is very, very different,” she adds.
Post-pandemic cybersecurity training
Cybersecurity training also needs to get smarter. Before lockdown, reminders to secure data could be found all around the office, from posters outlining data protection rules and company policies on what websites are suitable to visit, to the simple act of swiping a card key to gain entry into the building.
That psychological reinforcement disappeared with home working. Restoring it has proven difficult for some businesses. Earlier this month, West Midlands Trains provoked outrage among its workforce when it sent out a phishing test email disguised as an announcement about staff bonuses. After a year of financial volatility for so many workers up and down the UK, says Moore, there are more sensitive and effective ways to train staff.
“Short, 10-20 minute exercises in the form of fun quizzes and simulations” are often the best way for businesses to accomplish this, says Moore. Even so, acquiring the best third-party training software can be expensive, he concedes. Bad habits that workers have formed during lockdown may also be hard to shake.
Another concern is that, by disrupting established patterns of behaviour and interaction, hybrid working will open the door to new social engineering techniques. “One of the reasons we spot bad people is because they deviate from what our normal day-to-day routines are,” says Cunningham. With hybrid working, it will become much easier for attackers posing as the IT department to ring an individual, ask them to log into their VPN and share their screen. “And a lot of people are going to say, 'Yeah, sure'.”
The economic chaos wrought by the pandemic also had a part to play in increasing corporate vulnerability to cybercrime. The number of so-called ‘crime-as-a-service’ packages rose during the pandemic, as IT professionals found themselves furloughed or out of work. It also became more tempting for those who were still employed to let cybercriminals infiltrate their organisations. “People are feeling a lot more insecure about their jobs, and about their lifestyle,” says Warrington. And it has never been easier to access such services, often found on hacker forums on the dark web, easily accessed through the Tor browser.
Law enforcement: preventative, not proactive
Meanwhile, employees feel little danger that they will be caught granting criminals access to their employers’ systems. As cybercrime has risen, investment and focus among law enforcement in tackling the problem has remained low. As a result, the UK has become ‘a target destination for global fraudsters,’ according to a recent report from the Royal United Services Institute.
“The police try their best to take a proactive approach,” says Moore, who served as an IT security consultant with Dorset Police's digital forensics unit and cybercrime team. “Being proactive in the police force, I know first-hand, costs a hell of a lot of money.”
As a result, law enforcement has concentrated on prevention at the company and individual level, rather than proactively pursuing hackers. This approach does have merit, argues Moore. “If they get prevention right, they would be able to stop the majority of cybercrime offences happening,” he says.
Indeed, the NCSC has been successful in thwarting several cyber threats at the macro level, while providing businesses with useful advice to help protect themselves against smaller threats. “We have also worked with sector trade bodies and other leading sector organisations to provide bespoke tailored advice and guidance to their communities,” says Lyons. “Where possible, we have utilised our website, CISP platform, industry forums and board-level briefings to reiterate the challenges faced by organisations who are now working in a virtual environment.”
Even so, the perception that cybercrime is a relatively risk-free endeavour persists, helped by the low number of prosecutions for hacking. That isn’t likely to change any time soon, says Warrington. Simply put, he explains, it is hard for politicians to argue convincingly for proactive policing of cybercrime, which can seem abstract and distant, without also increasing funding to tackle burglary, sexual assault or murder. “Unless you’ve lost that money, you almost have no opinion on what law enforcement should be doing in terms of cyber,” he says.
As a result, the future appears grim to many of Moore’s contacts in the police. “Law enforcement are, quite frankly, scared of what the future holds, because there are so many tools out there helping criminals evade capture,” he says.
It remains to be seen whether the UK’s decentralised approach to cybercrime prevention will be sufficient in overcoming the deep structural weaknesses revealed during the pandemic, and extended by hybrid working. For the moment, though, it appears that the advantage has been squarely seized by cybercriminals, says Warrington: “We’re in the early phases of the hackers being dominant.”