All the talk about hybrid work largely comes down to one big question: What will happen when workers return? Companies should already know plenty about what happened when they left. If they don’t, they’re in big trouble. But the return is what hybrid is all about. And now that many businesses are starting to bring workers back, or are delaying plans to do so in deference to the Delta variant, TAG Cyber sent out a survey to ask about their views of cyber security in the hybrid environment.
Karen Painter Randall had interesting reactions to the results. She found many of the responses revealing, but she immediately homed in on who filled them out: IT and security professionals. “When people start asking enterprises questions about their security and best practices,” she said, “they forget about the people who are actually holding the purse strings.”
In explaining what she meant, she pointed to the last question, which asked respondents whether they expected cyber security budgets to rise. Yes, they agreed: about 30 percent of them said “significantly,” another 42 percent said “somewhat.” “Well,” said Randall, “they’re not going to be able to do that unless they have the stakeholders on board, and the stakeholders understand what the mission is.”
Randall is actually somewhat optimistic on that score, following the ransomware attack on Colonial Pipeline. The repercussions of that event, and the vast publicity it attracted, seem to have awakened CEOs to the dangers, she noted. At least she hopes it has.
Randall is a senior partner at the law firm Connell Foley in New Jersey, where she chairs the cyber security, data privacy, and incident response group. She’s been steeped in this area for years, and has a special expertise in ransomware. Looking out on a remote workforce preparing to return to the office, she sees flashing red lights on the road ahead.
What should companies be considering at this juncture? “I think it’s very important to understand where their assets are,” Randall said. Where have their employees been? Have companies “taken an inventory of their devices? Have they rolled out the rules of the game, as I call it, with regard to what is appropriate and what is not appropriate usage of work devices?”
And then she added the big one: “What’s the rule on using personal devices?” Have employers been thinking about a possible day of reckoning when devices return to the office? Randall suspects many have closed their eyes. “Not knowing makes them sleep a little better at night,” she said, “but they’re going to be in for a rude awakening when their workforce returns.” Many employees have been working remotely since March 2020, often on personal devices that could have been infected with malware during that time, she suggested.
The survey found that 48 percent of the companies allowed employees to access managed applications from personal devices when working remotely. (The actual result may have been higher, since 10 percent of the respondents were unsure of their companies’ policies.) And 69 percent acknowledged that they were concerned about employees bringing infected devices into the office. Fifty-three percent of respondents expected an uptick of security incidents in the new hybrid environment.
If companies have not yet established return-to-work policies that cover devices and data protection, now is the time, Randall advised. The survey suggested that they’re off to a slow start. Only 22 percent have finished updating or reissuing their cyber security handbooks for hybrid work. Another 43 percent said they have done so, but only in part, while 10 percent said they plan to but have not yet started.
If it were up to Randall, her first rule would be this: “You cannot use your personal device while conducting business.” She believes the risks are simply too great. Employees will use chat apps, “which are a perfect conduit for an attacker,” she said. They will fail to update and patch devices. “Microsoft is rolling out patches all the time,” she noted.
At least on paper, there’s more support behind this idea than you might think. In our survey, 38 percent of the companies said they did not plan to allow employees to use personal devices in the office going forward. Thirty-four percent took the opposite position, and 28 percent hedged their bets by answering “it depends.”
What about enforcement? The concept is important, Randall acknowledged, but it’s not a word companies want to use with the workforce. “You want to cooperate,” she said. You want employees to “feel comfortable with the security awareness training.” You want them to report to IT if they click on a sophisticated phishing email.
But the company also needs to know about bad behavior. She cited a recent example that was brought to her attention. Randall was working with a client’s incident response team, and an IT employee had seen lax security practices from “some pretty key people in the organization.” The chief financial officer, who was also present during this conversation, was concerned, but the IT person was “dismissive,” Randall observed, even though he called the employees “repeat offenders.”
Randall found it disturbing. “You really need to hold them accountable,” she said. “It might be through performance reviews. It might be through a policy like three strikes and you’re out. Some organizations have that,” she noted, “especially health care and financial institutions.” Repeat bad behavior “puts the organization at risk.”
One way to mitigate that, of course, is through insurance. But cyber policies are all different, and underwriting standards are tightening quickly, “primarily because of ransomware,” Randall said. Companies will want to check to be sure they’re covered for hybrid work. This would be a good time to sit down with an experienced broker, she suggested, and take the opportunity to ask about ransomware supplements. Our survey showed that ransomware and phishing were viewed as the two threat vectors of greatest concern (by far) in a hybrid environment.
Insurance companies are spending more time examining security practices and verifying information, so it behooves companies to make sure they’re ready before they go out shopping. Multi-factor authentication is something underwriters expect to see, yet only 53 percent of our survey respondents said they had it. “If you don’t have that deployed at your organization,” Randall warned, “you’re not going to get that insurance.”