The events of 2020 could very well have a lasting effect on the way in which small- and mid-sized businesses (SMBs) work and do business. In a June survey of 127 company leaders representing HR, Legal and Compliance, Finance, and Real Estate, for instance, Gartner learned that 82% of respondents intended to permit remote work for their employees at least some of the time during the transition back to their offices. Approximately half (47%) of survey participants went on to say that they’d allow employees to work remotely full time going forward, while slightly fewer said that they planned to offer flex days (43%) and flex hours (42%).
To accommodate full-time remote employment and flexible work options, many organizations are re-evaluating their plans to migrate to the cloud. A majority (87%) of global IT decision makers said they believe that the events of 2020 will accelerate organizations’ migration efforts, reported GlobeNewswire. This view could explain why nearly three quarters (74%) of respondents thought that 95% of all workloads will be in the cloud within the next five years.
Changes Beget Digital Security Challenges
The changes discussed above promise to revolutionize what an ordinary workday looks like for many organizations. Along the way, however, they also introduce digital security risks with which all organizations, including SMBs, must contend going forward. Indeed, the interconnection and integration of modern networks is both a great strength and a great weakness for organizations. The wealth and volume of information that can pass between systems creates vast efficiencies, but because so many more systems are involved, the number of potential unauthorized entry points increases. In addition, when systems are connected, a single event can affect more of them, compounding the impact of an incident.
Remote work and an accelerated migration to the cloud are contributing to this growth of systems and potential unauthorized entry points, a development which feeds the dissolution of the traditional network boundary. People are attempting to connect using various types of devices that are connected to a variety of Wi-Fi networks. This makes it difficult for security professionals to use trust as a means of safeguarding the organization against digital attackers.
Not only that, but many IT leaders think that remote work might affect employees’ levels of security awareness. More than four-fifths (82%) of IT leaders told Tessian that their employees were at greater risk of a phishing attack in a remote work environment, for instance. Those decision makers weren’t wrong; three-quarters (75%) of employees admitted to receiving a phishing email between March and July 2020, and slightly less than that (68%) said that they clicked on a link or downloaded an attachment in the email.
Part of the issue here is that digital attackers ramped up their efforts to prey upon organizations’ remote workers and cloud services during the pandemic. According to PR Newswire, the FBI’s Cyber Division received as many as 4,000 complaints of digital attacks through the first half of 2020, up 400% from what investigators saw the year before. Similarly, when organizations increased their use of cloud services and collaboration tools, malicious actors followed suit. Health IT Security wrote that nefarious individuals’ attacks against those platforms grew by 600% between January and April 2020. Most of those attacks involved excessive use of an anomalous location and “suspicious superhuman” attempts where malicious actors attempted to authenticate themselves from multiple, geographically distant locations.
Physical Security Also Affected
Digital attacks aren’t the only types of threats confronting organizations during times of remote work and increasing migration to the cloud. Physical security also comes into play. To be sure, with more people working from home, necessary physical security controls might be lacking on the corporate network. There could be fewer security guards preventing unauthorized individuals from physically accessing executive offices and other areas of the organization, as an example. Consequently, if employees are working more flex hours and days, they might not think twice about holding the door for someone they don’t know at the office. That individual could be a new hire whom they haven’t met yet, as far as they know.
There’s also the issue of data security if employees end up taking their corporate devices home with them or use their personal devices to do their work. As noted by Hicks Morley, employees might misplace their devices, or they could create the possibility for malicious actors to steal their devices if they leave them in an unlocked car. In either scenario, nefarious individuals could use those devices to gain access to an organization’s network.
These and other types of physical security incidents weren’t theoretical in 2020. One in five respondents to a 2020 survey said that their organizations had experienced more physical security incidents than the previous year, reported Dark Reading. An additional one-third of survey participants voiced their belief that they would see incidents increase in 2021, while two-fifths of respondents said that they were planning on changing their physical security strategy to include more video cameras and security guards in their fight against break-ins and theft.
How SMBs Can Defend Against These Types of Threats
Protecting these systems from threats outside the authorized portion of the SMB involves both vigilance and practical controls on the boundaries that protect them. First, SMBs might be inclined to move away from a perimeter-based network model to a trust-based network model. They could seek to build a zero-trust network, for instance, that relies on Single Sign-On (SSO), multi-factor authentication (MFA) and micro-segmentation, among other security controls.
As for their physical security, SMBs need to consider implementing solid monitoring and process validation controls, if these are not already in place, to support the continued effectiveness of physical access controls for cyber assets, especially key data and networking assets. They can also look for incremental process improvements and efficiency gains in other areas of boundary defense. This could involve issuing guidelines and awareness training to employees about their employer’s physical security, wrote DZone.
This is a lot for SMBs to do on their own. Fortunately, they don’t have to go it alone. They can work with a managed services provider. In particular, ITEGRITI’s vCISO services can help organizations with their strategic planning, governance, and oversight in their efforts to align their security initiatives with their business risks and objectives. ITEGRITI is also capable of helping organizations build an asset inventory, reduce their attack surface, converge their physical and cyber security controls, and develop digital security awareness training materials.
To get started, SMBs need to gain an understanding of their risks. They can understand their current risk exposure by taking our Cybersecurity Risk Assessment. These risk assessment questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. They will receive a copy of the risk baseline report and a cybersecurity maturity score based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.
Organizations can learn more about their risk baselines by taking ITEGRITI’s assessment here.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security