Pandemic and smart working: the risk of cyber attacks has multiplied
Employees working remotely are an opportunity for increasingly organized and well-funded cybercriminals to exploit in order to gain access to sensitive networks and information.
Adriano SPADARI, June 10, 2021
With the pandemic underway, both private companies and the public administration have resorted predominantly to smart working: employees were forced to work from home, connecting to the intranet of their workplace where necessary to carry out the tasks assigned to them.
Smart working should consist of work performed without fixed hours or location, organized by defined phases, cycles and objectives; in practice, however, it often translates into teleworking: a remote job with the same hours as when the employee was physically at the workplace.
Unlike the corporate environment, where in theory all the physical and logical security measures are in place that guarantee a high standard of protection and the capacity to withstand and recover from IT incidents or data breaches, the home environment very often lacks most of the measures that best practices prescribe.
The state of emergency has in fact multiplied external access to corporate systems and networks, pushing workers for the most part to use home networks and their own devices, which are not always secure, and multiplying in practice the risk of cyber attacks.
Remote work would require (and here the conditional is necessary) an indispensable internal reorganization and, obviously, suitable IT tools; in their absence the infrastructure is exposed to new and different information security risks.
Insurance companies have in fact recorded over the last two years a significant increase in IT incidents, partly caused by growing interconnectivity and partly, indeed predominantly, by smart working: employees working remotely are an opportunity for increasingly organized and well-funded cybercriminals to exploit in order to gain access to sensitive networks and information.
In this very worrying scenario, human error is always around the corner: it takes only one careless employee opening the attachment or link in an enticing email and in a moment the entire system is compromised. The cost of managing a large data breach is rising dramatically with the complexity of IT systems and with the growth of cloud and third-party services.
Insurance can undoubtedly be a remedy, but the policy must be seen as the last in a series of measures, not as the only one that allows the customer to protect itself.
It is necessary to establish a policy of smart security: the provision of new safeguards or, alternatively, the adaptation of existing ones, so as to guarantee the operational continuity of the company in any case, which means redesigning some processes.
First of all, connection to the company system must be regulated. Given the massive use of personal devices, along the lines of what was once called the BYOD (bring your own device) model, their use must be regulated, as must the use of external peripherals.
Where suitable two-factor authentication systems, which require a security code or token in addition to the normal password, are not in place, the strength of the passwords used should be increased (length and uniqueness count for more than forced character classes), so as to make guessing them harder for potential attackers.
In addition, it is essential to keep work adequately separated from everyday personal use, avoiding the installation of unrelated applications on the devices used for work and the continual transfer of content, which could well be infected, between smartphones and PCs.
The employer must train the employee, or at least provide suitable means so that he can continue to work from home, and may then monitor work performance, provided all employees are made aware of it.
The use of systems that analyse and verify the actual presence of employees in front of the computer in order to assess their performance, if not fully regulated, carries the risk of breaching the principle of proportionality, leading to over-monitoring that could weaken their trust in the company to the point of possible disloyalty.
Finally, the company must continuously verify the adequacy of the security measures in place, those planned and those still to be implemented, always bearing in mind that, especially in such a scenario, they must not only address technical aspects but must inevitably also regulate the behaviour of operators.
Operators are in fact the weak link of the system, and often unknowingly so, through lack of expertise and prudence. A large proportion of security incidents and cyber attacks originate in some kind of human error.
According to the Polimi Observatory on Cybersecurity & Data Protection, in 2020 cyber attacks on large companies increased by 40% compared with the previous twelve months. There were about 85,000 attacks on the weakest link in the chain, the employee working from home, hitting the endpoint.
Companies do not see security as an area in which to invest for long-term benefits, and this is reflected in their inability to cope with intrusions and vulnerabilities, to the point that they often do not even realize they have been victims of a breach. Today we are no longer talking only about the niche of companies active exclusively in ICT: with the transition to IoT and Industry 4.0, the risk is of bringing manufacturing industries to their knees as well.
On the one hand, companies have the duty to secure, in IT terms, the employee's workplace, even when remote, by providing adequate hardware and software; on the other hand, the employee has a duty of diligence towards the company and must therefore comply with all requirements and adopt all the necessary security measures.