The pandemic saw high-profile cyber-attacks in the UK set a new record, with headlines becoming a daily occurrence in 2021 and beyond. As more businesses embrace a hybrid working model post-Covid, managing employees’ security habits is a bigger challenge than ever, explains John Edwards, CEO of The Institute of Financial Accountants (IFA).
The link between Covid-19 and unprecedented levels of cybercrime is by no means a weak one, with online fraudsters and scammers taking full advantage of global pandemic fear and a reduced level of security at some companies, resulting from the unexpected and rapid rise in homeworking. When it comes to the alarming statistics and reports around cybercrime, it appears that no industry or sector has survived unscathed, with attacks often crippling victims’ IT systems and forcing them to pay out huge ransoms to get back online or see their data returned. Such is the threat that cyber security was listed as CEOs’ top issue in KPMG’s 2021 CEO Pulse survey – beating regulatory, tax and supply chain concerns.
Given the coverage of such large-scale attacks, there might be the misconception that cyber-attacks or data breaches only happen to larger companies. Yet large and small organisations are equally at risk of suffering a cyber-attack.
A perfect storm
The disruption of the pandemic, combined with establishing a new remote workforce, has resulted in a surge of sophisticated cyber-attacks and breaches. Recent research shows that 86% of UK cyber security professionals said attacks increased due to employees working remotely.
Similarly, the rush to establish remote workforces led to organisations inadvertently relaxing security or misconfiguring devices. These gaps in traditional cyber defences, combined with changing working patterns and employee behaviour that make it more difficult to spot potential attacks, meant that Covid-19 created a ‘perfect storm’ for cyber-attacks. As such, two in five businesses and more than a quarter of charities have recently reported having cyber security breaches or attacks, according to figures from the UK Department for Digital, Culture, Media and Sport (DCMS).
Now, as businesses return to the office post-pandemic, the return has also paved the way for hybrid working, with a mix of staff office-based and/or remote-based. This continues to place firms in a vulnerable position, with a call for them to focus now more than ever on their bespoke security needs as businesses’ IT architecture becomes more complex. According to research by FreeAgent, some 79% of accountants are seeing an increase in flexible working post-pandemic.
What can firms do?
According to DCMS, the most common breaches or attacks in the UK are phishing emails, followed by instances of others impersonating their organisation online, viruses, or other malware including ransomware.
Where a breach has resulted in a loss of data or assets, the average cost of a cyber-attack on a business is £8,460. This figure rises to £13,400 for medium and large businesses.
In addition: “Statistics show that 60% of small organisations go out of business within six months of experiencing a cyber-attack, so keeping your business secure is of utmost importance,” says Lisa Ventura, CEO and founder of the UK Cyber Security Association. She says there are a few steps you can take to help protect your business and reduce the risk of a cyber-attack.
- Back up data
All businesses, no matter what their size, should take regular backups of their important data, and ensure that these backups are recent and can be restored quickly and easily. Doing this ensures that businesses can still function following the impact of flood, physical damage, fire, theft or cyberattack.
- Protect the business from malware
Malicious software, also known as malware, is software or web content that is designed to harm businesses. Viruses, one of the most well-known forms of malware, are self-copying programs that infect legitimate software. To help prevent malware from damaging an organisation, antivirus software should be installed and turned on, all IT equipment must be kept up to date through patching, staff must have controlled use of USB drives and memory cards, and firewalls should be switched on.
- Keep smartphones and other devices safe
Mobile technology is a critical part of today’s business operations, with more of our data being stored on tablets and smartphones. To help secure tablets and smartphones, password protection should be switched on, and employers must ensure that lost and stolen devices can be tracked, locked, and wiped. Devices and apps also need to be kept up to date, and devices should never be connected to unknown Wi-Fi hotspots. Mobile antivirus can also provide an extra layer of security.
- Use strong passwords to protect data
Passwords, if they are implemented correctly, are a free, easy, and effective way to prevent unauthorised users from accessing devices. When implementing password policies, it is important to make sure password protection is switched on, two-factor authentication is used when available, use of predictable passwords is avoided, and all default passwords are changed.
- Prevent phishing attacks
In a typical phishing attack, scammers send fake emails to thousands of people asking for sensitive information such as bank details or containing links to malicious websites. These emails are designed to trick people into sending money, or to steal details to sell on. There is a limit to what firms can expect their users to do, but accounts can be configured to reduce the impact of successful attacks. Organisations should also check for obvious signs of phishing, report all attacks to the NCSC via report@phishing.gov.uk and check their digital footprint regularly.
NCSC Cyber Essentials
NCSC Cyber Essentials is a government-backed scheme that helps firms protect their organisation, whatever the size, against a range of the most common cyber-attacks. A readiness tool asks a series of questions to help prepare businesses to achieve the Cyber Essentials certification. The tool asks questions about use of hardware, software, and boundary devices such as firewalls, as well as use of passwords and protections against malware. Upon completion of the survey, organisations are presented with a bespoke action plan that outlines the steps needed to prepare for the certification process.