Hybrid working models come with a number of challenges. IT security is one of them. In an interesting interview with Markus Guenther, IT security consultant at Temet, our co-founder Fabian learned about the related risks and what to do about them.
Fabian: 2020 was an exceptional year in many aspects. The pandemic forced many companies to think about hybrid working models. According to our recent study, in which 841 companies participated, 61% of all participants rated IT security as a key challenge related to hybrid work models. Does your experience confirm this number?
Markus: Yes, absolutely. Within a short period of time, many companies had to empower their employees to work from home. Unfortunately, IT security and especially awareness for this topic was often neglected, although it is even more critical when employees work from home. Among others, a recent study by Verizon, which globally investigates security incidents, points this out.
Fabian: Is there a reason why you emphasize security awareness?
Markus: Absolutely. Employees played a key role in 85% of all incidents studied. Too often, organizations focus only on the “machine”, but not its users. Attackers, however, turn the tables precisely the other way around. Why? Because it works – especially in home office set-ups.
Fabian: What specific risks arise in home office set-ups?
Markus: The same as in the office. But they can look different. Social engineering, the exploitation of human weaknesses, is always an issue. This includes phishing, i.e., luring and deceiving by email. But you should also look closer at human errors.
Fabian: Phishing, is that still an issue? What can you tell us about phishing in the context of home office?
Markus: The number of incidents in which phishing played a role increased significantly compared to 2019, which is not surprising as digital communication increased a lot. These were invitations to criminals to try their luck.
Fabian: What is different when working remotely?
Markus: Various aspects come together here. On the one hand, distractions are often greater when working from home compared to working from the office. On the other hand, Bring Your Own Device (BYOD) issues are a big challenge. In a classic corporate world internet access is restricted, the work device is specially secured, and access to private email inboxes is not possible. With BYOD there are often no limits. As a result, anyone who quickly reads a private email can install malware affecting the company. Moreover, with BYOD I have fewer possibilities to notice such incidents. By the way, 60% of incidents with a social engineering background are not detected by my internal IT. And even if employees recognize potential phishing emails, they often don’t know where and how to report them – especially since you cannot just ask a colleague when working from home.
Fabian: But no one can forbid me private usage on my personal devices.
Markus: That is correct. Here, too, it is essential to keep awareness high. Phishing simulations should not be exposed under any circumstances, on the contrary. The probability of phishing right now is pretty high – let’s be aware that employees need to be sensitized. At the same time, phishing simulations must always be conducted at the right level to not overwhelm employees. A so-called teachable moment helps and avoids frustration. Especially in remote set-ups, however, it is a challenge to reach employees. Posters? Don’t work. Newsletters? Just one more mail in the inbox. E-learnings? Must first be accessible from home.
Fabian: I see the problem. In your experience, what are efficient ways to educate employees who work from home on IT security?
Markus: Why not send a DIN A6 reminder to employees’ homes by post? All in compliance with data protection regulations, of course. The topic of “security at home” also offers the chance to find open ears. If I understand how I can protect myself at home – privately – then I can also use this knowledge for my work. Additional offers such as “how to protect my children’s devices” can be provided on demand. Comparative tests for antivirus (AV) solutions can be taken up and commented on in internal communication channels. Why not give away AV licenses for use at home? For a long time, this was quite normal for Microsoft Office. The fact that “home” and “office” are now merging brings new risks but also opens up new opportunities to make people aware of IT security issues.
Fabian: Understood. Let’s move on to the topic of human error.
Markus: Everyone makes mistakes, without third parties necessarily being involved. Everyone has probably forwarded an email to the wrong recipient at some point. But it is also possible to set up incorrect configurations, e.g., with cloud services. Potential attackers are just waiting for such errors and exploit them automatically nowadays, which is also reflected in the fact that 20% of all incidents are due to human errors.
Fabian: 20% sounds like a lot! How can you counter this risk?
Markus: Awareness! First of all, it is important to understand that security incidents do not only occur when smart hackers outsmart us. With human error, there is no third party attacking us – we are the cause. So, it is also our responsibility to avoid these errors whenever possible. Technology is of little help here. Someone once said: “Human problems require human solutions”. On the one hand, there must be awareness of possible errors, on the other hand, employees must be able to report observations and suspicions without fear. Error culture is an important keyword here.
Fabian: And what if something is misconfigured? In most cases, this will probably only be discovered when it is too late.
Markus: Correct, and that’s what you have to be aware of. Mistakes happen, but if you are aware of the potential consequences of the mistakes, you can better prevent them. I therefore recommend that you always ask someone else to check the settings if they are potentially security critical.
Fabian: What would be potentially wrong configurations in the home office?
Markus: In the classical corporate world, we live in a castle. Everything is provided internally. Outside are the bad guys. Today there is neither a wall nor a moat. Especially when working with BYOD at home and the employee configures devices himself, caution is required. I am thinking in particular of routers, wireless connections, but also the PC itself. Is virus protection installed? Is it up-to-date and correctly set up? What about local shares on the PC and on the network? Is some kind of desktop sharing used? It was this particular issue that increasingly led to incidents in 2020. Until now, the rule here was: It might be risky for private use, but good enough. Today, a company’s bookkeeping may run over the same network that children and guests use to surf. On the one hand, I, as a company, must use technology that conceals such things. But part of it will always remain in the hands of the employee. Again: Are the employees aware of what could happen or what dangers could arise? In addition, most service desks have so far blocked questions about private IT problems. “Please, no more!” But how does a service desk deal with this today? In times of home offices, this is, in my opinion, no longer up to date. Part of my IT is now outsourced to employees’ homes, and companies have to recognize and support this.
Fabian: So, if I were to summarize our conversation: The home office is a security nightmare?
Markus: Let’s call it another challenge of our digital world.
Fabian: Finally, two quick questions: What is the biggest IT risk related to home office set-ups?
Markus: Insecure BYOD. If the foundation is full of holes, I’m building on sand.
Fabian: And what is the most significant opportunity in the context of IT security?
Markus: The opportunity to draw attention and create awareness using private issues and thus improve IT security throughout the company – regardless of whether it’s the office or remotely.
Fabian: Thank you very much for your time and all the interesting insights!