‘Adapt to survive’ has been the workforce mantra of the COVID-19 era, as staff in firms of all sizes have strived to adjust to new work styles based mainly at home; however, the same mantra has also applied to cyberthreats.
In June US cybersecurity specialist VMware Carbon Black published its latest Global Security Insights Report. Three-quarters (76%) of the respondents said that the number of cyberattacks they have experienced rose in 2020. Within that segment, 78% said that the incident rate had increased as a direct result of the home-working boom, while 79% said that attacks had become more sophisticated.
In his foreword, VMware Carbon Black principal cybersecurity strategist Rick McElroy writes: “Digital transformation programmes advanced rapidly as the cyberattack surface expanded to include living rooms, kitchens, home networks and personal devices.”
COVID-19 has indeed left an indelible mark, shaking the white-collar workforce free from the traditional berth of the office and reframing the home as the primary site of production. ‘Hybrid working’ is the buzz phrase on everyone’s lips.
But how can corporates avoid leaving a permanently open goal for cybercrime? That question is high on the agenda for Jason Harrell – executive director and head of external engagement at US post-trade financial services firm DTCC. As the company’s cyber resilience lead, Harrell is taking a keen interest in how cyberthreats are evolving in line with the hybrid-working boom. And the past 18 months have already produced some lessons.
“The shift from an ‘everyone at HQ’ model to a ‘corporate office plus an array of home networks’ set-up increases the available surface area for attacking the corporate network,” Harrell explains.
He notes: “At home, we have Internet of Things (IoT) gadgets, streaming TVs, mobile devices, smart-home features for tasks such as temperature control – all of which could be operating on the same network as hardware used to access the corporate office. Domestic devices’ security status is often unknown. And if staff don’t know how to protect those household devices, they will provide a vector for malicious actors to gain proxy access to the corporate network.”
Another factor that Harrell warns corporates to be more aware of is that stressed staff working from home could be more vulnerable to phishing, where hackers masquerade as trusted individuals or parties. “At home, there are more distractions,” he points out. “And with COVID-19 continuing to dominate the news cycle, this event will probably continue to be used as bait for links in phishing messages.”
Harrell advises treasurers: “For your domestic Wi-Fi networks, make sure you choose strong passwords and change them on occasion. That’s one simple way to prevent people from accessing your home network. Another is that if you’re not actually using your corporate device, just turn it off. Don’t have it active-but-idling on the network.”
From a management perspective, he urges: “Carry out checks on any relevant employee devices before they’re allowed to connect to your network, so you have some level of assurance around their baseline security.”
Patrick Verspecht is group treasurer at a multinational firm and a director at the Belgian Association of Corporate Treasurers. In his corporate work, he explains, his department managed to anticipate the COVID-19 era’s requirements for cyber resilience: “Our treasury team was prepared for an era of working from home, because in 2019 the business set up a contingency plan for remote working. Every member of the team now has a company printer, company cell phone and company notebook. Those devices all have network access – but we use a highly secure VPN to connect to people’s homes.”
In addition, he notes: “We launched cyber-fraud training for all our people across the globe. Periodically, we test our processes by simulating issues such as CEO fraud, fake emails and other security risks. The results are improving dramatically and we believe that we have the right tools and processes in place to protect us from those risks. Even while we acknowledge that a 0% risk environment does not, and will never, exist.”
In the long term, then, which cybersecurity considerations should be front of mind for treasurers as hybrid working cements its position as the dominant work style?
Verspecht notes: “The budget impacts of boosting cybersecurity may be higher than we expect. Perhaps we, as corporate treasurers, will need to invest in new tools, or review and update existing ones. Another major question that corporates must ask themselves is: do we have broad cyber coverage in our insurance? Very often you will need to purchase a separate policy. Last year I asked our broker if any of our policies would cover cyber fraud, and the answer was not fully positive. We do have comprehensive cyber insurance now – but we expect a double-digit rise in premiums this year.”
Turning to emerging threats, Verspecht says: “I see potential for risks to emerge from some of the new functionalities in cash management, such as instant payments for the euro area. That is something that corporates will need to monitor and prepare for. In parallel, it’s important to educate all of our employees about how different threats work and how they can be stopped or contained.”
On a broader level, Harrell notes: “Organisations must think about how to implement remedies in a meaningful and thoughtful way. Leaders must document the performance of their chosen solutions, and ensure they have understood the risk factors within their new working environment. They must also explore new technologies that boost resilience – for example, tools such as artificial intelligence, distributed ledger and the cloud. How can we better utilise those resources to automate activities and remove the human element?”
He adds: “My hope is that hybrid working will allow organisations to tap into talent that may not be resident near corporate offices, and that it will provide a healthier work-life balance. My concern is that there will be increased compromises of popular IoT devices, and that those devices will create new security breaches for corporate networks.”
Visit the ACT Cash Management Hub at: treasurers.org/research/cash-management-lessons-2021
You can find a Barclays guide on cyber fraud prevention at barclayscorporate.com/insights/fraud-protection
Matt Packer is a freelance business, finance and leadership journalist