We wanted to understand the full impact the change to hybrid working has had on information security, so we spoke to a leading industry expert, Tim Rawlins, Senior Adviser and Director Security of the NCC Group. NCC Group is a global cyber and software resilience specialist and partners with Canon to deliver information security services.
How has hybrid working changed the threat landscape and how can companies adapt?
Do you think information security has been prioritised enough in the recent shift towards hybrid working?
“The simple answer is no. The move to hybrid working involved a rapid change and has created something of a security debt. Security short-cuts were taken to keep the business going at a time of crisis. Now that debt needs to be paid back to keep organisations resilient.
One of the key challenges is the ability to detect an attack and recover effectively – being able to detect negative activity across a network that’s no longer ring-fenced by everybody being in the office. The perimeters of your boundary have become blurred, and it’s much harder to work out what’s inside and what’s outside the network.
Organisations need a new mindset: assume your network is going to be breached, so your job is to figure out how you're going to detect and respond to that breach and recover effectively.”
You talk about a security debt – what does this consist of?
“During the rapid change of the first lockdown, all staff were invited to log in remotely, whereas in the past, you would have limited and controlled this process. Meanwhile, more employees started using their own devices, because many organisations had invested primarily in desktop computers for the office and didn’t have enough laptops to go around.
With all this going on, security standards sometimes slipped. Many organisations didn’t have a fully developed process for securing files. They were using tools like Dropbox, which wouldn't have happened in the past because everything would have been contained within the network.
There was a rush to put VPNs in place, but multi-factor authentication (MFA) was seldom used. Those that did introduce MFA didn’t always do it in the right places.”
You mention multi-factor authentication. Are there any other changes you've seen businesses adopt to ensure information security with hybrid working?
“We've seen a gradual increase in things like network segmentation. That’s dividing up your internal network so you can place more controllers and more protection around your key assets. With network segmentation, you can't move across the network in the way that you might do if you were inside the office. It’s a really good security measure.
Some companies have introduced software restrictions, limiting what software can run on the network. We’ve also seen organisations wake up to the fact that passwords need to be more complex. There’s been an increase in the use of password managers, which is a sensible way forward.
Of course, we’re now seeing a lot more cloud use and Software-as-a-Service. This raises the challenge of critical third parties that have a reach into your network. These are often service accounts that were set up years ago with a high level of access but with less secure passwords and no MFA. We’ve been encouraging firms to review all their service accounts, making passwords more complex and introducing MFA. This is basic cyber hygiene, but it’s just as important as some of the hi-tech innovation everyone talks about.”
So, how have things changed for companies in terms of increased security risks with hybrid working?
“Business e-mail compromise is one escalating problem. Hybrid working exacerbates the issue because you’re having sensitive conversations over email that you would previously have had in person. The bad guys can intercept emails, change the contact number and then you can find you’re giving things like bank account numbers to the wrong person. Solicitors have been caught out after being directed to put deposits into alternative accounts that turned out to be false.
With all these things, there is no magic bullet bit of tech that will solve your security problems. It’s all down to a combination of people, processes and technology.”
And what about new methods of attack prompted by hybrid working?
“So, we've seen an increase in social media attacks. LinkedIn has become a big one. You might get approached by a consultancy that wants to talk to you about your particular area of expertise. And with the rise of deep fakes, it's harder to spot a villain.
A lot of these individuals are using valid credentials to get in. They are looking at where usernames and passwords have been compromised in the past. Looking to see whether those have been reused. Looking at profiles on things like LinkedIn to create spear phishing emails aimed at that individual based on information they have gathered from Facebook or Instagram.
With the growth of hybrid working, we've also seen approaches on platforms like WhatsApp on mobiles. Many employees have Outlook and Teams on their mobiles now. So, if their mobile is compromised because they've clicked on a phishing link via WhatsApp then the whole network could be compromised.”
How important are the behaviours of people in the business for maintaining security in a hybrid world?
“They’re vital. You can always improve the security of your workspace, wherever that might be, which is something that we need to continuously remind employees about. Things like making sure sensitive business conversations don’t take place in unsuitable environments like cafes, trains or pubs. In public places, don’t walk away from your phone, wallet and laptop. Instead, make sure you use Windows Key + L to lock your password before you go off and get another cup of coffee.
And, because people don’t have an office phone anymore, they've been getting calls on their personal mobile numbers from active adversaries posing as network engineers, or similar, using slow internet speeds as a way into a conversation.
The other thing is, of course, if you are working from home, you need to remember, every so often, to connect to the corporate network to make sure you've got the latest group policies, the latest updates, and that you're backing up from your own system back into the corporate network.”
Why Canon
Canon partners with the leading industry specialists in information security, including NCC and McAfee. In the new era of hybrid working, Canon solutions and services help to secure documents and sensitive data throughout every stage of their lifecycle in your organisation: wherever information is accessed, managed and processed, it’s protected. No matter where you and other staff are working, our approach ensures security: information is protected from the office to the dining room table.
Canon is a leader in the IDC MarketScape for print and document security solutions and services, as well as in the Quocirca Print Security Landscape. Our technologies are built to be secure by design, taking the hard work out of keeping information safe by preventing attacks, protecting data, and maintaining and safeguarding compliance.
Information Security in Action
Find out how Canon technologies prevent everyday malicious attacks and accidental vulnerabilities – read Information Security in Action now.