British Assessment Bureau: Covid-19 Remote Working Looks Successful Until the Data Breaches Hit

One of the biggest changes that has come about due to the Covid-19
pandemic is the pivot to remote working, with the majority of
people across the country working from home. However, with this
transition also came a lot of friction, with cybersecurity at the
forefront of many people’s minds.

Mark Nutburn is the Group IT Director at the
British Assessment Bureau. He has over 20 years of
experience within the Certification industry and has developed
cloud-based software solutions supporting a variety of assessment

Here he shares his thoughts on remote working and its effects on

Mark Nutburn, Group IT
Director, British Assessment Bureau

Of all the changes the coronavirus pandemic has forced on
businesses, the abrupt lurch from office to remote working within
the space of a few weeks early in 2020 must rank as the most

Remote working isn’t new, of course. But, until 2020, most
businesses were largely supporting a small subset of mobile
employees working in the field. As pretty much every business that
tried it has since discovered, there’s a big difference between
this and offering the same remote access to every worker with no
investment, planning cycle, or ‘what might go wrong’

Anecdotally at least, plenty has gone wrong. Early on, many
employees didn’t have the right equipment for home working, or
even a desk to work at. Others couldn’t authenticate themselves
to the network, or access important applications too old to be
hosted in the cloud. Many organisations lacked enough VPN capacity
to support lots of people. Then there’s been the unproductive and
sometimes insecure toil of Zoom unleashed on employees who still
rate video conferencing as a last resort.

But there’s a bigger anxiety out there that’s yet to be
fully processed: the effect of remote working on cybersecurity.
It’s easy to assume that the effect has been negative because it’s
not hard to believe employees are less secure when accessing a
corporate network from their backroom across a public network, even
when using an encrypted VPN. However, to date, the evidence is largely
an extrapolation of lessons drawn over many years supporting small
numbers of employees remotely plus a handful of PR-driven

For example, a May survey by security company Pulse Secure
found high levels of concern among US-based executives that remote
working would increase data leakage and weaken compliance with
regimes such as GDPR, PCI-DSS, and HIPAA. An August report by
Malwarebytes confirmed much the same message, with one in five of
those asked believing remote
working would lead to a security breach of some sort. These
conclusions sound plausible, but we need to remember that security
companies are not disinterested observers. If there’s no problem
to solve, there’s no sale.

In the end, it’s about preparedness and planning, which takes
longer than most people realise. On any computer, only one thing
needs to go wrong for that to lead to disaster, be that a
successful phishing attack, rogue link followed, or malicious app
inadvertently installed. There’s no reason why this is harder to
defend against for remote workers than those in the office if
companies have invested in the right security systems to react
quickly to missteps. The problem is that not enough have because
they have been conditioned into seeing remote working as a
specialised use case that attackers are less interested in.

That assumption doesn’t scale well when you’re defending 10
or 20 times as many workers seven days a week. Where does this
lead? Given that there is now plenty of reported evidence that
attackers have modified their attacks to target home offices
(plausible lures including ‘please reset your application
password’ and ‘watch this CEO video on redundancies’), the
answer is, tragically, more data breaches.

Breach déjà vu, all over again

The world is already overrun with data breaches as it is, so the
idea of adding more to the list is hugely depressing. Cyber-attacks
have numerous complex outcomes but it is hard to imagine one that
is more long-lasting than a data breach. If malware hijacks a PC,
that can be cleaned. If ransomware locks data, companies have the
possibility of recovery. A server hit by a DDoS attack can be
restarted or the traffic sent to a sinkhole. Data breaches don’t
work like that – once a criminal knows someone’s name, social
security number, home address, or has stolen company IP, that data
becomes public forever.

In the last decade, data breaches have grown from something that
happened a few times a year into something so commonplace it barely
elicits comment. In the early days, the world reacted to these with
horror but this quickly turned into mesmerised indifference as
their number surged. Breached companies haven’t helped, with too
many relying on complacent platitudes about customer security being
a top priority just after suffering an attack that suggests the
opposite. Others, meanwhile, have entered a state of denial,
claiming that ransomware attacks aren’t the same as data breaches
on the absurd basis that they failed to find any notifiable
evidence data was stolen (the rapid rise in double extortion
attacks during 2020 trashes this daft assumption).

The problem with data breaches is that you can’t see them
until it’s too late. Indeed, in many cases, the victim
organisations don’t discover breaches at all and only realise
something has gone wrong when third parties spot data on the dark
web or processors phone up with bad news about strange spikes in
credit card fraud. Too often they’re invisible until suddenly,
horribly, the truth dawns.

Right now, for a world unprepared for mass remote working,
it’s hard to imagine a worse environment for oversight than a
workforce that’s sitting at home struggling to follow rules and
policies, assuming they understand them at all. Many organisations
can’t easily monitor what their employees are doing or not doing,
nor constrain where data is shared, saved, and viewed. Pandemic IT
was never going to be a pushover but if history offers us any
learning it’s that the worst might still be to come.

The post British Assessment Bureau: Covid-19 Remote Working Looks
Successful Until the Data Breaches Hit appeared first on The
Fintech Times.