Close to a year on: the impact of furlough on cybersecurity

Open communication, support and guidance are all fundamental in building an efficient as well as security-conscious workforce, says Javvad Malik

We are rapidly coming up to a full year since the imposition of lockdown measures. That is, in the UK at least.

In that time, millions of lives have been significantly disrupted. Employees across the country have been furloughed; some have returned to work since, others have not returned at all, and some have returned only to be sent back home again. This back and forth of transitioning in and out of employment as well as the general uncertainty that shrouds our lives at present has made for a rather tumultuous year.

Indeed, a KnowBe4 survey of a thousand recently furloughed professionals, highlights how the return to work after a period of time away has provoked an emotional rollercoaster in itself. While a third felt happy or excited to return, another third admitted to feeling stressed or anxious. Often times, whether an employee felt one way or another had in part to do with how much support they received from their employers. For example, for those who conceded to feeling stressed or anxious, over half (57%) expressed that they did not feel supported by their employer, received little to no information or guidance and/or were not in regular communication with them.

Company loyalty

Inevitably, this is where company loyalty is tested. Without offering the necessary support to alleviate an already difficult situation, employers risk breeding fear, frustration and feelings of resentment among their staff. In fact, we are seeing this today, where as many as 28% of respondents have confessed to feeling less loyal to their employers since furlough. The implications of this could be dire, not solely for the general well-being of employees or the organisation’s operational performance, but for their cybersecurity too. They may neglect to keep their corporate devices secure, for instance, or be more willing to share passwords, perhaps they take company data straight to a competitor. Whether with malicious intentions or a new-found indifference towards the company’s security, less loyalty makes employees a notable insider threat.

To add fuel to the fire, many organisations have scarcely taken steps to harden their security posture despite a surge in cyber threats. One report after another have proven the persistence of cybercriminals this past year, as they leverage the chaos of this unprecedented pandemic. In the last six months alone, 25% of recently furloughed professionals have received a phishing email. Moreover, this only takes into consideration phishing emails relating to Covid-19 or furlough and it only accounts for emails that have been spotted; chances are, many have been missed altogether.

Indeed, throughout the entire fourth quarter of 2020, KnowBe4 noticed an increase in phishing emails being reported to IT departments related to remote working. Among the most popular subject lines, were titles referring to corporate policy changes such as ‘Changes to your health benefits’. While users appear to be getting more savvy at identifying ploys centred on the theme of Covid-19, many are being duped by security-related or HR-related notifications. In fact, 11% of employees have fallen victim to a phishing email titled ‘Vacation Policy Update’, another 11% to ‘Covid-19 Remote Work Policy Update’, and 10% to ‘Important: Dress Code Changes’.

Growing concerns

This is to say nothing of the adaptable nature of bad actors, who constantly seek new strategies to dupe individuals. Social media, for instance, is becoming a greater concern, where LinkedIn messages including ‘You appeared in new searches this week!’, ‘Please add me to your LinkedIn Network’ and ‘People are looking at your LinkedIn profile’ have made up 47% of social media phishing subject lines.

Facebook-related subject lines such as ‘Your friend tagged you in photos on Facebook’ and ‘New Sign-in To Your Facebook from Samsung Galaxy S4’, follow at 26%.

More recently though, as we become ever more dependent on video conferencing, we have seen a sharp rise in calendar invites as a carrier for malicious links. On average, it was found that individuals have been receiving unexpected meeting notifications twice a week. This is concerning as it only takes one malicious link and one mis-click for an organisation to be brought to its knees. Just in September 2020, one of the co-founders of an Australian hedge fund had opened a fake Zoom invite, which allowed hackers to install a malicious software programme that enabled them to access the company’s email system and issue fake invoices. This ultimately led to the fund’s downfall and a near loss of $8.7 million dollars.

Yet, in spite of these threats, only a mere 25% of organisations have added additional security controls such as Multi-Factor Authentication (MFA) in the last six months. Worse still, 41% of employees have revealed that their organisation has never offered security awareness training. Of those who have been offered training, 29% shared that it had been at least six months or more since the last session. With social engineering representing the most popular attack type, consistent and ongoing training is pivotal to reinforcing a strong human firewall. Training would prepare employees to better recognise suspicious correspondences, be it by email, phone call or text message, and to appropriately deal with them. Regrettably, it appears businesses do not currently view this as a priority.

Returning to the office

There is no doubt that the pandemic and furlough have made the past year a particularly challenging one for most. Some employees may be anxious about returning to the office and leaving the safe confines of their home, others may be overwhelmed about the influx of work after time away. Some may be stressed, pushing themselves to meet high expectations for fear of losing their jobs. Whatever the case, good or bad, cybercriminals will be quick to take advantage of heightened emotions, a sense of urgency, distraction and curiosity. Businesses need to be aware of this, recognising that cybersecurity can no longer be an afterthought but a key pillar in their operations. It should not be viewed as a hindrance either, but an endeavour that will add value as well as a competitive edge.

Every effort should be made to embed cybersecurity into the organisation’s objectives and structure. Technical controls should be reviewed on a regular basis, and organisations should be quick to adapt their security strategies to meet the ever-changing threat landscape. More importantly, it is critical that security awareness training is introduced with a regular cadence. A one-off training session is not nearly sufficient as cybercriminals constantly innovate. What’s more, it is becoming more essential than ever to train employees whilst they work from home because it is often in their home environments where they feel safest and adopt a lax attitude towards security protocols. There is a range of training resources available online that organisations should leverage and what is beneficial too, is that these courses can be completed at the preferred pace of the individual.

Finally, businesses need to remember that their employees are human and thus, should be treated with empathy. It is inevitable that mistakes will be made but it is the organisation’s responsibility to create the safety nets and plan for every eventuality. Open communication, support and guidance are all fundamental in building an efficient as well as security-conscious workforce.

Javvad Malik is a Security Awareness Advocate at KnowBe4, a blogger event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security that speak to both technical and non-technical audiences alike. 

You may also like...