Cybersecurity risks lurk in the rapid shift to working from home

Organisations have quickly adapted to remote working arrangements, but boards must be aware of the greater exposure to cyber risks.

Until the COVID-19 crisis, 47 per cent of Australians had no home working experience, and those who could work from home (82 per cent) only did so for up to one day a week, according to research (Leesman Index) by digital consultants James Dellow and Matt Moore of Chief Technology Solutions. As organisations have been forced to settle into a longer routine the novelty has quickly worn off and challenges have emerged, such as mental health and wellbeing considerations.

Peter Harmer MAICD, CEO of Insurance Australia Group, says a vital message for board and management is on the importance of care for mental health and physical wellbeing.

“We can tell from logon/logoff details that people are working much longer days and we’re also finding that people are describing a day that is far more intense, where there are fewer distractions and ways of re-energising themselves.”

However, the need for staff to work remotely and virtually during the pandemic will change how we work in the future, according to Tommy Viljoen, leading partner, cybersecurity strategy and governance at Deloitte Australia.

“COVID-19 will make people more comfortable working virtually. As we take up 5G and more technologies come out that support virtualisation, we will become much quicker at adopting those,” says Viljoen. “Isolation means that people are looking for guidance, leadership and collaboration — and new tools and apps are providing platforms for that. There’s a lot of workplace creativity coming out of it. We’re also now using those techniques to connect with our clients — virtual workshops and seminars. These collaborative tools give us the opportunity to carry on business. They’re also an opportunity to rethink how we did some things in the past.”

Paul O’Rourke, global cybersecurity leader for PwC Australia, says for organisations that have been hesitant about allowing people to work from home or having a large mobile workforce there are opportunities to embrace this down the track, which could lead to better staff work/life balance.

“It will depend heavily on the culture of the business and its individual teams as to whether they can adapt,” says O’Rourke.

Watch cybersecurity

The World Economic Forum (WEF) has warned that criminals and hackers are exploiting the crisis, with a significant rise in coronavirus-themed malicious websites. WEF says more than 16,000 new coronavirus-related domains have been registered since January 2020. Hackers have also been selling malware and hacking tools through COVID-19 discount codes on the darknet, many of which are aimed at accessing corporate data from home workers’ laptops, which may not be as secure outside an office environment.

Vigilance is essential

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has warned organisations and individuals to remain vigilant against the threat of coronavirus-themed scams, phishing emails and malicious websites.

Since early March, there has been a significant increase in coronavirus-themed malicious cyber activity across Australia. The Australian Competition and Consumer Commission (ACCC) Scamwatch had received more than 100 reports of scams about COVID-19 in the past three months. Yet between 10–26 March, the ACSC received more than 45 cybercrime and cybersecurity incident reports from individuals and businesses, all related to coronavirus-themed scam and phishing activity. It warned that the true extent of this malicious activity is likely to be much higher, as these numbers only represent cases reported to the ACSC and ACCC.

Viljoen says that boards need to consider cybersecurity more carefully. “With COVID-19, there’s been a massive increase in scams. Boards need to ask if they have given additional guidance and support around security in home environments to staff. Something someone does at home can introduce a cyber risk into the workplace.”

O’Rourke agrees.“We have seen mass workforces become mobile, which is not something that a lot of companies had envisaged or prepared for,” he says. “Nevertheless, it is an acceleration of what is naturally happening anyway.

“This has pulled forward the cybersecurity considerations for a largely static workforce becoming mobile. For example, remote access/VPN security and performance, and ease of access of cloud-based systems. These have just been significantly stress tested. Out the other end of this, we will see organisations that were previously hesitant around remote working potentially embracing it — hopefully with improved security around their remote workforce.”

O’Rourke says complacency around monitoring of system access and login locations is a risk. “Just because we cannot physically see everyone, doesn’t mean the same level of system access has dropped.”

Chief Technology Solutions report, Pandemic of Under-Preparedness: A status report on digital workplaces and the organisational response to COVID-19 in Australia. Based on a survey of 46,057 respondents in Australia and NZ.