Company News

Working from home during COVID-19: Three challenges for data security we’re seeing right now

by Neil Larkins
Published on 30th Mar 2020

To help prevent the spread of COVID-19, over one-quarter of the world’s population is currently in lockdown. Governments are actively encouraging people to work from home wherever possible. Our teams are no longer just grouped in different office locations – but working individually from kitchen tables, spare rooms and (for the lucky ones!) home offices.

And this prompts an array of different data security issues. Here are three things the Egress Team is seeing right now.

“We just need to get our jobs done!”

Although most organisations have business continuity strategies, a significant proportion are discovering the challenges of putting them into practice, particularly at this scale and at short notice. What’s more, while your organisation’s plan might be working well, you also have to contend with the fact this might not be the same for your partners, supply chain and clients.

We’ve recently heard from a number of organisations that don’t have VPN access set up for some or all of their employees, don’t have enough laptops or mobile devices for their staff to work with, or rely on paper-based processes and physical media to share data.

So they now have a significant job on their hands of getting their teams operational – and as they work on this, productivity in the wider business feels threatened. And it’s a known fact that when productivity is at risk, security can often take a backseat. So as they wait, employees are finding workarounds, for example by sharing files using FTP sites or sending data to personal devices to work on. And while we at Egress will always champion productivity – we’re also speaking to the Security Teams now struggling to keep sensitive data safe. So as ever, it remains crucial that organisations find the right balance between productivity and security. 

The blurring of boundaries

Working from home at this scale and for longer length of time is also a challenge because people are complex. The way we behave can vary minute-to-minute, especially at a time of global heightened anxiety.

And our behaviour inevitably affects the way we handle data.

We know from our 2020 Insider Data Breach Survey that over half of employees don’t think their organisation has sole ownership over company data – instead believing that it is in-part or entirely owned by the individuals and teams who created it.

And we also know that people are more likely to take risks with data they feel belongs to them than data they believe belongs to someone else. When they don’t have access to the right tools and technology to work securely – or they think the tools they do have will slow them down, especially at a time when the need for productivity is at its highest – they’re more likely to cut corners.

(People’s behaviour and psychology impact data breaches in many ways – if you’re interested in learning more, we’d recommend you join our webinar with Lisa Forte, Partner at Red Goat Cyber Security, on April 16th. Lisa will be digging into this theme in much more detail. Find out more.)

The influx of emails – legitimate and phishing

If we weren’t living in our inboxes before – we certainly are now!

As people flex their office hours, data is being shared via email at all times of the day and night. Again, the blurred boundary between home and work is leading to more people emailing beyond their normal working hours and from smaller screens (mobile devices, laptops, etc.), trying to maintain productivity to usual standards or having to amend their routines around personal circumstances like childcare.

So the likelihood of people making a mistake – emailing the wrong person, attaching the wrong document, or forgetting to encrypt sensitive data increases.

We’re also seeing cybercriminals taking advantage of the heightened anxiety around COVID-19, trying to lure people into clicking on links with promises of information, updates, and medical solutions and supplies.

Of growing concern are the number of “conversation hijacking” attacks. In these types of attacks, cybercriminals monitor the emails flowing in/out of a compromised mailbox for weeks or months. Once they have gathered enough information, instead of using the compromised account and quickly drawing attention to themselves, the attacker instead sets up a similar domain name (domain impersonation) and uses that to email their victim(s). The end result of this type of attack is to typically then send fraudulent invoices for payment or convince the victim to change bank details for regularly scheduled payments.

Attackers are now using the widespread upheaval due to COVID-19 to their advantage by putting a rush on payments or stating that bank details have changed due to new working circumstances.

Six tips to improve data security while working from home due to COVID-19

We can all agree that times are incredibly tough right now. For security professionals looking to mitigate some of the risks, here are six practical tips taken from the conversations we’re having with other organisations right now:

  1. Look for security software that doesn’t hamper productivity. It’s generally the aim of the game anyway – but right now, employees are feeling increased pressure to prove their productivity. If you’re finding yourself selecting new solutions, it’s never been more crucial to select technologies that don’t add difficult extra steps for them or anyone they’re working with outside the organisation.
  2. Choose collaboration/productivity solutions that have security baked into them. The other side to the coin of the point above, really: when choosing any new solution to implement at this time, make sure that security measures are part of a product’s standard design, and not an after-thought.
  3. Automate security wherever possible. If it’s possible, take decisions out of end users’ hands to ensure the security of sensitive information in line with policy, reducing the risk of someone accidentally or intentionally not using security software.
  4. Engage employees over security best practices. Phishing is a good example of this. Some inbound risks will evade the filters on your network boundary and end up in users’ mailboxes. Effort to proactively engage employees through e-learning and other educational measures can help them to know what to do with emails they think are suspicious (for example, hovering over links before clicking on them).
  5. Look to AI and machine learning to help solve advanced risks. Use cases like conversation hijacking, misdirected emails or people attaching the wrong files to documents can now be mitigated by intelligent technology like contextual machine learning, which determines what “good security behaviour” looks like for each individual, and alerts them and administrators to abnormal incidents – effectively stopping breaches before they happen.
  6. Implement no-fault reporting. People often don’t report security incidents because they’re concerned about the repercussions. Where it’s appropriate to do so, implementing no-fault reporting to encourage individuals to report incidents in a timely manner, so you can focus on remediating the problem as quickly as possible.

How can Egress help?

We empower people to share data effectively and securely.

Our Secure File Sharing and Collaboration platform can help with the following top use cases during COVID-19:

  • Share large files and multimedia with internal colleagues and external third parties
  • Receive ad-hoc file uploads using a customisable form and without file size restrictions
  • Collaborate via any internet-enabled device, including mobile
  • Improve productivity by editing documents within a secure browser, rather than sharing via email and losing version control
  • Preserve security policy by recalling access to shared documents as required

Our Intelligent Email Security platform can:

  • Prevent emails being sent to the wrong recipient(s)
  • Stop the wrong files being shared as an email attachment
  • Automate email security based on the level of risk, including the use of message-level encryption or TLS (where appropriate).
  • Reduce friction for recipients accessing encrypted emails, based on the level of risk, to increase adoption
  • Provide a detailed overview of risk levels across your email network, so you can pinpoint and fix areas of non-compliance

If you’d like to speak to a member of the Egress Team about any of the problems we help to solve, please click here.