Evolving your endpoint security strategy

How the right cybersecurity can solve your hybrid headache

The hybrid working model is here to stay, but agile and remote workers don’t have to be a security challenge

Earlier this summer, the employees at law firm Paris Smith received an email. Although it looked innocent, the email wasn’t what it appeared to be – and clicking on the link it contained didn’t take users where they expected. 

According to recent figures, 47% of employees have fallen for a “phishing” email while working from home, so it’s hardly surprising that some of the company’s employees clicked on the suspicious link in their email. 

Luckily for them, the email was actually part of a training programme designed by the company’s IT department as part of a “Safe at Work, Safe at Home” programme. With employees now working from home for three days each week, the company wanted to remind people of the importance of following security guidance wherever they happen to be working.

70% of office workers admit to using their work device or letting someone else use their device for personal tasks

27% of office workers who shared work devices felt they ‘had no choice’ in these exceptional times

HP Wolf Security 2021

“We wanted to give people a very realistic idea of what a phishing email might look like, and what the consequences were of clicking on unknown links,” says Martin Lake, the company’s head of IT. “While lots of people knew not to click on the link, it certainly wasn’t everyone.” 

The move towards agile and hybrid working brings substantial benefits in terms of costs, flexibility and work/life balance, but it does present organisations with increased security headaches. Many employees will be working at home, with limited security systems, or in coffee shops and shared workspaces where they may be using public WiFi networks. 

When you have employees taking their devices out of the office or home, it’s not just online threats you need to worry about. The increased possibility of a lost or unattended device falling into the wrong hands adds an extra layer of risk. This is where endpoint security features such as biometric authentication and privacy screens can add an essential barrier, without frustrating employees.

According to the HP Wolf Security Blurred Lines and Blindspots report, 23% of office workers globally expect to work from home much of the time, post-pandemic, and an additional 16% expect to split their time equally between home and office. The report also showed that between February and April 2020, there was a 238% increase in global cyberattack volume – showing cybercriminals took the opportunity of the pandemic with both hands, to target new, remote workers. In an increasingly perimeterless working world, a new approach to security is needed.

At Paris Smith, the company has adopted a zero-trust approach to hybrid IT security. When your business involves handling highly sensitive personal data, then security has to take priority over convenience for employees, says Lake. The company issued laptops to all employees which they are required to use for work, so that everyone has appropriate device controls including two-factor authentication, local firewalls and AV software. 

However, there is a balance to be struck. While safety trumps convenience, if security measures are too intrusive and prevent employees from carrying out tasks efficiently, they will probably find a way around it.

The challenge of securing hybrid workers doesn’t just come down to security technology or intrusion detection systems. It’s about making sure people are informed and aware of how to protect corporate data in new settings, and are actually following this guidance. 

“Covid-19 created one of the most challenging periods ever for IT departments, with a wave of new cybersecurity threats against home workers. The level of breaches and confusion among employees shows how disorganised and fragmented the cybersecurity landscape has become,” says Nigel Thorpe, technical director at SecureAge. A survey conducted in 2021 by SecureAge found that 48% of companies in the UK hadn’t invested in any additional training for new home workers around security threats. 

That’s a problem because taking people outside of an office environment into a cosy coffee shop or familiar dining room changes our attitude to risk dramatically, says Mark Brown, founder of security consulting firm Psybersafe. “When we’re at home it feels safe and comfy, and the normal security signals of an office environment aren’t there. Our whole approach to security settings can fall away,” he says. 

This can mean that employees who are usually diligent about security take more risks at home – sending that document to their personal email so they can print on their home wireless printer, for example, opening up email attachments without checking the sender first, or allowing others to use their work devices for personal tasks. “We don’t individually see ourselves as targets, because we’re not the CEO, so we don’t feel responsible for security in many cases. In the office, there are posters and colleagues and a work computer that reminds me to comply with security guidance, but at home, it’s harder, and companies need to take steps to make people feel responsible,” says Brown. 

That’s the approach taken at Paris Smith, where the company launched a training programme designed to help security protocols feel ‘routine’ wherever an employee happened to be working. “We know employees aren’t security specialists and we can’t expect them to be aware of the nature and types of attacks so the “Safe at Home, Safe at Work” programme is about instilling a sense of cybersecurity awareness, whether someone is buying something online or logging into a corporate email account. It’s encouraging good habits and trying to make them second nature,” says Lake.

Top security challenges of agile working

Remote workers make soft targets: Hybrid working can mean people using home or public WiFi networks, shared family laptops, and poor security hygiene. Networks might be slow or unreliable, and this can delay the application of security updates. The use of unauthorised software can also expose businesses to cyber risk. 

Remote work infrastructure is under attack: To enable remote working, companies are increasingly relying on VPN and cloud technology. Attacks on these systems by cybercriminals have increased by up to 600%, while attacks on Windows Remote Desktop Protocol (RDP) have also increased from 93 million in 2020 to 377 million in February 2021. 

Poor data protection and authentication: If your hybrid workers are handling sensitive data then data protection can become an issue on insecure public or home networks. It’s essential to put in place stronger checks than you might in an office environment, by using multi-factor authentication and appropriate ring-fencing to ensure sensitive data can’t leave the corporate network.

Human error: We’re more likely to make mistakes and security lapses when we’re distracted and comfortable. Outside of the office security perimeters, one wrong move can lead to loss of data or a network breach. In such circumstances it is essential to create a ‘report first’ culture that allows employees to report mistakes without fear of censure, allowing mistakes to be remedied quickly.

Five cyber risks to watch out for right now

In an increasingly sophisticated cyber threat landscape, what are the biggest risks facing organisations in 2021 and beyond – and what should they be doing to ensure they are secure?

Cybercrime has emerged from an obscure risk discussed in the IT department to a top boardroom priority in recent years. A seemingly endless parade of high-profile data breaches keeps even the most seasoned execs awake at night, threatening not only their bottom line but their reputation too.

The race to digitalise systems to enable remote working during the pandemic hasn't helped. Amidst the rush to keep employees connected to work systems from home, many businesses inadvertently dropped the usual security standards, policies and safeguards they deployed in the office. A study by Tenable found that 94% of companies have suffered a cyberattack in the last 12 months, and three-quarters attributed them to vulnerabilities in technology put in place during the pandemic. 

Of course, vulnerabilities don’t just lie in technologies but in humans too, which means protecting against threats must involve an appropriate balance between advanced cybersecurity solutions and employee education. Here we examine the five biggest cyber risks facing all organisations today. 

1. Ransomware

One of the most dominant and common cyber risks today is ransomware attacks, with analysis by McAfee showing such threats increased by 69% last year. Cybercriminals typically look to exploit the simple mistakes that humans make every day with their ransomware, as well as the frequent failure to keep systems and software up to date. This means staff education is key. The more they understand how to spot something dodgy, and the importance of keeping systems updated, the stronger an organisation’s defence will be. “Technology can also help limit the damage when defences are breached, through endpoint detection and response and minimising access to data,” says Simon Hepburn, CEO of the UK Cyber Security Council.

2. Phishing

Phishing and spearphishing attacks have evolved dangerously into sophisticated attack vectors. Once bad actors gain entry, they seek to establish some form of persistence in the network through the likes of malware, web shells or privileged account takeovers. An initial intrusion may go unnoticed until the full attack is triggered, giving the hackers time to exploit their access and gather data from the network. Cybersecurity strategies should be both reactive and proactive. “On the reactive side, there are great strides in endpoint detection and response systems that detect anomalous behaviour on devices and provide valuable telemetry to incident responders,” says Alex Urbelis, senior counsel in law firm Crowell & Moring’s privacy and cybersecurity team. “On the proactive side are activities like the ingestion of threat intelligence and threat hunting.”

3. Business email compromise

Business email compromise is the tactic most often used to defraud organisations of millions of pounds and remains the largest source of cybercrime losses worldwide, according to the FBI. Threat actors spoof a company domain or hack a legitimate email account, posing as a trusted individual in an organisation to reroute funds or access privileged data. Due to the ever-growing sophistication of these attacks, even the most robust cybersecurity training and protections are unlikely to keep out 100% of attempts, so organisations should introduce verification systems for certain requests. “This simple step can undo weeks, if not months, of hard work for an attacker and keep your funds out of their hands,” says Adenike Cosgrove, cybersecurity strategist at Proofpoint. Additionally, companies should identify and equip their most vulnerable users with the knowledge and tools to be vigilant about all forms of email communications.

4. Weaponised deepfakes

Last year saw one of the first workplace cases of deepfake weaponisation discovered when a senior official was tricked into transferring money after receiving a call from a fraudster impersonating the CEO’s voice using deep learning technology. Rapid growth in remote connectivity during the pandemic has since seen deepfake techniques, both audio and video, boom in popularity. “While the majority of cyberattacks continue to involve ransomware, hacking and phishing,” says BlackBerry EMEA VP Keiron Holyome, “threat actors may increase the weaponisation of deepfakes as video conferencing becomes part of the new world of work.” More worrying, in fact, is the prospect of bad actors combining deepfake technologies with traditional phishing or business email compromise scams, resulting in even more effective cyberattacks. 

5. Fighting blind

Poor security baselines and a lack of visibility leave too many organisations handicapped in the fight against cybercrime. Unpatched systems, under-protected or over-privileged accounts, exposed services, misconfigurations – when companies fail to get the basics right, they’re simply gifting an open goal for attackers to breach their network. “Fixing these weaknesses can be a low-effort and low-cost way to bolster your security foundation,” says John Shier, senior security advisor at Sophos. Companies that lack visibility enable bad actors to hide in plain sight. Amidst the vast, noisy ecosystem of cybersecurity solutions, organisations able to deploy technology in a way that enhances visibility across their systems and network are best suited to remain protected.

Commercial feature

How endpoint security is evolving to combat new threats

Detection-based approaches are failing to protect organisations in the hybrid working age – the future is secure by design and requires a layered endpoint security system rooted in zero trust

Managing and keeping visibility of the cyber risk landscape is no easy feat – especially in the increasingly complex digital working world. Threat actors are constantly working on new ways to exploit vulnerabilities and ensure malicious emails can bypass email gateways and detection tools so they can arrive in inboxes and increase the chances of being opened. In the remote working age, the lack of physical visibility over how devices are being used and by whom has also left IT teams working with clouded vision – another blindspot that hackers are all too happy to exploit.

Half of office workers surveyed by HP said they now see their work device as a personal device, and 27% admitted that while they know they are not meant to share work devices, they ‘have no choice’. In another HP study, 83% of IT teams in the UK reported a rise in employees opening malicious links or attachments. This has left 85% of IT decision makers worrying that such behaviours are increasing their company’s risk of a security breach.

“Security is not a destination – it’s a journey,” says Dave Prezzano, UK and Ireland managing director at HP. “We must be constantly flexible, proactive and reactive to protect against evolving threats because cybercriminals are bypassing detection tools by simply tweaking their techniques. There are more opportunities now for petty criminals to connect with bigger players and download advanced tools that can bypass defenses and breach systems. We are also seeing hackers adapt their techniques to drive greater monetisation, selling access onto organised criminal groups so they can launch more sophisticated attacks against organisations.”

The endpoint continues to be a huge focus for cybercriminals, with seven in ten breaches starting with an endpoint compromise, according to IDC. As cybercrime techniques continue to evolve, endpoint security must evolve too. It is crucial to have resilient endpoint infrastructure and cyber defense, utilising features like threat containment to minimise the attack surface by eliminating threats from the most common vectors: email, browsers and downloads.

Traditional detection-based approaches are no longer effective in a world of auto-generated polymorphic malware, designed to evade detection. A more architecturally robust process is needed to secure remote workers, supported by a zero trust approach which means trusting nothing at face value and verifying everything. Users and devices should be continuously assessed and authenticated, in line with the principle of least privilege, to reduce the opportunity for hackers and contain attacks. Zero trust must also extend to different aspects of the endpoint itself: the firmware, application security, the integrity of the OS, and the account accessing data.

Security should fit as much as possible into existing working patterns and flows, with technology that is as unobtrusive as it is user-intuitive. The future of endpoint security must be secure by design, supported by technology systems that are intelligent enough to not simply detect threats but also to contain and mitigate their impact, and to recover quickly in the event of a breach, which could happen at any time to any organisation.

“By focusing on protection instead of detection, organisations can defend themselves and their employees from targeted attacks, without compromising on security or productivity,” says Prezzano. “Defending and mitigating cybersecurity risk for the increasingly perimeter-less organisation will require a focus on the endpoint as the first line of cyber defenses, and a new layered approach to cybersecurity which applies the vital engineering principles of zero trust.”

HP Wolf Security, which is built on over 20 years of research and innovation along with some strategic acquisitions, unifies all of HP’s endpoint security into one formidable force to help organisations stay ahead of evolving modern threats. Leveraging HP’s expertise across PC and print, HP Wolf Security delivers a truly integrated offering across devices. The solution hardens layered defences and provides enhanced protection, privacy and threat intelligence by gathering data at the endpoint to protect the business at large. Starting at the hardware level and extending across software and services, it helps defend organisations against both known and unknown threats.

Rooted in zero trust principles, HP Wolf Security harnesses state-of-the-art technologies to reduce pressure on IT. From self-healing firmware and in-memory breach detection to threat containment via virtualisation and cloud-based intelligence, HP Wolf Security shrinks the addressable attack surface, delivers high fidelity alerts and enhances threat data collection. By leveraging this threat collection data for intelligence gathering, organisations can turn the endpoint into a strength that is able to withstand the future transformation of the workplace.

“Adopting a layered approach with hardware-enforced isolation technology can help prevent undetectable threats from escalating their access, which may not be stopped by other security software,” Prezzano adds. “Through integrating our security offerings we are making it easier to navigate the threat landscape. A layered endpoint system offers the best protection in the hybrid world, and turns a traditional weakness – the endpoint – into an intelligence-gathering strength.”

Keeping up with the ever-changing cybersecurity landscape

How cyber threats have evolved alongside the disruption of the pandemic and new working styles, and why ITDMs are prioritising endpoint security more than ever before

A significant number of UK businesses reported cyber security breaches or attacks between March 2020 and March 2021

Percentage of businesses who reported cyber security breaches or attacks

This number may be higher, as less than half of UK businesses are monitoring cyber risks and threats. Fewer businesses are monitoring risks than before, suggesting they found it harder to administer cyber security measures during the pandemic

Disruption and changing working styles have increased worrying staff behaviour, making visibility even more of a challenge

Concerns about employee behaviour expressed by ITDMs globally
ITDMs are concerned about the dangers of accessing data via insecure connections and without the protection of the corporate firewall
Level of threat IT teams believe the following attack methods pose with people increasingly working from home on potentially insecure networks
And they are right to be concerned
Percentage of ITDMs that have seen evidence of these security breaches in the past year
As a result, ITDMs are now prioritising endpoint security as much as network security
Percentage of ITDMs by country that believe endpoint security has become just as important as network security because of more work from home employees

Is your smart company at risk?

IoT devices might be new, but there are ways to make them safer

When you opened your laptop this morning, the chances are you entered a password, and logged on to the corporate network via a secure connection, or a VPN. Your laptop might be monitored for intrusions or threats using a number of specialist security products. 

Laptops and traditional endpoint devices aren’t the only devices that should be keeping IT security managers awake at night – they should also be thinking about the growing number of smart devices in our homes and offices. 

“When everyone at our agency started working from home, it wasn’t the laptops that worried me because I knew they were locked down. It was the thought of what happens if someone accidentally broadcasts something confidential on an Alexa speaker, or a device has recorded some data about passwords in a platform that could be hacked,” says Daniel Lovegrove, IT director at communications agency Cybrus Technology.   

The agency’s staff have been working at home for 12 months and the corporate policy is simply that smart devices should be turned off. “To some extent, we can only ask people to follow our advice and turn devices off, because they are in their own environment, and these aren’t company devices. But it’s a worry.”

It’s a worry that could spiral, with an estimated 20 billion smart devices expected to exist by 2023. “We will soon be at a point where there are two or three IoT devices for every employee, and that’s potentially a very big headache,” says Sarb Sembhi, chief information security officer at AirEye, and part of the British Security Industry Association (BSIA). “Some of these will be corporate devices like trackers, fieldwork devices, entry systems and alarms. But many will be personal devices, such as medical devices, consumer appliances and smart objects. And they all exist outside the current IT security infrastructure.” 

The first challenge with IoT is that devices like smart printers and TVs are often set up and then forgotten about, says Armin Buescher, technical director at Norton LifeLock. While it’s common practice to apply patches and updates to laptops and PCs, many of us forget to update other devices, and manufacturers may not offer good long-term support through services such as security patches and software updates.

“This means IoT devices can be a prime target for hackers, and malware is also a concern,” says Buescher. “Today’s hackers are highly aware of insufficient IoT security, and many pre-program malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Victims may not even know they have been infected, but such attacks can be very disruptive and impact your ability to control systems such as heating or lighting.” 

The humble printer is an unassuming device that many security teams forget to prioritise. 2020 research by KuppingerCole found that more than half of printers are accessible via often-used open printer ports that could be hacked. Unlike other IoT devices, which can be largely out of your control, some smart printers are available with the same levels of protection as PCs and laptops. If you bring printers into your security infrastructure, and only allow devices with first-class security features, they needn’t be a headache.

The BSIA has recently developed new guidelines for enterprises on IoT security, but Sembhi points out there is a long way to go to create common standards for IoT products. “In the EU, we’ve identified 15 recommended security features for IoT devices, but we only require manufacturers to meet three of those,” he says. “It’s not that we don’t think all 15 security features are important, it’s about what’s considered achievable. Added to this a lack of standards in how IoT is installed and maintained, and there is a significant potential security threat from IoT.” 

Although it’s still early days, the BSIA says there is guidance available for enterprises deploying IoT. “It’s developing fast, but we are seeing more and more practical guidance from the IoT Security Foundation, the BSIA and other organisations,” says Sembhi. “The most important thing is to understand what protection is available, and make sure that you’re using – and monitoring – that protection in your environment.”

Three steps to IoT security from the BSIA

Understand the risk: Figure out your risk model and threat model. Many organisations are using or are planning to deploy IoT, so it’s important to understand how IoT devices fit into your digital transformation strategy, and what security gaps might be created. Use this information to update your risk/threat models.

Buy and install safely: Next, consider how you will deal with these new gaps by buying securely and implementing safely. Refer to BSIA guidance and check that your supplier is signed up to the BSIA code of conduct (or a similar scheme) for IoT manufacturers. This will help you to buy devices that are more secure and fit your risk model. 

Respond quickly: Put in place an instant response team so that you are consistently monitoring IoT devices. This team should be able to identify and pick up any security issues with IoT and respond immediately, rather than finding out there is an issue only hours or days after an attack.