Upon the onset of COVID-19, many organizations went from protecting a few offices to protecting hundreds or even thousands of satellite offices as employees headed home to work. IT and security teams were challenged to quickly – and securely – enable their colleagues to work outside of the office perimeter.
According to a recent Glassdoor survey of employed U.S. adults, 72 percent said they are ready to return to their company’s office, with 45 percent expecting to return to the office in some capacity this summer.
What does ‘in some capacity’ mean? Well, the pandemic has reimagined where and how work gets done. PwC’s US Remote Work Survey found that employees are anticipating a hybrid work model, in which they will be required to go into the office no more than three days each week. The growing hybrid workforce brings its own IT and security challenges, including managing security patches and updates, ensuring security within home environments, and monitoring user behavior.
In a CIO round table discussion, Microsoft security architect Wayne Anderson pointed to user behavior as one of the biggest cybersecurity risks of today’s hybrid workforce. I couldn’t agree more. As with any crisis, the COVID-19 pandemic has created a great deal of confusion among employees – and in turn an increase in social engineering attempts. Just look at the results of the 2021 Verizon Data Breach Investigations Report. Over the past year, 85 percent of breaches involved a human element, and social engineering attacks topped the list of attack patterns.
Now, the hybrid workforce and the imminent return to the office present new opportunities for sophisticated social engineering attacks. Successful social engineering scenarios could include:
- A malicious link or attachment embedded in emails outlining realistic return-to-office protocols.
- Contacting the help desk to enroll a new multifactor token for the VPN.
- Gaining physical access after an attacker convinces the office manager or colleagues that it is their first day at the office.
To help prevent employees from falling victim and to maintain secure social interactions, here are five considerations to pay close attention to:
- The hiring process did not stop over the past year. When your employees return to the office, there will be new faces and names. During this time of transition, there should be a heightened sense of awareness of physical security. Remind employees of physical security protocols and have an established method of identity verification to confirm the employment of unfamiliar people. Follow the same identity verification methods regardless of the communications channel: phone, email, and in-person.
- Audit your physical security procedures. Who owns physical keys to the office space, access credentials, employee badges and ID cards, etc.? Audit who has access to what and ensure you disable access that is no longer needed.
- Practice the principle of least privilege. Least privilege means enforcing the minimal level of user rights that allow an employee to perform their role. For example, marketing should not have access to client financial data. Restrict access for each employee to limit the breadth and impact of a social engineering attack.
- Allow only authorized devices on your corporate network. As people go back and forth between home offices and corporate offices, ensure that personal (bring your own device, or BYOD) devices are enrolled in your IT asset management program, and only provision access where necessary.
- Regularly test your employees with social engineering penetration tests. Real adversaries attempt to trick employees into exposing sensitive information every day. Make sure your employees are receiving the proper security awareness training and understand your organization’s procedural security controls. Social engineering penetration tests can include phishing assessments, vishing assessments, and on-site social engineering.
NetSPI’s social engineering security consultants practice empathy and collaboration during every assessment. Empathy is critical in social engineering because it is important to recognize that the employees being tested are human, and social engineering aims to manipulate human behavior. It is imperative not to punish an employee for clicking on a malicious link; rather, inform them so they can correct the behavior in a proactive, positive way. Collaboration is key to a successful engagement. At project kickoff we work with our clients to identify key social engineering scenarios to avoid, as well as employees who should or should not be targeted.
While user behavior may be one of the biggest risks to a hybrid workforce, it is also one of your greatest assets in defending against adversaries. If you can teach employees how to practice the behaviors that prevent social engineering attacks, you will stay one step ahead of adversaries at a pivotal point in time: the return to the office.