Cyber News Roundup: Flexible Work Poses Cyber Risks, Latest Trends, Creating a Cybersecurity Culture

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

Flexible work options continue to put organizations at risk. The latest work discussion (debate) centers around employees returning to the office, continuing to work remotely, and exploring flexible work options. With the rapidly growing hybrid work trend likely for many, cyber risks are also growing. “Employees become a significant cybersecurity risk because remote workers are often not as secure in the digital age as workers on company premises,” states Robert R. Ackerman Jr. in his Security Magazine article.

While flexibility is great for employees, it isn’t good news in the cybersecurity world, according to Ackerman. “Hybrid work will remain a headache until and unless organizations make a bigger effort to cope with the increased security risks,” he says. The problem with remote work is that many systems on home networks don’t get software patches regularly, fostering out-of-date software and related vulnerabilities, adds Ackerman. Add to that another layer of security headaches: as employees are coming into the office, they bring laptops and USB drives that can unknowingly spread malware. (Home networks are typically shared with others in the house, such as children playing online games, creating additional cyber risks.) Ackerman offers these suggestions:

1. Reconsider lax BYOD policies.  At a minimum, organizations should mandate that BYOD devices have a strong security posture.
2. Improve vendor risk assessment programs. Third-party vendors in general have turned out to be sizable security risks. If they don’t already exist, processes should be established to evaluate current and future vendor security capabilities and demand they be up to snuff.
3. Share the responsibility of security. Especially in the elevated risk of a hybrid work environment, effective security involves shared ownership across the organization, as well the deployment of tools, controls, and policies.

Latest Cybersecurity Trends

Navigating New Frontiers, the latest cybersecurity report from Trend Micro, was released. Here are the key findings:

• Modern ransomware actors continue to target critical industries. Ransomware attackers are shifting their focus to critical businesses and industries more likely to pay, and double extortion tactics ensure that they are able to profit.
• Rising threats to cloud environments. Threats to cloud security were among the most pressing IT infrastructure risks for organizations in 2021, according to the Cyber Risk Index for the first half of 2021. Protecting their cloud architecture is a challenge for companies because many of the technologies that compose this architecture are regularly updated with new features.
• Email threats climb as more organizations adopt remote work. Since the onset of the pandemic, internet and email usage has been instrumental for business continuity and remote work. As email became even more useful tool, malicious actors seized the opportunity to take advantage of remote workers’ increased dependence on online communication.
• Rising vulnerabilities leave unpatched systems exposed to more risks. The intricacies of modern IT infrastructures make patch management essential for business operations to run smoothly, but this is easier said than done. In an ideal world, organizations routinely update the software they rely on and their own security policies. But this is a tall order for IT teams that are already spread thin, especially because tracking updates is but one of their many everyday tasks.
• Pandemic-related threats evolve. The COVID-19 pandemic has driven organizations to rethink their own operations. Many have adopted a hybrid work model that is dependent on remote connection and cloud computing to adapt to and stay afloat through changes. However, research showed that in 2021, 72% of organizations in the U.S. still struggled to defend themselves against attacks that aimed to infiltrate their corporate networks through their employees’ work-from-home setups.

Implementing A Cybersecurity Culture: The Latest Insights

There has been a great deal written about the need to implement and practice good cybersecurity hygiene, including training and awareness programs. Keri Pearlson, executive director of cybersecurity at MIT Sloan, says “the weak link is typically people and behavior — a problem that is only resolved through a combination of technology investment and culture change.” Beth Stackpole’s article, How to build a culture of cybersecurity, provides the latest insights:

• Make cybersecurity part of the organization’s fabric. It’s not just about giving people a playbook on how to avoid phishing emails or providing password management training. Rather, it’s infusing safety into the organizational fabric, so every employee is constantly reminded of their role and responsibility to keep the organization safe.
• Make it someone’s job to be the “culture owner.” This isn’t necessarily the CIO or CISO, but a non-technical executive who specifically owns the actions necessary to change behavior and drive values, attitudes, and beliefs.
• Use language that resonates. If you want to foster change, it’s important to communicate in terms that workers understand. One culture owner at a major insurance company determined that the term cybersecurity wasn’t connecting with employees. The messaging was changed to “protect our data and systems,” an objective team members clearly understood.
• Make cybersecurity part of formal employee evaluation. This will help employees know what is expected of them. When coupled with rewards and consequences, this gives organizations the best chance of driving behavior and culture change.
• Conduct tabletop exercises and fire drills. Pearlson encourages organizations to simulate, either through scenario planning or tabletop exercises, what should happen in the event of a real breach.

In Other News Around Oregon…

The Technology Association of Oregon (TAO), the Oregon Small Business Development Center, and Mount Hood Community College, are continuing the 2022 Small Business Cybersecurity Series. This is a free, virtual opportunity to learn the fundamentals of cybercrime and cybersecurity to better protect your business via one-hour sessions held each month. The next session, Create an Incident Response Plan, will be held, Tuesday, March 29, 2022, 11:00 a.m. – 12:00 p.m. PT. For more information and to register, click here.

Portland-based PKI Solutions, a Cyber Oregon supporter, launched PKI Spotlight, a new type of cybersecurity monitoring software that gives organizations confidence in their identity and encryption systems. “It is the first and only solution to consolidate vital information about an organization’s PKI environment into a single view, at your fingertips,” said Mark B. Cooper, president and founder of PKI Solutions.

Cyber Oregon sponsor blog post of interest: Fortinet: A Brief History of the Evolution of Malware