The office isn’t what it used to be. Where once workers would commute from their homes and make their way into a cubicle every day, the worker of today is just as likely to pull out a laptop and get their work done without even walking out their front door. The physical space we work in is changing. According to a recent study, 70 per cent of employees globally work from home at least one day a week, while everyone from startups to Fortune 500 companies is moving their operations into co-working spaces. And this isn’t the only way the office landscape is changing. Whereas once an entire workforce was hooked up to company-owned desktop computers, now employees are just as likely to work on their own laptop or from their personal smartphone.
The new off-site work model has been made possible by collaborative work apps that let workers connect with office servers and databases, and with colleagues inside or outside the office via the cloud. And whether telecommuting necessitated cloud-based apps, or those apps facilitated a new way of working, their popularity has spilled over into the office as well. It’s not uncommon for entire teams to share files on Dropbox, communicate via Slack or Trello, or collaborate on documents using Google Docs, even when sitting in adjacent cubicles. The benefits of collaborative apps are even clearer for employers: rather than spending time and money mapping employees to secure company servers, they can outsource their business tools and map employees to various cloud drives.
It’s a great system – until it isn’t. Collaborative apps are vulnerable to cyberattacks, both outside the office and inside, and all it takes is one well-executed attack for hackers to be able to drop their malware into a worker’s device and infect files – including files that can be uploaded to a company’s intranet via collaborative apps. Part of the problem is that when it comes to securing cloud-based apps, it’s unclear whether that security should come from the vendor or the consumer. But if organisations want to avoid the devastating losses that could come from an attack, they need to ensure the work apps their employees are using are secured against malicious content.
Understanding the risks
Unsecured Wi-Fi networks are everywhere, from the nearest coffee shop to an airport lounge a continent away or even in a shared workspace, leaving employees vulnerable to a hacker’s infiltration. By uploading a keylogger or similar malware, a hacker can easily steal a user’s credentials to their collaborative apps. The malware uploaded to the collaborative account via a document will infect anyone who opens it, and eventually that malware will make its way to the corporate network, and to the data that the hacker seeks.
But it’s not just an out-of-office problem; workers inside the office who use collaborative apps are no more immune to attacks. Many workers inside the office use collaborative apps to share files internally and with third-parties, and these apps are not particularly robust when it comes to cybersecurity. A well-executed phishing email in which an employee opens up an attachment or clicks on a link that downloads malware to a device, or includes an attachment that has hidden malware that installs when the recipient opens it, could compromise employees who get them both inside and outside the office. If the document is uploaded to the working group’s Dropbox account, for example, it could potentially infect the systems of anyone who accesses that document, spreading that malware to systems inside the office. Using this method, a hacker could spread a keylogger to the office network, potentially stealing user credentials, and maybe even administrative credentials.
BYOD (Bring Your Own Device), the mirror image of the remote worker phenomenon, is another reason for organisations to worry. Additionally, those devices – the same ones employees use to watch YouTube videos and do their work on at the coffee shop – means that when it comes to cybersecurity, anything goes. Not only do employers lack control over the security protocols on employees’ personal devices and are unable to know if they are up-to-date, those devices are using shadow IT security methods for protection— so when those devices connect to the corporate network, the IT department now has a very complex cybersecurity arena to navigate. Multiple devices, multiple operating systems, multiple cloud apps – they all amount to multiple threats, and require diverse security systems to protect them. And that may be out of the range of expertise, not to mention budget, of the organisation.
New security for a new workplace
The question for employers – and employees – is how to manage such a complex risk environment. The dramatic solutions – banning BYOD, requiring employees to do all of their work in the office, and educating them on the danger of phishing attacks and insecure networks – are non-starters. Workers, especially young ones, want to work remotely; employees want to bring their own devices to work, and companies, saving money on hardware, are happy to comply; and efforts to educate employees to avoid falling for phishing scams have been flops.
Standard security systems for devices, mostly AV systems, but also personal firewalls and other measures as well, are no match for what hackers can do. Even commercial sandboxes, touted for their ability to defend networks, aren’t a fool proof solution.
If companies are going to keep up with telecommuting and the associated changing security risks, they’re going to need to adapt their strategy and tackle the vulnerabilities of collaborative apps head-on. That means that any company that allows its employees to work remotely, to use their own devices, or that utilises cloud-based collaborative apps needs to take a strong look at how their information is being secured, and needs to implement a holistic cloud-based system for analysing and detecting the existence of malware in content across channels and across devices—one that triggers an alarm when something is out of place. If unauthorised activity is taking place there, it could mean that a device has been hacked – and that device could be denied network connectivity to prevent it from infecting the network. Only then can organisations rest easier, knowing that while employees enjoy the benefits of remote employment and easy collaboration, they can enjoy the benefits of enhanced cybersecurity.