The return to the office, be it after a holiday or a shift from full-time remote working to a hybrid model, brings with it some worrying security habits and risks. While the holiday is not yet a distant memory, it is very likely that great security hygiene is; therefore, companies need to prioritise cybersecurity awareness and training as they move into the new year. Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa, points out that the attack surfaces have increased when people return to their offices in a hybrid model, which means that there are even more vulnerabilities for companies and employees to worry about.
“It has become important to prioritise employee security awareness and digital wellbeing as much as their physical and mental health and wellbeing when they return to work,” she explains. “HR is mandated to be aware of people being tired, overwhelmed, and too anxious so that they are given the support they need, but this needs to extend into security.” Tired and overwhelmed people are easier targets. Distracted people even more so, as they are not being quite as rigorous with their security behaviours as they should be.”
One area where the post-holiday brain may very well cause a breach in the company lies in the virtual meeting. Suddenly, there are a ton of meetings flooding into your inbox. Zoom on Tuesday, Teams on Wednesday, and six more on Friday. The problem is, some of these invitations may actually be a form of social engineering—fake meetings designed to look like the real thing, but engineered to capture critical information or perpetrate a nasty hack. In September 2022, there were several vulnerabilities found in Zoom. For example, these vulnerabilities allowed a remote hacker to join a meeting and download files, while in May 2022, users were tricked into downloading a more vulnerable version of Zoom, which made it easier for cybercriminals to gain access.
Microsoft Teams is not excused, either. The platform experienced a significant rise in phishing and malware attacks in 2022, and it is unlikely to escape unscathed in 2023. Both these platforms have such high volumes of users and use cases that they present a very juicy target – all it takes is for one person to make a mistake and the hackers are in.
“There are several areas of risk when it comes to holding meetings online. The first is clicking on a fake link. “Because people are so used to seeing these meeting invites, they tend to click on them without thinking,” says Collard. “This risk is increased by the fact that often companies work with third-party service providers or freelancers who send in their own meeting requests.” It gets harder and harder to detect which meeting requests are real, and which ones could be fake. This really does underscore the need for ongoing cybersecurity training and awareness—and to have approved lists of providers so that only their meeting requests are accepted.
Another issue lies in the fact that people are now back to working across multiple platforms, sites, and devices. This means that they are juggling multiple passwords, multi-factor authentication (MFA) processes, and time constraints. It is easy to slip up when you are deluged by work and out of practice. Even MFA has become a minefield, with hackers finding innovative ways of getting people to enter their codes into fake systems or share them over the phone.
“Cybercriminals and their attacks are getting smarter by the click,” concludes Collard. “Threats are increasing, vulnerabilities are always going to be a problem, and now is the time to remind users about being vigilant so that the new year is not marked by a new hack.” “Start 2023 with training and awareness that reinforces the messaging and reminds people how to detect and avoid the threats.”