I chose the title of this blog to memorably reflect the parallel themes I recognise between Garcia Marquez’s masterpiece novel ‘Love in the Time of Cholera’ (published in 1988) and the situation we now face in the context of cybersecurity in the midst of this pandemic.
The novel’s focus is love, in all its myriad forms, and how it can meet the different objectives that occur over the course of a person’s lifetime. For Marquez, love and disease are so entwined that love itself is a form of disease. For me, the entwinement of cybersecurity and coronavirus, particularly the impact of coronavirus on the workplace, is a game changing event that cannot be ignored in any future cybersecurity strategy. If cybersecurity is to meet the challenge of the future, we must first appreciate what will change, what different forms of cybersecurity will be needed and the different objectives that will likely have to be met.
So how do we understand what impact Covid-19 has on the work environment and predict what the future workspace might look like? Fortunately, my firm, Harrison Clark Rickerbys (HCR), has conducted in-depth research and produced a report snappily titled ‘Future Workspaces – What is the future of the Office?’ The report includes surveys that were conducted both pre and post (i.e. during) the pandemic and which flagged up a seismic shift in behaviours, attitudes and trends.
One of these shifts, perhaps predictably, was the rise of Zoom and Microsoft Teams, aka virtual meetings, and the inexorable move toward remote, home working. At its peak in April 2020, the use of Zoom’s software increased 30-fold, with more than 300m daily participants in Zoom meetings worldwide. And that’s just Zoom. HCR’s survey results demonstrated that whilst before the pandemic just under 45% of respondents never used video calling as a tool to communicate with clients or colleagues, in the post pandemic era more than 45% used it frequently and 40% always held a virtual, video enabled call for client and colleague communication.
These figures are borne out by statistical evidence which indicates an eight-fold increase in those working predominantly from home during the pandemic; an increase in the home working population from 5% to 43%. And that sharp rise was met with a 76% uptick in the frequency of cyber-attacks. HCR’s research noted that phishing incidents alone rose from a mere 137 In January 2020 to 9,116 by March 2020 when the first UK lockdown came into force.
So, armed with the knowledge that a huge upturn in remote working has been met with a significant rise in cybercrime, we need to understand whether remote working will continue at an increased level once restrictions disappear and offices re-open their doors to their staff. The answer I suggest is an emphatic yes.
The pandemic has pushed the fast forward button and home working has become an irreversible, preferred option for the majority; in the survey a staggering 91% loved or liked working from home and 72% agreed with the statement that they hoped to continue working from home when we ‘return to normal.’ Whilst staff can’t always dictate the future to their employers, there will be a tsunami of support for remote working, which has arguably become the new normal, and organisations insisting on office-only presence will likely face opposition from disgruntled staff as well as a potential barrier to recruitment.
My own view is that if the future workspace has an emphasis on remote, location-flexible working, then our approach to cybersecurity has to radically evolve to meet the cultural as well as the technological challenge.
Culture as well as kit will be key cybersecurity considerations. Culture is more than just the people within an organisation. It is also more than the sum total of their behaviours or a statement of company values. Culture should reflect everyone’s practices and expectations; it includes, importantly, how we perform and problem solve together.
Outside an office, that togetherness is undoubtedly harder to achieve given that the face to face cues and physical, inter-relationship norms are absent. In the sphere of cybersecurity, remote working amplifies the risks because it becomes more difficult to convey, embed and enforce safe working practices.
There will be less cohesion to company security values such as only using company-issue devices, only using the secure company wi-fi, only discussing work issues with colleagues at work or only in the hearing of colleagues. This last point is important. Outside the office, an employee may work from a café or other social site with open, non-secure wi-fi and strangers who may use anything seen or overheard to facilitate a hack or for social engineering.
Away from the office it is far harder to effectively communicate and enforce safe cybersecurity practices, which, let’s be clear, are not the only cultural message the company will be trumpeting; it must compete with a plethora of other messages which seek to coordinate how we perform and problem solve together when we aren’t together physically.
It is difficult to write a comprehensive prescription that is a cure all for cybersecurity in a time of Covid-19, but I will offer the following, as the absolute minimum, for a future workspace strategy:
- Ensure you have a remote working policy that is not only available to all but known by all and understood by all; relying on staff reading a circulated document may not be enough to embed an appropriate cyber-risk averse culture
- The policy will need to cover the entire spectrum of remote working risks, from using personal devices, to location/open wi-fi risks and data privacy considerations; it must coherently explain the risk and how it can be avoided or mitigated so that your employees not only understand it but believe in it
- Ensure everyone uses a VPN whenever possible to create a more secure, encrypted network connection
- Ensure employees are trained to spot anything that may be suspicious and are encouraged to report it through quick and straightforward reporting channels
- Ensure your work network has very tight, updated security and is optimally patched and configured
- Confirm that your cyber insurance or other insurance policies cover remote working risks and that the cover is sufficient.
This pandemic has changed the way we work and the way we should approach cybersecurity. Cybersecurity in the time of Covid-19 should reflect and address the additional threat that a sea-change in culture presents. As work becomes more remote, so organisations will need to find new ways of implementing good working practices and culture that was previously achieved in a physical, face to face social setting. Being cybersecure was always demanding, but in the time of Covid-19, it just got more demanding.
Prof Dan Hyde
Dan is a partner at HCR Law.
22 March 2021