If the headlines can be believed, this year’s shift out of office buildings and into home offices is not just a passing fad arising from the coronavirus pandemic but rather a trend with serious staying power. But if remote work is truly here to stay, cybersecurity professionals have a lot of work ahead of them – because the threat levels are mounting, especially for critical infrastructure providers.
Cybersecurity challenges are rising up on a larger scale
One reason for heightened concern about cyberattacks is the sheer scale of the change.
Working from home used to be a relatively rare option, especially among salaried employees. According to a recent study by researchers from Upwork and the Massachusetts Institute of Technology (MIT), less than 15% of the U.S. workforce was working from home before the emergence of the pandemic. As of early April, though, that figure rose by more than 34%, bringing the total number of remote workers up to nearly 50%.
The numbers have also risen in other countries. In India, for example, the share of the country’s information technology (IT) workforce based at home rather than in the office rose to about 95%. And according to a Eurofound study released last month, nearly 40% of the European Union’s workforce have switched to working at home in the face of the outbreak.
In short, the number of people doing their jobs outside the office has already grown on a massive scale just in the last few months. What’s more, the number is likely to go even higher, even if the pandemic dissipates and case numbers decline, owing to considerations of employee satisfaction and cost reduction.
What this means is that cybersecurity teams are going to be very busy for the foreseeable future. They will have to assess the security and capabilities of as many different home office locations (and perhaps as many different types of machines) as there are workers on staff. They will also have to figure out how to train all these workers in the use of virtual private networks (VPNs) and other safeguards without gathering them together in a single space.
Teleconferencing services such as Zoom should help with some of these tasks. Nevertheless, cybersecurity teams are set to see their workloads get heavier as the remote workforce grows and as critical infrastructure providers face higher threat levels.
The stakes are higher in cyberattacks on critical infrastructure
Another reason for heightened concern is the expanding range of the work that is now being done remotely.
Those who are shifting to working from home don’t come just from the knowledge industry. That is, they’re not just white-collar or IT or creative types. More and more, they’re employed by companies involved in critical infrastructure – utilities, manufacturing, natural resource extraction, transportation, public safety, health care.
As a result, they are more likely to need access to operational technology (OT) as well as IT systems. This has the potential to pose even greater challenges for cybersecurity professionals, especially since OT and IT systems are not always well integrated, even within individual companies.
Additionally, the stakes are higher by definition for critical infrastructure. Failures in this arena have the potential to impact millions of people in very short order, as in the case of an electric power provider. They can put lives at risk, as in the case of a hospital. They can disrupt critical supply chains, as in the case of a factory that produces electronic components.
In other words, cybersecurity professionals are likely to see their workloads growing more urgent as well as heavier, as they seek to minimize threat levels for critical infrastructure providers as well as remote workers in other sectors.
It’s time to take heightened threat levels seriously
There are signs that those with the most to lose are taking the heightened threat level seriously.
For example, National Grid Partners (NGP), the investment arm of London-based National Grid, has said it plans to invest US$15 million in two cybersecurity and online data companies – namely, Risk IQ and 1touch.io. This announcement comes just a few short weeks after reports of a cyberattack on Exelon, which works with National Grid to facilitate payments on the British electricity market.
But there are also signs that much more action is needed – and much more money. In the United States, for example, state and city governments are reportedly pleading with the federal government for funds to fend off a rising tide of phishing, ransomware and other attacks. But at the same time, Washington is facing challenges of its own. The Congressional Budget Office (CBO) recently put the cost of the Grid Modernization Research and Development Act, proposed in 2019 but still working its way through the House of Representatives, at US$1.2 billion.
Problems such as these are not temporary. They’re not going to go away once the pandemic ebbs. Instead, they’re likely to multiply as more workers make their homes into their offices. Cybersecurity teams should get ready.