CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the fifth blog post in a series of five for 2022.
More than two and a half years after the pandemic abruptly sent workers home from the office, the way we work and where we do it has changed for good. Hybrid work has become commonplace, with organizations large and small in almost every sector allowing at least some of their employees to work in the office part of the time and remotely the rest of the time. While the implementations vary, one thing is certain: the future of work will involve a wide range of flexible work arrangements.
The results from the 2022 CIRA Cybersecurity Survey underscore the extent to which this trend has taken hold in Canada and offer some important insights into the impact it will have on cybersecurity for Canadian organizations. Of the 500 IT professionals we surveyed across the private, public and MUSH (municipalities, universities, school boards and hospitals) sectors, one-half identify hybrid work as their organization’s preferred option.
Overall, among organizations that have chosen not to adopt a hybrid approach, 15 per cent characterize their workforce as fully remote, while just over a third (34 per cent) still expect their employees to show up at the office every morning.
Extending cybersecurity protections beyond the office
IT organizations have had ample time to adapt to the new ways of working, and most have put new systems and processes in place to support hybrid and remote workers. But significant challenges remain. Among these, extending cybersecurity protections to remote workers ranks near the top of the list. Some key findings from the CIRA cybersecurity survey back this up.
For example, a sizeable majority of cybersecurity professionals (55 per cent) view their organization as more vulnerable to cyber threats because some or all of its employees work remotely. Of these, 44 per cent view their organization as somewhat more vulnerable, while 11 per cent believe it to be much more vulnerable.
Data from the survey also shows that cyberattacks continue to plague Canadian organizations in every sector. In the last 12 months, 44 per cent of cybersecurity professionals say their organization has been hit by a cyberattack (either attempted or successful), and 22 per cent say their organization has been victimized by a successful ransomware attack. During the same period, just under three in ten (29 per cent) say their organization experienced a breach of its customer and/or employee data.
While the pivot to remote work is just one piece of the puzzle, there’s no question it has altered the cybersecurity landscape for many Canadian organizations by increasing the number of endpoints in the network and expanding the attack surface for would-be hackers. It also has the potential to expose organizations to additional cyber threats that are not typically seen in a traditional office setting.
For example, remote/hybrid working can mean employees’ personal devices, many of which are not equipped with adequate endpoint protection, are being connected to the corporate network, increasing the risk of malware being propagated. Poorly secured home Wi-Fi networks are another potential vulnerability, as is the use of consumer-grade platforms for file sharing, many of which lack the levels of encryption and protection provided by corporate IT systems.
Mitigating the security risks of the hybrid work model
There are proven steps you can take and security systems you can put in place to protect your remote employees and your organization from ransomware, phishing scams and the latest types of malicious software designed to compromise your network and your data.
Firewall solutions, virtual private networks (VPNs), and two-factor authentication are all great tools for keeping hackers at bay. But it’s also critical to ensure that any security measures you implement, however effective in theory, are bolstered by comprehensive cybersecurity awareness training for all your employees. No cybersecurity solution can be relied upon to neutralize every single cyber threat, so it’s critical that your people are properly trained to recognize and report phishing, ransomware and other types of cyberattacks.
Cybersecurity is a moving target, and there’s strong evidence to suggest that the rise of hybrid, remote, and other non-traditional ways of working is introducing new complexities into the mix. But by investing in cybersecurity solutions that take these complexities into account and ensuring your employees have ongoing cybersecurity awareness training, your organization and your data will be protected, and your employees will be well prepared to deal effectively with any threats they do encounter before any damage is done.
Learn more about the new off-network protection feature in the CIRA DNS Firewall, which protects users when they’re not connected to their corporate network.