Data security vulnerabilities due to remote or hybrid work

By Cecilia Yontz, OSPCA marketing and communications intern 

Cyber attacks have evolved over time and with many businesses adapting to hybrid or fully remote work environments, it is important to know the impact this has on cybersecurity.  

“The COVID-19 pandemic really changed the game on not only how we work, but how cybercriminals operate,” said Nicole Graham, risk consultant at Aon. “And the increase in cybercrime hasn't slowed down; we've adjusted to this new reality and so have the cybercriminals.” 

Identifying the risk 

The top three claims that Aon sees are ransomware, business email compromises, and data breaches, said Graham.   

A security risk she believes many do not consider is employee turnover. When an employee leaves, it is important that firms take certain steps to secure information. 

“One of the reasons I stress no personal devices is because if you have someone leave, it is very hard to get your business information off their personal device, whereas you can request they turn in their work-issued devices,” said Graham. “In addition to getting devices, you want to immediately remove their access to anything on your network, you don't want them to be able to access it in any way.” 

Enhancing cybersecurity 

Enforcing the use of only work-issued devices, reinforcing with training, using a virtual private network or VPN and multi-factor authentication are the top ways that Graham believes firms can enhance their cybersecurity. 

“These are things that are becoming more normal for everyone to use, and you should be sure that everyone's using them while accessing confidential client information or just your firm's information,” she said. “You don't want a situation where your firm's proprietary or  trade secret information gets out because of an unsecured communication.” 

Not only are there measures that firms should enact, but there are also regulations that they need to follow. Graham noted that The Federal Trade Commission issued safeguard rules in which accounting firms are now considered financial institutions. This means that they have to maintain written information security programs.  

Looking at the future 

As for what future risks firms might see, Graham mentioned staying on the lookout for how generative AI might be leveraged by cybercriminals. Cloud computing is also something she believes firms should be vigilant about.  

“Everyone is switching to cloud computing now; most are not hosting their own data anymore,” said Graham. “When firms are configuring their cloud data and controls, they need to be mindful and try to restrict access.” 

Ultimately, strong cyber hygiene and cybersecurity measures help to ensure the protection of people’s personal information. 

“You never want to get in trouble for leaking people's personal information,” she said. “Not only are you going to run afoul of these laws that have penalties and everything else, but that's a huge reputational harm to your firm. You never want to break client confidence.”