It's quite obvious that the ‘C’ word has changed how many of us work. Whether you’re an employer or employee, the way in which you ‘do IT security’ has probably changed. If it hasn’t, then it probably should have.
Threat actors notice that your employees are working from home, or from the coffee shop, and adjust their tactics accordingly – they have their ‘Priority Intelligence Requirements’ if they are a nation state, or their financial targets if they are a cybercrime group.
There are dozens of tools – both software and hardware – which can be exploited by the bad guys. Some have other – legitimate – purposes, and others are purely malicious. Would you be able to notice if a threat actor plugged a malicious USB device into one of your employees’ laptops – and would you be able to stop them exfiltrating data from it? Would you notice if your CFO’s email account was compromised, and he/she started asking for employees to change banking details, or buy gift cards?
Have you encouraged (or forced) your employees to use longer passwords, or perhaps provided a Password Manager for them to make use of (there are some excellent options available commercially)? Alongside this, forcing ‘Multi-Factor Authentication’ is one of the strongest forms of defence you can establish – it’s not infallible but it does raise the bar.
Security maturity is a journey, not a destination. Every day brings new technology, new attack surfaces, new vulnerabilities, new exploits – but it’s not an impossible task, and having an educated workforce, combined with a modern, patched infrastructure for them to use, will dramatically reduce your risk.
Know what you have, know how you access it and know what would be valuable to different threat groups, and you can adjust your stance accordingly. Being in a state of perpetual preparedness is hard and tiring, but it’s the only way to survive on the modern internet. Educate your staff on how to spot and report suspicious behaviour, just like they would in the ‘real world’, and you’re halfway there.