Between a Rock and a Hard Place: What Furlough Means for Cybersecurity

With the change in Furlough rules, Javvad Malik, security awareness advocate at KnowBe4, looks at what dangers might be lurking in people’s inboxes.

Posted 6 July 2020 by Christine Horton

Since the coronavirus outbreak earlier this year, the world economy has been thrown for a loop, with millions of employees required to stay home and respect social distancing guidelines.

In an effort to curb mass unemployment, the UK government enacted its furlough programme, known officially as the Coronavirus Job Retention Scheme (CJRS). In principle, the rules of the scheme prohibit individuals from undertaking any work-related tasks and, in return, they receive a grant covering 80 percent or up to £2,500 of their current salary. Failure to comply with this could result in the retraction of such funds or even severe fines.

As a fairly new concept to the UK labour market, however, ambiguity about what ‘work-related tasks’ means is rife. Although the rules do not say so explicitly, checking emails, for instance, could arguably be seen as ‘providing services’, particularly if employees then respond to the email or act on points within it.

Moreover, many are not receiving any counsel from their employers on what is or is not acceptable. In a recently conducted survey of one thousand furloughed employees across the UK, KnowBe4 found that as many as 46 percent of respondents did not receive guidance or were not aware of having received any from their employers.

Abstaining from checking inboxes, on the other hand, could leave employees burdened with a seemingly insurmountable number of emails upon their return to work. This is an issue that is quickly approaching as the government eases remote working restrictions and allows businesses to reopen. Indeed, almost 60 percent of furloughed employees have felt some degree of stress about their email inboxes, with many feeling anxious about the backlog or about missing time-sensitive communication. While you can take the employee out of the workplace, you cannot quite take the workplace from the employee, especially in our hyper-connected world.

In the end, individuals are faced with a tricky dilemma: allow an unmanageable number of unread emails to accumulate, or continue to check emails and risk their employers being in breach of the CJRS?

What’s more, we can be certain that cybercriminals are leveraging these circumstances for personal gain…

Phishing in Rocky Terrain

Recently, it was revealed that the NCSC had received a million reports of phishing emails in just two months since its launch in April 2020. Various other reports have also confirmed a spike in social engineering attacks by bad actors looking to take advantage of the chaos and fear surrounding the pandemic. In the KnowBe4 Q1 Phishing report, for example, it was found that coronavirus-themed phishing emails had shot up 600 percent. This means hundreds of thousands of malicious emails are sitting in the work inboxes of furloughed employees, waiting to be opened.

Yet nearly half of the furloughed workforce appear undisturbed by this, trusting that their “IT team should take care of them”. For the majority, priority is given to returning swiftly to business as usual, as opposed to filtering emails carefully for fraudulent links or attachments. Unfortunately, this exacerbates the risk for organisations, as phishing emails have become ever more sophisticated, bypassing even the best technological controls.

Moreover, the vast majority of these employees believe themselves capable of correctly identifying a phishing email, despite a lack of security awareness training. Indeed, almost two-thirds conceded that their employer had not offered a training course, and for more than half of those whose employer had, it had been over six months since the last session. This is concerning, as it has been proven time and again that individuals are over-confident in their abilities. In the KnowBe4 2020 Benchmarking Report, it was found that almost 40 percent of untrained employees were likely to fall for a phishing email, a figure that continues to grow every year.

Finding a Cushion in the Middle

This is a troubling time for many, not least for those furloughed and worrying about falling behind in work or losing their jobs altogether. It is neither feasible nor warranted to simply tell employees to stop checking their emails, or to condemn them for doing so. Rather, organisations should be proactive in helping to ease their stress and their transition both into remote working and back out of it.

For one, implementing a process that categorises emails according to priority, sender, topic and so on would help employees sift through their inboxes and respond efficiently to important, and safe, emails. Other technologies should also be deployed to provide a primary safety net that catches malicious emails before they are opened.


Secondly, it appears that, on average, individuals would take over two days to filter through their emails upon returning to work. As such, it is crucial that organisations respect this and offer ample time for employees to do so. By recognising the importance of taking one’s time to examine the authenticity of emails, employees may be less likely to rush through and click the wrong thing.

Finally, organisations should offer security awareness training or refresher courses, as these can make a world of difference. In fact, the impact of security awareness training has been assessed and was found to potentially reduce the phish-prone rate by half in just 90 days.

By taking time and easing employees back into work, recognising that mistakes may happen and having a plan in place for them, employers can make the transition back to work easier and, ultimately, more secure.