The transition to remote work in 2020 has driven technology adoption at an unprecedented pace. Online events, teleconferencing, and virtual meetings quickly became the standard. “Zoom” entered the vernacular seemingly overnight. At virtual happy hours, conversations swirled around whether Microsoft Teams or Slack was the better collaboration tool. Necessity became the mother of adoption.
This transition was also the mother of opportunity for cyber criminals and threat actors worldwide. The security implications of remote and hybrid work are immense, as new vulnerabilities are met by an evolution in the threat arena.
1. Outside the Wall
As the threat of COVID-19 became understood in early 2020, the first priority for organizations was business continuity: keeping employees and customers safe, shifting to remote work, deploying new collaboration tools, and building ecommerce capabilities.
As vast numbers of workers left the security of their employers’ firewalls, technology leaders had to act quickly to improve endpoint security. Employees’ home networks are more vulnerable, and it is challenging to ensure that all security patches and updates are installed on employees’ home networks and devices.
2. Peak Volume
Online shopping, virtual engagement tools, social media-supported food delivery and a jump in IoT (Internet of Things) ramped up the volume of potentially threatening interactions. For example, the number of websites compromised with form-jacking, malicious code that infects a commercial site and steals users’ payment and other personal data, increased in 2020. The threat actors behind these attacks benefit from the increased online activity generated by COVID-related storefront closures and the global move to e-commerce solutions. When employees use the same device to access corporate networks that they use for online browsing, shopping and streaming, that corporate network is at risk.
3. Band of Robots
IoT adoption rose globally during COVID-related lockdowns and the shift to working from home. Smart device company Xiaomi identified the adoption of smart home technology as a prevailing trend in 2021. Typically, consumers use default or weak passwords for their IoT devices, and malware can be spread through these connected doorbells, routers, smart TVs and other devices, ultimately leaving corporate networks vulnerable. Weak IoT security also contributes to distributed denial of service (DDoS) attacks, in which threat actors infect connected devices (like thermostats, routers, etc.) with a virus that coordinates overwhelming requests to a target server, making a website crash or leaving online services unavailable.
4. (Still) Gone Phishing
According to Symantec, phishing accounted for 1 in every 4200 emails in Q1 2020, and spear-phishing continues to be a primary vector for cyber attacks. For example, Google reports blocking 18 million COVID-related phishing and malware emails a day during a single week in April 2020 (Neil Kumaran and Sam Lugani, “Protecting businesses against cyber threats during COVID-19 and beyond.” Google Identity and Security Blog, April 16, 2020). And according to AESC Partner KnowBe4, which provides cybersecurity awareness training programs to organizations including AESC Members, more than 90% of successful hacks and data breaches start with phishing scams. Phishing is a threat to every organization across the globe.
One spear-phishing technique that executive search consultants, clients and candidates should be acutely aware of is an attack that uses LinkedIn data to create a targeted email with a fictional job offer. Once the target individual clicks on the attached job description, their system is open for any malware the threat actor chooses to deploy.
Complicating matters is that more and more employees have been hired and onboarded virtually, which makes it much harder to know whether that email really is from the CFO, and much easier for threat actors to spear-phish successfully.
5. Bad is a Business
The most interesting and alarming change in the threat landscape may be the extent to which cyber criminals are expanding their business models. Much like the trend of taking on side-gigs within the professional class, threat actors are developing new revenue streams, including “malware as a service” (MaaS) and selling their malicious code, or the backdoors they have established into victim organizations, to other cyber criminals.
6. Ransom on the Bus
Payouts for ransomware attacks have risen dramatically, as threat actors go “big game hunting.” The Colonial Pipeline attack in the US disrupted fuel supplies and cost the company an estimated $4.4 million. UK-based foreign currency exchange service Travelex was devastated by a ransomware attack in which the criminals demanded £4.6 million.
In another revenue-generating expansion, cyber criminals are using ransomware to further monetize the data they encrypt: intellectual property, trade secrets, and potentially reputation-damaging information could be released to the public if victims refuse to pay. And it’s working. According to a report by Chainalysis, payments made by ransomware victims jumped by 336% in 2020 to reach just under $370 million. (Chainalysis, “Ransomware Update: Newly Uncovered Addresses Reveal $21M Worth of New 2020 Ransomware Payments.” Insights Blog, Chainalysis.com, March 1, 2021)
How are CISOs keeping one step ahead?
Organizations have a number of security tools and practices to prevent or mitigate intrusions and stay ahead of the fast-adapting security threats.
1. Software-Based Firewalls
For remote workers, laptops and other remote devices require a software-based firewall to protect each device. Software-based firewalls help protect networks from intrusions, but updates and patches can be hard to distribute and remote triage is a challenge for IT teams.
2. Multifactor Authentication
Multifactor authentication adds an extra layer of security to often easily compromised usernames and passwords. Authenticator apps, a fingerprint, security questions and facial recognition prove the person logging in is who they say they are.
3. Security in the Cloud
Cloud-based security offers improved compliance, absorbs DDoS traffic to prevent the disruption of servers, ensures the encryption of data in storage, safeguards information from eavesdropping during transmission, and reduces internal data theft.
4. Meet PAM
Privileged Access Management (PAM) tools actively control who has access to what. Restricting access to sensitive data and critical systems to a limited number of people reduces the risk that the data and systems will be compromised and provides for the monitoring and recording of any access or actions.
One of the most effective ways for organizations to protect their data and systems is through Zero-Trust architecture. According to CrowdStrike, Zero-Trust “combines advanced technologies such as multi factor authentication, identity and access management (IAM), identity protection, and next-generation endpoint security technology to verify the user’s identity and maintain system security.” (Jeannie Warner, “What is Zero Trust Security?” Crowdstrike.com, May 6, 2021)
6. Cyber Insurance
And if all else fails, organizations need to be protected from the devastating costs of a breach. The financial burden of a cybersecurity incursion can be enormous, from the legal, forensic and mitigation expenses to the loss of revenue and potential fines for non-compliance with data security regulations. Carefully negotiated cyber insurance can keep a victimized business in business.
7. Red Team Exercises
Like war games for cyber threats, red team exercises test an enterprise’s security. External “threat actors” run a simulated cyberattack to thwart the security systems and teams as they stand, without notice. These exercises can find weaknesses before real threat actors do, giving organizations the chance to repair their systems and retrain their people.
8. Workforce Security Training
The weakest link in IT security is users. Training across organizations is essential—this includes AESC Members and their clients. That’s why AESC has partnered with KnowBe4, a leader in cybersecurity training for organizations and their people.
Security Beyond Cyber
Cyber criminals are not the only threats in the hybrid workplace. Enterprises are focusing on workplace health and safety in the remote environment, resources for mental and occupational health, and a heightened commitment to well-being among workers, whether they are on-site, remote, or some of both.
For more information on Crime and Security in the Digital Age go to AESC.org