The global coronavirus pandemic has changed the world of work forever.
With no real warning or preparation, we all became homeworkers, whether we liked it or not. And while most have now adjusted to “the new normal” and worked out how to make the best of a home-working routine, many companies were — and still are — woefully unprepared in terms of wider network security issues.
Business Insider has reported that “Americans have lost nearly $12 million this year to scammers and bad actors capitalizing on the coronavirus pandemic” – a figure that’s probably a great deal higher three months later.
In the new normal, black hat hackers can easily do any of the following to gain access to a remote network:
- Find homeworkers that do not know their security procedures
Most people expect to “plug and play”, relying on their office IT and security teams to ensure solid security. Shifting technology to remote locations is a surefire way to leave it wide open to abuse.
- Find vulnerable unpatched VPNs
Companies are often behind in terms of current security patches. The swift shift from secure office VPNs to remote access has left gaping holes, while overworked security and IT staff fumble to patch and catch up.
- Find houses that have other vulnerable devices on their networks
You’ve probably heard the horror stories, where hackers have gained access to a home network via creative means – even via the electric car charging point, the children’s smartphone or that always-on but rarely used ‘smart’ device.
- Send phishing emails to known home workers
If it looks legit, and you’re distracted by kids, pets, and housework, chances are high that you’ll open an email and open a world of pain.
- Call home workers and socially attain passwords
As above, working from home brings large, new distractions, and staff – often untrained on how to spot hacking attempts – are falling prey to malicious calls.
- Find homes with weak wifi passwords
At home, how many of us regularly change our network passwords? How many of us employ 2FA on our home network? How many of us use 123456?
- Find companies with weak security policies and target their central systems
The shock of the lockdown left a lot of companies – who have reasonably well organised office security policies – completely unprepared to deal with a complex new world of disparate connections, systems and networks.
- Take advantage of old home technology
Many people working at home only have basic technology, a lack of security awareness and outdated software. The least savvy hacker can easily access such a vulnerable scenario.
- Capitalise on the blending of personal and work computing
As the boundaries blur between work and personal time online, unscrupulous hackers can gain access to corporate networks via personal email, gaming and other personal activities online.
- Feed on virus fears
Unscrupulous hackers are inviting homeworkers to sign up for legitimate-seeming furlough and financial schemes, donate to charities, and add their details to virus-related news bulletins.
Networks were thrown wide open as remote log-in became the norm. While hackers rubbed their hands with glee, capitalizing on the number of ‘open’ back doors, the corporate world is still in a state of shock regarding the economic losses of the pandemic, never mind the security issues.
While we see a wave of news headlines regarding alleged nation-level hacking of vaccine data, there’s a problem just as pressing.
Within weeks of lockdown, a malicious ransomware attack was carried out on a Czech Republic hospital, shutting down the hospital’s entire IT network, causing surgery postponements and disrupting vital operations.
While critical infrastructure networks have been staffed in-situ throughout the lockdown, the US government Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory to key infrastructure companies to help them prepare for the possibility of remote working. The advisory included enhancing system monitoring, checking virtual private networks are patched, implementing multi-factor authentication (MFA), testing remote access scenarios and triple-checking firewalls, malware and intrusion prevention systems.
This same advice delivered to help critical infrastructure operators survive the pandemic can be just as applicable to the corporate world. Office networks are, broadly speaking, secure, and most certainly more secure than unmonitored home networks. But with an entire staff logging in remotely, there is clearly a broad range of issues to manage, and new ones emerging every day.
Employee education is perhaps a cornerstone of all security policies, but how can employee knowledge and support of external access be monitored? Suddenly, every employee is expected to be able to monitor their own network with the keen awareness of a cybersecurity expert, while fending off more immediate attacks from bored children, family pets and delivery drivers. Home distractions are a big concern for corporate security, creating windows of vulnerability — and in such times of stress or distraction, people are far more likely to fall victim to scams.
Most home-based Wi-Fi simply doesn’t offer the same defenses — such as firewalls and anomaly detection monitoring — found in corporate environments. Add in the fact that many corporate VPNs simply don’t keep up with vulnerability patching, attack briefings and security software updates, and we find ourselves in the midst of hacker utopia.
Microsoft recently released updates to plug some 123 security holes in its Windows OS and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that the company said is likely to be exploited, according to security commentator Brian Krebs.
Employees must keep their software updated — but patches and fixes are often time-consuming to download and implement.
Onus on employers
The onus is on the employer — and the IT department — to maintain a higher level of remote security to fend off hackers and security issues.
While most corporate networks might not need an ‘air gap’ (keeping vital infrastructure software networks separate from more mundane internet-connected IT networks) there is a definite need for greater network security, and increased awareness. Many malicious attacks are based around ‘mimicking’ corporations, getting unsuspecting homeworkers to log in to familiar corporate services using fake URLs.
Multi-factor authentication is a must. Creating tokens which change regularly, or need updating in order to log in again, makes any system harder to hack.
No one should be using their own equipment at home unless it’s been updated by the company and approved. How many of us truly keep our home PCs completely up to date and virus free?
And, of course, vulnerabilities can easily start to creep back into an environment if security basics like patching are neglected.
Establish the rules
Homeworking rules should be established by now, covering the use of own devices and ensuring that common platforms such as online conferencing and email, backed by MFA tools, are fit for purpose and safe for average home workers to engage with.
Security and IT teams must identify what new risks are emerging in this very fluid time, and examine whether existing policies can still be pursued as normal. Security and IT priorities for 2020 must be focused and relevant — there’s no point in working on new policies revolving around how visitors at the office reception are dealt with right now, for instance.
Of course, on top of all the well-documented stress and strains of dealing with coronavirus, staff might be feeling overwhelmed by communication. While it’s crucial to keep staff abreast of security issues and best practice, it’s equally important to communicate the issues clearly and concisely.
Become familiar with the unfamiliar
Staff may well also be unfamiliar with technology which must be used to enable homeworking, such as collaboration platforms and VPNs, for example, while becoming increasingly blasé about security as time progresses.
Cyber security expert at analysts PwC, Rachel Mullen, speaking of the current cyber threat landscape during a recent podcast, said: “What we’ve been seeing is almost business-as-usual for cyber attackers in terms of tactics they are using and who they are targeting. They’re using the same kind of malware that they would ordinarily be using, using spear phishing as a way to get into networks, but what has been shifting has been the increase in the malicious activity that’s themed around COVID-19, which is perhaps unsurprising and it’s certainly very clear that criminals are exploiting the situation.”
She sees a key issue as securing and monitoring access to the corporate network, while being vigilant for unusual behaviour. Speaking during a podcast, Mullen says the rise in ransomware, phishing and spamming is something to be mindful of, along with the ever-present horror of a DDoS (distributed Denial-of-Service) attack, especially if corporate security and IT departments are unwell, or may have been repurposed into other departments during the pandemic. Rather than creating skeleton IT and security teams, she suggests it’s better to augment these teams.
Very human element to risks
She stressed the ‘very human element’ to the risks — that we are all more likely to click on a link which seems familiar or legitimate, and malicious hackers are all too aware of that fact, taking full advantage of the current climate: “it’s really highlighting that social engineering is a particular risk at the moment.”
Mullen added malicious activity is currently targeting technology used for remote working, “particularly if you consider that there’s a lot of tools or applications that we’re using that might be unfamiliar to a lot of us, so collaboration platforms are an obvious one, as are virtual private networks.”
Her PwC colleague Sean Sutton points out that it’s equally important to pay heed not only to the corporate network, but what data resides on end-user systems at home, and the need for vigilance from all parties.
De-tuning corporates to allow remote access
He also suggested that the PwC cybersecurity team has had to ‘almost de-tune’ client companies’ MFA procedures to allow staff remote access to corporate systems, adding: “That’s OK if it’s the only decision that you can make [to] enable the business to continue to operate, but the flipside then is to make sure you’re putting some additional security control in place. Maybe that’s monitoring or something else.”
Mullen stresses the need for potential adjustment in the detection and response methods in place, given that the need for rapid IT change has seen systems and devices being introduced where, by necessity, “controls may have been relaxed or removed to ensure that they can do what they need to do at the time,” and “ensuring that those controls are either put back in place…or [checking] whether there are risks…that maybe you didn’t have before.”
Overall, short-term decisions made at almost crisis level will influence long-term strategy.
Building future resilience is a hard-learned lesson good corporates picked up during the pandemic – and we may well see more acceleration and adoption of cloud-based services and storage in the near future.
As PwC’s Sutton put it, the pandemic has highlighted that current plans don’t quite address the need, so many organisations will be re-examining what resilience means for an organisation, and how security is the backbone of resilience.
This year has been one of rapid new technology adoption and unprecedented collaboration. And while homeworking certainly has its pitfalls, there is always a silver lining — the lockdown has allowed many companies to highlight, discover and rapidly react to gaping security holes in their networks.
As with all data security, remote access is only ever as strong as its weakest link. But with the right combination of good technology and employee know-how and training, it can be done well.