Hackers accidentally allowed into company software by security-noncompliant employees cost businesses millions annually; we asked experts to weigh in on best safety practices.
Cyber threats didn’t suddenly become a thing when COVID-19 pushed the enterprise into a remote workforce. Careless, security-noncompliant employees have negligently allowed hackers access to company computers and software while solidly ensconced within a brick-and-mortar office. A January insider-threat report from Ponemon, compiled on Jan 29 before the US lockdown, showed that the average global cost of insider threats rose 31% from 2018 to the time the report was compiled, and that hacking incidents spiked 47% over the same period.
Hacking has gone viral
But the coronavirus pandemic brought a new slew of cyber threats, feeding on how “Anxiety and desperation can make it easy to let one’s guard down when it comes to online threats,” Forcepoint principal security analyst Carl Leonard told TechRepublic in March.
Last month, TechRepublic’s sister-site ZDNet reported what it dubbed “disturbing statistics” of COVID-19 cybercrime, including that brute-force attacks were up 400%, the number of unsecured remote desktop machines rose by more than 40%, COVID-19-related email scams surged 667% in March, and tens of thousands of coronavirus-related domains are created daily—with 90% of those new domains being “scammy.” It further noted that 530K Zoom accounts were sold on the Dark Web, and that there was a 2,000% increase in malicious files with “Zoom” in the name. A 2020 SonicWall cyber threat report cited a 105% spike in ransomware samples.
Lock up sensitive information
Because staff are working from home (WFH), company leaders simply do not know whether staff are ignoring best practices or unsafely storing sensitive information. Therefore, the enterprise must turn to effective plans of action. Briefly, the current cyber threat situation comes down to this: personal devices used for work can be hacked in a multitude of ways; the vast majority of hacks don’t use malware; AI, unemotional and unswayed by fear, is a useful tool that won’t be jeopardized by human error; and now is the time for companies to adopt and integrate much-needed security measures, supported by strong company/employee communication, training, and so on.
The enterprise needs to be concerned. “At home, employees and executives are communicating online with colleagues much more frequently, and they are doing so increasingly on personal devices, personal email accounts, and non-work applications,” said Chris Cleveland, founder of AI-powered phishing prevention company Pixm. “This multiplies the entry points attackers have to breach an organization, particularly those that are not protected by corporate email and firewalls.”
“Lookout data showed a 24% increase in use of iOS devices in the first 90 days of the pandemic,” explained Chris Hazelton, director of security solutions at Lookout. “This equates to several more hours a day of use for many employees.” Hazelton added that “more phishing attacks come via personal apps than email. Phishing attacks or malicious payloads delivered by work email are stopped by corporate email gateways, but it is the lack of similar protection for personal mobile apps that creates a significant opportunity for attackers to target remote workers.”
Insiders who are also outsiders
It’s important to remember that it’s not only team leaders and their teams telecommuting: “IT and security stakeholders are themselves more remote than ever from the people they are trying to protect,” Cleveland said. “This makes it harder to influence their users toward better cyber hygiene and awareness, particularly for employee training efforts.”
He notes that Q1 saw a 350% increase in phishing attacks, many hinging on impersonating tax-relief efforts by government entities like the IRS or HMRC—unsurprising, because individuals as well as business owners were anxious to claim much-needed benefits.
The psychology of hacking and a fearful remote workforce
The COVID-19 crisis amplified existing vulnerabilities, which “are not new, but the pandemic and WFH environment have exacerbated and accelerated them,” he said. “General anxiety around the pandemic, longer work hours and related emotional stress can short-circuit people’s short-term decision making, which hackers are exploiting with phishing.”
Here’s what hackers want: employee credentials. Cleveland cites them as the No. 1 data-breach vector and said: “Today that is easier than ever as there is an increasing number of accounts employees use to share and access sensitive digital assets. Since most traditional enterprise defense against phishing emails and malicious URLs hinges on the web’s reputation and threat intelligence, there is a big fat window of time to launch a new attack and steal passwords before an attack is reported and those reputation and intelligence tools start working. This is why 75% of credentials are harvested within the first hour a phishing attack is deployed.”
Hacker tools start with the familiar malwareless phishing, followed by “open-source phishing kits that can phish two-factor authentication codes in real-time,” Cleveland said. “Much more common than that are hackers hijacking the reputation of third-party websites, by first breaching them and using them to deliver phishing pages to targets.”
Digital Shadows, a software company, identified an increase of 160% in the number of total cyberattacks in 2020, when compared to 2019, said Ivan Righi, the company’s cyber threat intelligence analyst.
“Spearphishing and account takeover attacks (ATO) remain the most credible threats to remote workers,” Righi said. “Nearly 30% of all remote work incidents since the start of the COVID-19 pandemic were attributed to phishing attacks. A successful phishing attack could give threat actors a foothold on the victim’s network, where they can later move laterally and spread malware, such as ransomware, on critical systems.”
But in addition to personal device security concerns, home equipment may also play a role, said Brandon Hoffman, chief information security officer at Netenrich. “There are some more manual approaches as an initial entry point that remote workers create opportunity for. Some examples include weak security on home routers or smart devices attached to the same network. Even in these scenarios, if a manual attack against something like a printer takes place to gain access to the network, at some point malware will likely be deployed against the target machine.”
“Employees have always been on the front lines when it comes to cyberattacks, whether they are targeted at the office or at home,” said Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic, a protection software company. “However, when targeting employees at home, cybercriminals typically had to wait for the employee to return to the office or open a VPN connection to abuse stolen credentials and gain further access to the victim’s employer. With the increase in today’s remote workforce, many organizations have opened persistent connections from employee’s home offices, allowing cybercriminals to jump onto those connections and abuse remote access immediately.”
“IT security can reduce the risks from such threats by increased cyber security awareness for employees and practicing the principle of least privilege, meaning employee credentials cannot be abused by criminals to gain access to other parts of the organization’s network. A strong cyber defense starts with the employee and the ability to detect attacks that start from their home network as well as the ability to reduce those risks with a strong privileged access security solution that can implement a least privilege strategy.”
“Non-security incidents can have a substantial knock-on effect within the information security spectrum,” weighed in Steve Durbin, managing director of the Information Security Forum, an organization of cyber, information and risk management businesses. “In 2020, the striking example has been the global COVID-19 pandemic, which forced digital change on organizations at high speed and certainly faster than many had dealt with before. It meant that senior IT and security managers have been called on to refocus efforts and help their organization orient around secure remote working practices. They also had to ensure supply chains remain secure and roll out tailored security awareness campaigns and training, for example to combat the sudden flood of phishing scams related to COVID-19. COVID-19 represents both a crisis and an opportunity. It has accelerated and concentrated forces, such as the move to remote working and adoption of cloud services, that were already in motion. Organizations must be willing to respond to non-information-security-related threats if they have a significant impact on the way an organization operates or threaten its technical infrastructure.”
Finally, “As well as using digital tools, it’s paramount that enterprises stick to high-security standards,” Cleveland stressed. An “employee should always follow their employer’s advised best practices to avoid being the cause of a costly breach.
At the very minimum, best practices should include using company-issued devices equipped with security controls where possible, VPN usage from personal devices, and training on basic security practices. Companies should implement a disaster recovery and business continuity plan, and purchase cybersecurity liability insurance.”
Organizations should take a critical look at “how many employees have access to authorized and confidential material that needs to be kept secure; it’s a breach risk.” Individuals should consider cybersecurity a job requirement, and not something left for IT, Cleveland said. “If individuals take responsibility, IT teams can spend less time tending to attacks and more time paving the way towards a remote-ready cybersecurity solution.”
Cleveland cited three of what he considers the most common ways to contend with cybersecurity threats:
Communication: Employees should feel like they have a stake in their company’s data security. Good communication should be an organization-wide alignment.
Awareness training: Common, and not entirely effective, though it has been found to reduce phishing clicks by 75%, so it is a start.
Install real-time AI applications on the user devices: “This can augment real-time decision making for end-users to prevent threats that bypass and circumvent the existing corporate security funnel,” Cleveland said. “It can also support users in WFH environments. Browser-based AI tools, in particular, can protect users from phishing links delivered outside their corporate email, like LinkedIn, WhatsApp and personal email.”