The coronavirus (COVID-19) pandemic has forced businesses to undergo seismic changes in the way they operate. As flexible policies become standard and remote work becomes a norm, another important challenge is taking the spotlight – cybersecurity.
The coronavirus pandemic presents a tremendous health crisis that nations across the globe are grappling with. With over 2 million confirmed cases of infected people globally, the virus is causing a huge impact on people’s lives, families and communities.
In addition to being a major public health issue, the COVID-19 crisis also brings about profound social and economic consequences, according to the World Health Organisation (WHO) Director-General Tedros Adhanom Ghebreyesus.
Crisis-response efforts are in full motion in many countries across the world. Healthcare organisations are explicitly increasing their capacities and maximising their resources to cope with the rising demands to contain the virus. Educational firms are shifting to online platforms to ensure ongoing learning opportunities. Moreover, companies are rapidly adopting new ways to operate to maintain their businesses, many of which have been compelled to embrace remote working.
However, with the coronavirus not showing any signs of slowing down anytime soon, enterprises are faced with the challenge of having to juggle a range of new systems priorities such as ensuring the stability of critical business processes, workforce productivity and, of course, cybersecurity.
Security Advisor ME speaks to industry experts to get their insights on how the pandemic is impacting the cybersecurity and the future of work.
Risks and challenges
For many businesses, the move to a remote working model came too swiftly. Rather than being able to transition gradually, the quarantine measures demanded a quick response, which has left CIOs and CISOs with little time to prepare and address the cybersecurity challenges for remote working.
The huge amounts of global uncertainty and change that organisations are facing are what criminals are seeking to capitalise on, according to Harish Chib, vice president – MEA, Sophos. These risks are further amplified by the immediate and unforeseen IT challenges that companies are having to ensure their staff can work from home.
“Normal remote working is not a challenge as it gives organisations time to implement it,” says Chib. “The current scenario due to COVID-19 is different. This remote working is rapid, forceful and unplanned, and many organisations have relaxed their cybersecurity controls due to this. There are two areas which are most likely to result in a cybersecurity incident due to the ongoing crisis: remote access and phishing.”
With a majority of employees working from home, business networks have been exposed to countless untrusted networks and unsanctioned devices.
“When employees connect to their corporate networks from home, they expose numerous access points for hackers to exploit,” says Subhalakshmi Ganapathy, Product Evangelist, ManageEngine. “These unprotected endpoints extend the corporate network perimeter, which increases the attack surfaces for the hackers.”
Ideally, whenever an employee is working remotely, they should be accessing their organisation’s network and any software-as-a-service (SaaS) resources they need via a virtual private network (VPN).
A VPN creates a safe, encrypted ‘tunnel’ from the user network, whether public or private Wi-Fi, across the public internet, and into the organisation’s network.
According to Ganapathy, often enterprises don’t have segment or limit their networks for VPN use as they are usually utilised by internal employees and/or trusted third-party vendors. However, with the sudden shift to remote working, most IT teams wouldn’t have had the time to segment their network for the large VPN usage.
“This could lead to channels used for remote connections such as VPNs and other remote access platforms having umpteen security vulnerabilities that could be exploited by the hackers. A simple phishing attack on an unsecured network can expose the entire sensitive data of your company,” she explains.
The human element
More critically, IT and security leaders need to bear in mind that attackers will first and foremost take advantage of human weaknesses.
In the last few weeks, there has been an increase in the number of incidents of individuals receiving a variety of emails, which impersonate authorities such as the WHO to persuade victims to download software or donate to bogus causes.
Google’s Gmail, which is being used by over 1.5 billion users globally, has blocked around 18 million hoax emails related to COVID-19 since the outbreak began.
There have also been numerous cases of coronavirus-themed emails being sent out, which have been designed to look like they came from an organisations’ leadership team but are embedded with malware that would infect corporate networks.
“Humans are the weakest links in the security ecosystem,” says Sam Curry, Chief Security Officer, Cybereason. “Today, the biggest blunders include opening email attachments that end up being laced with malware or ransomware, visiting dubious websites or downloading malicious software. The CEO of a company shouldn’t be emailing you a message asking for you to wire transfer $1 million to an account to deal with COVID-19. That should raise a red flag with any employee these days, but there are countless examples of this happenings over the years.”
Curry further notes that even as companies ramp up their security awareness programmes, the overall task of educating employees on the do’s and don’ts to reduce corporate risk remains a constant challenge.
Werno Gevers, cybersecurity specialist, Mimecast, says, “There is a general escalation in cybercriminals’ activity during times of heightened disruption.”
“Already, malicious actors are spreading disinformation with the sole purpose of creating panic. People are desperate to find out more about the crisis and are letting their guards down, clicking on just about anything sent to them. Even one misclick on a link could initiate malware and put the user – and the organisation – at risk.
“Webmail and private emails are unencrypted, leaving employee devices at significant risk of compromise via interception or ‘man in the middle attacks,’ and can make home networks vulnerable to compromise as attackers may piggyback on these end-users to compromise an otherwise secure environment,” he adds.
However, Centrify regional director for Northern, Southern Europe, Middle East and Africa Kamel Heus points out that one of the most common risks that organisations make is focusing only on securing remote access for regular employees. They often forget about the privileged users such as management teams, IT staff and database administrators among others, who often have privileged access to critical infrastructure and sensitive data.
“Those are the credentials that cyber-attackers are most commonly after since they offer the most power and ability to move laterally, find and extract data, and sell it for profit,” he says.
“They also forget about securing outsourced IT and other third-parties who are not employees but may have elevated privileges. Many times, those third parties are simply using a VPN to access the network, which leaves a gaping hole in the security of the enterprise. IT staff, whether employees or consultants, need to have secure remote access for privileged users that goes above and beyond the solutions being made to the collective at-home workforce.”
This being said, CIOs and CISOs need to ensure that their workforce maintains a comprehensive understanding of the cybersecurity risks.
“It is hard to build a cybersecurity culture with employees and user slack is quite certain to take place,” says Rohit Bhargava, Practice Head – Could & Security of Cloud Box Technologies. “Not every employee understands the risks that the organisation could encounter equally.
Bhargava emphasises that IT and business leaders need to look at training and cybersecurity awareness to be as regularly as possible. “Employees must be made aware of phishing emails and ransomware attacks, which must be reported in real-time to the concerned IT experts. There should be better systems in place to manage user sessions and strengthen IT processes and audits to ensure that information leaks are prevented.”
New platforms
In order to maintain productivity and ensure business continuity, organisations have also opted to deploy new applications to allow users to perform work-related tasks remotely. However, the rapid escalation of the pandemic has left them with little time to prepare the security measures in utilising such platforms.
“Many companies that did not initially have remote work capabilities have rushed to use consumer-grade solutions like Zoom, Facebook and many others,” says John Pescatore, director of emerging security trends, SANS. “Zoom has recently admitted it wasn’t ready for this level and type of use and is focusing 100 percent on security and has already taken some steps. Also, users are often sharing or storing business-sensitive information on these services, which increases the odds it will be exposed.”
A majority of new home workers have also adopted third-party applications and use non-corporate remote access tools such as GoToMyPC and TeamViewer, which increases the risks of data breaches.
“Use of unapproved cloud storage makes it more difficult to detect attackers that are trying to exfiltrate data,” says Matt Walmsley, director – EMEA, Vectra. “It also creates regulatory and compliance issues.”
“It is possible there will be heavier use of cloud-based storage (OneDrive, Google Drive, etc.) rather than corporate file servers to share information. This means more valuable information could be placed into cloud storage than would have with most workers on-prem. The way that the remote host is connected will impact what level of cloud storage visibility is available,” he explains.
Walmsley reiterates that security teams must rigorously identify, understand and protect the newly expanded attack surface that the move to increased remote working has created.
Digital Guardian VP for Cybersecurity Tim Bandos shares these views as well saying that with the rapid transition to remote work, data sharing has become a bit of a nightmare for organisations and their employees.
“With the right tools in place, transferring large files while at work may have been easy in the past,” says Bandos. “Without these tools, employees may look for workarounds if they’re unable to use corporate email. Employees may be tempted to leverage sites that are typically blocked while at work such as Dropbox or Box. These workarounds can add risk when it comes to exposing an organisation’s sensitive data to the outside world. It’s essential to educate employees on the risks associated with how data is transferred and offer them the tools they need before they go out on their own looking.”
Furthermore, Bandos points out that inter-office chat platforms can come with inherent risks as well. “Companies that don’t subscribe to an industry-recognised service like Slack or Microsoft Teams could be in danger of having data exposed. Chat platforms like WeChat, Telegram, Viber and the likes are all free but when it comes to experience and security, namely end-to-end encryption, users’ mileage may vary.
“Additionally, phishing attacks are no longer just an email issue. If you can be contacted by individuals outside your organisation via these apps, the platforms can open the door for phishing scams,” he adds.
Next steps
So, what kinds of tools and solutions can organisations utilise to ensure cybersecurity amid the COVID-19 pandemic?
According to Help AG CTO Nicolai Solling, one of the key elements of a robust and secure work-from-home strategy is secure remote access as working remotely radically changes how users, services and data are protected.
“As a bare minimum, any remote access solution should offer two-factor authentication (2FA),” he says. “2FA combines something the user knows – like a password – with something that they have. Today, 2FA can be easily delivered as a smartphone app. It is quick, easy and cost-effective to deploy.”
But it is important to understand that when evaluating your remote access solution, it is also important to remember that there’s no ‘one-size-fits-all’ solution.
“You may even have existing IT investments which can effectively support your remote workforce when evaluated and re-purposed correctly,” explains Solling. “In these unprecedented times, several technology vendors have provided promotional programmes and extended licenses to help organisations overcome security challenges. With the support of a highly-skilled implementation and support partner such as Help AG, most of these solutions can be delivered with extreme speed and with fantastic security features.”
Robert Huber, chief security officer, Tenable, says, “Security teams should lock arms with IT to secure all software-as-a-service (SaaS) applications via cloud access security brokers for configuration, security and data loss prevention. In tandem, integrate all SaaS solutions into one central identity and access management solution. This will not only save time but also reduce headaches too.”
The future of work
If done correctly and securely, remote working can yield a range of benefits for both employers and employees.
“The COVID-19 pandemic has forced many companies to have to enable and exponentially ramp up remote working, for a vast majority of their workforces,” says Marco Marco Rottigni, chief technical security officer, EMEA, Qualys.
“This has highlighted several risks which would otherwise not have been considered if remote working had been approached as an IT project. I believe that this experience will bring a better awareness in companies and among employees about the huge advantages of smart working; this will hopefully increase the overall operational efficiency once this crisis is behind us. Organisations will also gain a better understanding of the importance of SaaS to leverage business and IT processes.”
In the past, remote employees often report flexibility and focus as the biggest benefits, which enables their productivity. It has also proven to be the best resort for many businesses who want to ensure the continuity of their activity amid the pandemic.
“We think that this crisis will drastically change the working habits in many organisations, and some of them might find advantages in remote working,” says Asif Hashim, Middle East Business Manager, WALLIX. “Employees might enjoy the extra time at home, and employers might find that it reduces costs. If organisations opt to continue with this way of working moving forward, this will most likely increase the use of cloud-based services and remote connection tools and therefore make organisations more vulnerable to security breaches.”
Remote working might not be the right option for everyone. But if the future of work drives a big portion of workforces to work remotely, then organisations will have to develop new solutions to the challenges of working remotely.
“Remote work is not the norm in many cultures and regions,” says Huber from Tenable. “While I do not anticipate a monumental shift to remote work as a result of the crisis, it will certainly become a valid option for business continuity events. This will, however, require additional security policies, solutions and education to ensure that the same protections applied within an office will be sustained when working remote.”
Whether this is the future of work for businesses is yet to be determined. However, in this unprecedented new reality that we’re in, we are witnessing a dramatic restructuring of the economic and social order, which is shaping remote work as the new normal for the near term.
