This month marks one year since unprecedented lockdown restrictions were first introduced throughout the world, as governments scrambled to try and slow the spread of COVID-19. As part of these measures, non-essential businesses were forced to close their physical premises and move to digital/remote working models in order to continue functioning. This precipitated a virtually overnight shift to remote working for a huge number of people and organizations.
One year on, and despite the rapid development of COVID-19 vaccines, the situation currently remains very similar, with home working now part of daily life for many people. As we mark the one-year anniversary since stay at home orders were issued, it is worth reflecting on the cybersecurity challenges that organizations and individuals have faced while working remotely during this time, along with exploring what the impact of these may be going forward.
It’s fair to say that, especially at the start of the pandemic, the mass shift to home working caught many organizations by surprise, and they had to pivot quickly simply to ensure their staff were able to fulfil their basic functions while not in the office. Sarb Sembhi, CTO & CISO, explained: “The first thing was to make sure everyone had something they could work from. Then connected to that, was having all the software that they need to make sure they can do the work, including video conferencing software.” Security was therefore often a secondary concern for businesses at this time, and has arguably been playing catch up ever since.
The traditional perimeter architecture, set up to ensure every device, network and endpoint inside corporate walls is secure, evaporated. Instead, employees were spread across multiple locations and connected to different networks, massively expanding the attack surface for cyber-criminals. Anurag Kahol, CTO, Bitglass, noted: “This shift had (and continues to have) massive implications for IT and security teams. In essence, the pandemic killed the perimeter and the legacy security strategies that organizations had leaned upon for years.”
Endpoint Security
A major implication of this new way of working has therefore been a substantial rise in the number of devices and endpoints, offering numerous pathways into organizations’ systems. With some companies not in a position to provide all staff with corporate laptops, particularly at the start of the crisis, numerous people were forced to turn to their own personal devices, such as phones and tablets, for work purposes. Pete Pendlebury, technical director at Cortex Insight, emphasized the scale of the problem: “Getting people remote access to systems and data was one of the major challenges for businesses, because not every company had employees with laptops or systems which enabled remote access into corporate networks. This left businesses scrambling and making decisions on security they wouldn’t normally have done.
“Corners were cut just so businesses could keep operating. One common concern was allowing employees to work from personally owned computers and laptops which, until the start of last year, was something most companies would never have dreamt of letting people do.”
In this context, Brian Honan, CEO, BH Consulting, outlined the enormous challenge of ensuring all devices used for corporate purposes were adequately secured. “How do you ensure patch management carries on as it did beforehand? How do you take the challenge of managing a device that is someone’s own personal device so therefore you can’t enforce your patches on top of them?” he asked. “So you have that challenge of trying to deploy patches, anti-virus software or any other endpoint management measures out to these systems.”
IoT Devices
Another issue revolves around the huge increase in IoT devices in homes over recent years, which regularly have security weaknesses. Sembhi explained: “I think people have got used to the idea of having new devices installed around the house, and there has definitely been a big increase in the number of devices in the smart home. So you’ve got an environment where the home was unprotected, you’re bringing your work equipment home, you’re working from home and now you’re installing these vulnerable devices that can now be used to attack the work environment.”
This hasn’t escaped the notice of cyber-criminals, with a huge rise in IoT malware detected last year.
Rapid Cloud Adoption
In order to help continue the flow of information in the remote working environment, many organizations have accelerated their cloud adoption. While this has helped organizations improve productivity, it has raised additional security concerns. “Moving to the cloud has highlighted many deficiencies in cloud security strategies, especially when it comes to protecting the critical financial and customer data which has been migrated to these cloud systems,” observed Kevin Dunne, president at Pathlock.
Honan concurred, adding that in the rush to migrate to the cloud, proper security features were often not enabled, making organizations far more vulnerable to attack. “Security is something you need to think about before you engage with a new solution or system because we have seen customers take the leap too quickly, setting the systems up with the intention of just surviving as a business, but became victims of cyber-criminals,” he said.
The Human Factor
In the remote working model, with people physically separated from other areas of their business, including IT teams, organizations are now far more reliant on the actions of individual employees to stay secure. “As workers moved to a work from home scenario, the burden shifted to the individual to be diligent and conscientious about data security,” outlined Trevor Morgan, product manager at comforte AG. “Workers have to ensure that they use VPNs (which by the way have their own vulnerabilities) for protected network communications with the home office when on home networks or coffee-shop Wi-Fi hotspots, that they change passwords more frequently and that they police their own data access and storage habits.”
Unsurprisingly, this increased reliance on employees has been exploited by cyber-criminals, shown particularly by the huge rise in social engineering attacks in the past year, with the COVID-19 pandemic proving to be a tremendous lure. Throughout the crisis, its financial consequences have been a constant discussion point, with the threat of furlough or redundancy hanging over the heads of many people. This scenario has left people more vulnerable to clicking on links in phishing emails relating to topics such as financial relief packages introduced by governments. “This then created that uncertainty in the minds of employees about where they are going to get the money from to survive,” explained Sembhi.
Phishing attacks in particular have been viewed as an effective gateway into organizations’ systems by bad actors, and have been a constant theme of the pandemic. Martin Jartelius, CSO at Outpost24, noted: “Phishing in all its forms will continue to press forward in 2021, especially with the home workspace starting to blur the lines for many between work and personal life. This offers greater opportunities for hackers to Phish/Smish/Vish away at the gatekeepers to our data from employees who work from home and sit separately from the secure firewalls of the office environment.”
In addition, numerous studies have shown that a high proportion of remote staff regularly engage in insecure behaviors such as device sharing, which puts their organization at greater risk of attack.
A New Approach to Security
All of this means that organizations are operating in a more dangerous landscape. While it appeared at first that the shift to remote working was only going to be a temporary measure, it continues to persist throughout the world. The indications are that, for a lot of workers, remote (or at least hybrid) working will become the norm beyond the current crisis. As Sembhi noted, the pandemic has proven that people are able to work very effectively from home, and it is likely both staff and organizations will be far more open to this approach going forward, especially if it can save money on overhead costs. “We’ve learned that we are more resilient as individuals than we ever thought we were,” he commented. “We will put up with a lot and do what needs to be done whereas the thinking before was if we let people work from home how do we know they’re working.”
In this reality, security architectures need to adjust, with a zero-trust model now seen as essential by security experts. This can help reduce the onus on individual employees, with access management and monitoring at its heart. Dunne stated: “Organizations need to strongly consider a zero-trust approach to security, which can ensure damage is limited even in the case that privileged accounts are compromised. Rationalizing the applications, identities, access and roles into a manageable and understandable structure is the foundation of a zero-trust architecture. From there, organizations can implement more investigative and preventative policies to ensure that the access that has been granted is being used as it was intended to be.”
Ensuring staff are more security conscious and aware of the basic cybersecurity behaviors is also critically important in this new environment. Organizations should be “growing a culture of data security and data privacy. People need to understand that they are the caretakers of their own organization’s valuable and often sensitive data, much of which also consists of customer information,” noted Morgan.
Positive Signs for the Future?
On a positive note, there are signs organizations are really starting to appreciate the necessity of tightening their cybersecurity defenses to protect a hybrid workforce. “On the whole, organizations have done relatively well in adjusting to the conditions imposed on them by the pandemic,” said Oliver Tavakoli, CTO at Vectra. “The first weeks of the pandemic consisted purely of adrenaline-driven change which was thought to be temporary in nature. Once everyone was three months into the pandemic, it became clear that the conditions would last for a while and organizations accelerated some projects which were already in the planning stages to get to a better posture.”
As per the mantra ‘necessity is the mother of invention’, it appears likely that organizations will ultimately be forced to implement zero-trust models to manage this way of working. Bindu Sundaresan, director at AT&T Cybersecurity, commented: “Cybersecurity is more related to risk and resilience. The idea of security being a shared responsibility and heightened awareness across organizations will be seen.”
On the vendor side, it is also not fanciful to expect to see a growth in new cybersecurity solutions that protect hybrid workforces going forward. Sembhi said: “I hope we will see technologies in the next six, nine or 12 months that will enable us to work from home far more effectively and more securely with less worries.”
Additionally, the cybersecurity awareness and knowledge of individual staff should naturally improve as they are forced to take more responsibility for their own cybersecurity. Tom Pendergast, chief learning officer at MediaPro, added: “The move to remote work is ultimately going to improve the cybersecurity acumen of the common employee. After all, when it comes to cybersecurity, everybody who suddenly found themselves working from home had to go through this process of taking more ownership and control over their security: they had to dig into their Wi-Fi settings, they had to master remote connections, etc.”
Out of the gloom of COVID-19, a period which has inflicted huge health and economic damage upon much of society, some potential positives have emerged. One of these is a more flexible way of working, and to facilitate this effectively, organizations have become increasingly aware of the need to enhance their security posture. “I think many companies now have learned that IT and technology are key to their survival and upped the priority of cybersecurity to senior management/board level,” stated Honan. However, he explained that security has to ensure it takes full advantage of this situation by working as collaboratively as possible with the organization, taking the Walt Disney approach of “yes, if” rather than “no, because” when responding to digital transformation initiatives. “We have to make sure we can meet the businesses needs as well and that means instead of blockers, we have to be enablers,” he added.