The transition to remote work last year lowered the bar of sophistication for hackers like me. People with privileged access to corporate networks now sit at home—some on the open internet—sending and receiving valuable corporate data.
Last March, 42% of the US workforce switched to working from home, and as many as 88% of CXOs and VPs said they felt ready for that shift at the start of the pandemic. Two months in, they learned that they were not.
During that time, 85% of US CXOs and VPs said they experienced significantly higher rates of cyber-attacks, with 96% admitting to being completely caught off guard by the challenges that remote work posed. Organizations had lost control.
As a former hacker, I am dismayed but not surprised by this data (via cybersecurity company Tanium). Employees left the office with laptops and cloud accounts, but the safety nets and fortresses that kept them safe didn’t follow.
Organizations in the midst of their own rude awakening need to learn three things fast:
1. It’s human nature to feel that we are more prepared than we are. Remote work has exponentially increased the corporate attack surface. Senior employees with access to important information can now be reached through weak points ranging from social engineering to ransomware, granting hackers the keys to the kingdom.
At the same time, enterprises became victims of their own designs. VPNs that had once been used by 30% of staff at any given time were now accessed by nearly all staff, squeezing organizations’ limited bandwidth. Some did not have enough VPN licenses to go around or enough laptops for workers who had traditionally been without computers or working on desktops. As a result, employees are working on the open internet and using personal devices that their IT teams cannot identify or monitor.
Another weak link in this quickly cobbled-together chain is the “smart” home network. Gaming systems, IP cameras and smart refrigerators are all connected devices that can be compromised and twisted into a gateway to the corporate network. All a bad actor has to do is choose the lowest-hanging fruit. Already, hackers have rolled out crime kits, back doors and command-and-control exploits for Macs and other mobile devices that individuals are likely to use at home.
To reduce the attack surface, organizations must be as ready to adapt as hackers are. Employees, in particular, should be aware of social engineering tactics and understand how their behaviors can be weaponized by adversaries. “Don’t trust, always verify” is an excellent axiom for today’s threat landscape. All it takes is opening one PDF to set off malicious code that lays down the welcome mat for a hacker.
2. There is no appealing to the malicious mindset. In order to stop a hacker, it’s important to think like one. Until I was arrested at the age of 17 for breaking into a federal network, I loved the thrill of a hack. History has taught us that attackers will shift their attention to wherever there is a broader attack surface and a big payday. While there was once a time when they did it for the thrill (and for bragging rights), hackers today are highly motivated to monetize data.
It is not yet known how much money hackers have stolen during the pandemic, but it is likely to be a sizable amount. The number of incident response engagements at Brier & Thorn has nearly doubled since the pandemic started. Beyond my business, the FBI said that it had received nearly as many Internet crime complaints in Q1 2020 (320,000) as it had throughout all of 2019 (about 400,000).
3. The major problem of unknown assets. All of this amounts to significant security challenges that are ultimately rooted in a lack of visibility. Without a doubt, the biggest threat to organizations today is not knowing what assets they have. That problem is compounded by the fact that these unknown assets are more fragmented and distributed in a remote working environment. When unknown assets access an unpatched, unsecured network, the entire organization is at risk.
In my work in penetration testing, I’ve been able to compromise more than half of tested networks by gaining access through an unknown asset.
The good news is that these challenges can be addressed. While there are no silver bullets, enterprises should look to take a few key steps.
1. Re-establish visibility across the entire operating environment and adopt technical controls to identify and patch vulnerabilities.
2. Rethink business structure and realize that centralization may be a thing of the past. According to LinkedIn, 40% of Millennials and Gen-Z workers prioritize working from anywhere.
3. Re-tool their security strategy. The old castle-and-moat approach won’t work because data is no longer confined to the castle. Teams must secure data everywhere it lives and everywhere it could go.
Protection, Not Prevention
The work-from-home paradigm has created a new era of distributed operating environments filled with valuable data. There are countless new ways to access it, which is great for employees but creates new challenges for corporations.
Cybersecurity is a journey. Most organizations recognize that it is only a matter of time before malicious actors attempt to breach their networks.
By implementing the right technical controls to identify and patch vulnerabilities before they are exploited, enterprises will be poised to overcome future threats – whether employees are working remotely or all under one roof.