COVID-19 has forced a rapid shift from office life to a fully remote work culture and increased reliance on digital infrastructure. Accompanying this shift is a 667% increase in coronavirus-related cyberattacks since the end of February, ranging from business email compromises to scams and brand impersonation. Additionally, the FBI Internet Crime Complaint Center (IC3) has issued alerts warning the public that hackers have increased attacks on communications software and remote access applications and have created sophisticated fraud schemes including phishing emails and false domains relating to COVID-19.
These attacks have caused the rules for cybersecurity management to be recalculated for both short-term emergency standards as well as long-term strategy. In many ways, the rapid changes necessitated by the outbreak have also shown cybersecurity teams how the risk calculus will change for the increasingly connected and distributed enterprise, particularly with the growing reliance on emerging platforms like cloud and IoT.
3 Key Remote Work Takeaways From COVID-19
Manage Distributed Risk
With the majority of employees working at home, as well as the increased likelihood of remote work long-term, organizations need to be prepared for heightened risk that’s more distributed across cloud, home networks and additional third-party software tools. To manage this risk, the enterprise needs to better engage and educate employees to ensure that everyone is able to reduce vulnerabilities inherent in distributed infrastructure.
With a remote workforce, smart devices intended for home use now need to be factored into enterprise threat assessment. Approximately 40 million U.S. homes are smart homes, potentially introducing critical vulnerabilities into the attack surface. And with the onset of COVID-19, many are updating their homes to include additional smart devices, increasing the size of their home network attack surfaces. Consumer IoT devices rarely integrate even basic security measures, let alone measures that meet the security requirements of the enterprise.
With basic education from security teams, employees can minimize the risk to themselves and the enterprise by changing default passwords, adopting two-factor authentication and regularly updating their devices. These devices are on the same home networks that employees are now connecting their work laptops, merging risks inherent to home networks into corporate systems. Considering that malware is 3.75 times more likely to be found on home office networks than corporate networks, the threat landscape has exploded as work has shifted from office to home. With recession looming, likely leading to reduced budgets, tools to automatically assess and prioritize vulnerabilities will be key to manage the altered threat landscape.
Enable Security Teams To Thoroughly Vet and Secure New SaaS Tools
Tools such as remote access applications, cloud services and VPNs have seen rapid growth as companies transition to remote work. However, the urgency of the COVID-19 crisis has shortened the time frame for deployment in the enterprise, undercutting the security vetting process and limiting the time for employees to learn the new tools, resulting in security lapses that may not be noticed until too late.
As new models predict the need for remote work to extend until 2022, even sensitive information will be shared across digital tools, heightening the risk for the enterprise as well as further incentivizing malicious actors. Though the thought of product development, mergers and acquisitions or fundraising data being seriously discussed remotely may have sounded absurd three months ago, organizations need to consider the full risks of doing so to be prepared for prolonged remote work. Assess the security posture of applications that are being used to access corporate data. Many enterprise applications are built for user experience and integrations first, not security. As the number of users for certain enterprise apps has grown, hackers are increasing attacks and seeking to exploit previously unnoticed vulnerabilities.
The increase in new accounts also heightens the risk of human error as employees need to track a growing number of logins and updates from new companies. Malicious actors are finding success in imitating known software vendors, convincing employees to download or open malware posing as new account confirmations. Hackers are even updating old techniques used to imitate Excel documents as email becomes a primary form of work communication. It is important to ensure that the organization is able to effectively monitor the expanded attack surface and identify any users or devices that pose a high risk. A proactive approach to managing the changing risk landscape will mitigate threats and ensure operational continuity.
Establish an Effective Security Culture
With employees working from home, being able to communicate and encourage best practices for security is critical. With a lack of employee cybersecurity training already a leading cause of data breaches, security teams can quickly mitigate risk by introducing tools that simplify and gamify cyber hygiene, especially for high-risk users.
Gamification is an effective strategy for applying ownership of cyber-risk management to employees outside of infosec, and even outside of IT altogether. Gamification assists CISOs and security teams by tapping risk-owners’ sense of competition, recognition, learning and rewards toward reducing an organization’s overall breach risk. By turning cyber hygiene into simple, manageable tasks, the enterprise can support employees seeking to protect their own privacy while also reducing a significant risk to corporate security.
Short-term Changes Support Long-term Strategies
The COVID-19 crisis has upended short-term work patterns, forcing infosec teams to scramble as they adapt to a rapidly growing, highly distributed enterprise attack surface that includes shadow IoT and a number of new work applications. Yet, the longer-term implications cannot be ignored as technology adoption is accelerated at the consumer and enterprise level. To manage cyber-risk and strengthen cybersecurity posture, infosec teams need tools that can efficiently assess and monitor risk across the entire attack surface, as well as engage and empower employees navigating an increasingly risky threat landscape.