Working from Home — The New Threat Frontier

The emergence of the COVID-19 outbreak dramatically changed and disrupted the normal routines of our personal and professional lives. It led us to stay inside and work from home. It altered our browsing habits on our corporate devices, and it led to increased levels of security risk exposure.

According to our research, Akamai observed momentous internet traffic growth in March, which can be explained by new guidelines around social distancing and remote working during COVID-19. One of the observed changes is the increase in consumption of internet services over enterprise-connected devices, with a 40% increase during the month. The research also shows an increase of more than 400% in traffic to malware-associated websites.

We consider both of those observed changes to be the outcome of changes in users’ browsing habits when working from home, as connected devices are being used more frequently to access social networks, chat with friends and family, or read the latest news reports. The changes in browsing habits come at a price, as the risk of accessing malware-associated websites increases as well.

In this post, we’ll look closely into the numbers and trends associated with enterprise users — employees connected to enterprise applications and systems while COVID-19 guidelines for working from home are applied — and evaluate the implications of those changes on remote accessibility to enterprise applications, traffic consumption of a wide range of internet services, and access to malicious and risky websites.

Access to Enterprise Applications

The first data source used to analyze changes due to COVID-19 is Akamai’s Zero Trust Enterprise Application Access service. This data set enables us to measure the changes associated with the way people are now working and accessing enterprise applications over time. 

The first attribute of the data that was used was the location of enterprise users. We were able to see an increase in the number of cities across the globe where users connected during the time frame of mid-February to mid-April 2020. The data shows a 114% increase in the number of cities, which represents the outcome of new work-from-home guidelines, as enterprises are adopting business continuity plans and enabling remote connectivity for their users.

The data from the week of March 9 to the week of March 16 shows a rise in the percentage of remote access from multiple cities, reflecting the new guidelines implemented around the world for people to stay at home.

Figure 1: Cumulative change in enterprise users’ connectivity by their location (cities)

The second attribute of data is the change in the percentage of unique applications being accessed. In this case, we could see an overall change of 216% in the number of applications being accessed, representing enterprises’ adoption of business continuity plans and enabling of remote access to more enterprise assets. 

Similar to the location data, accessed application data also shows strong momentum between the week of March 9 and the week of March 16, when guidelines around social distancing and remote working were announced.

Figure 2: Cumulative change in number of enterprise applications being accessed

Consumption of Internet Services

The second source that we used to analyze changes due to COVID-19 was data from Akamai’s enterprise cloud-based secure web gateway (SWG) service. This data set enables us to measure trends associated with the way people are consuming and using internet services from their enterprise devices.

To accurately measure behavior, we measured the same anonymous users over the time frame of eight weeks, sampling data of users that were chosen to represent the behavior of the larger group.

The attributes of SWG data measured were the total number of DNS queries and the number of queries per classified categories of web traffic (such as web streaming, gaming, social networks and chat sites, and applications).

The measured traffic represents traffic generated by users on corporate devices, and it gives us the ability to track changes in the way users are consuming internet services.  

Figure 3: Cumulative change in number of DNS queries

In figure 3, we can see a dramatic increase of more than 60% in the volume of DNS queries, starting in the week of March 16 and increasing rapidly in the following two weeks. The change in traffic levels stabilized over the following weeks in April.

We attribute the change in the second half of March to the new guidelines implemented around the world for people to stay at home, leading to a change in users’ browsing habits. We believe this stabilization can be considered as the new norm of traffic consumption once working from home.

When looking into the classification of the DNS traffic into different content categories, we can see that social network, gaming, chat, and streaming websites were continuously growing over the measured weeks, and especially in the middle to the end of March (figure 4). Over that month, we see an 80% increase in gaming and social networks, a 60% increase for chat sites, and a more than 30% increase in streaming website traffic.

Figure 4: Cumulative change in number of DNS queries per traffic content category

This increase in growth is not surprising. It represents the outcome of the changes related to COVID-19 guidelines of working from home. The same devices that were used in the context of work in the enterprises’ offices are now being used from home. People replaced watercooler conversations with browsing the internet for some news updates, using their favorite social network, watching an entertaining video, or just chatting with the same co-workers over an online messaging platform.

The Rise of the New Frontier

The pivot to complete work from home changed patterns around enterprise application access and internet services, but it also affected users’ security posture.

The third data source used was traffic classified as malware. Malware-associated traffic is considered as traffic to websites that are known to be risky or malicious. These can be websites that host or have recently hosted malware executables, websites running malicious code, or websites known to be compromised. 

We were able to see an increase in the number of DNS queries to malware-associated websites, mirroring the trend observed over the consumption of internet traffic, with a strong spike in the last two weeks of March of up to nearly 400%. 

The correlation between trends on internet consumption and access to malware-associated websites shows the causal relationship derived from the change of users working from home. Users change their browsing habits, leading to an increase in internet consumption, leading to more exposure to the risk of malware infections.

Figure 5: Cumulative change in number of DNS queries to malware-associated websites

While measuring malware-associated traffic gives us the ability to compare to the overall traffic consumption trend, another important measurement used was the change in number of devices exposed to malware-associated traffic. This measurement gives a more granular context on challenges associated with mitigating threats and the risk posed to enterprise-connected devices. 

As shown in figure 6, enterprise user exposure increased by more than 100% in the last week of March.

Even when considering a cumulative increase of more than 11% in the number of exposed devices from the beginning of March to the end of April (figure 6), that number shouldn’t be discarded — it represents the extra work and challenges placed in front of enterprise security professionals, who need to analyze, evaluate, and mitigate threats on their users’ devices.

Figure 6: Cumulative change in number of devices exposed to malware-associated websites
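The two measurements above, query volume to malware-associated sites and the number of distinct devices exposed, can move very differently, which is why both are worth tracking over a fixed set of devices. The following is an added example, not Akamai's code or data: it assumes "cumulative change" means percent change against the first measured week, and the row layout, device ids, and category names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows: (week_start, device_id, category, dns_query_count).
# Illustrative values only; these are not Akamai measurements.
ROWS = [
    ("2020-03-02", "dev-a", "social", 10), ("2020-03-02", "dev-a", "malware", 2),
    ("2020-03-02", "dev-b", "streaming", 20), ("2020-03-02", "dev-c", "social", 5),
    ("2020-03-16", "dev-a", "social", 18), ("2020-03-16", "dev-a", "malware", 5),
    ("2020-03-16", "dev-b", "streaming", 26), ("2020-03-16", "dev-b", "malware", 3),
    ("2020-03-16", "dev-c", "social", 6), ("2020-03-16", "dev-x", "malware", 50),
    ("2020-03-30", "dev-a", "social", 15), ("2020-03-30", "dev-a", "malware", 3),
    ("2020-03-30", "dev-b", "streaming", 24), ("2020-03-30", "dev-c", "social", 8),
    ("2020-03-30", "dev-x", "social", 5),
]

def fixed_cohort(rows):
    """Devices seen in every week, so growth is not caused by newly onboarded devices."""
    weeks = {w for w, *_ in rows}
    seen = defaultdict(set)
    for week, device, _cat, _n in rows:
        seen[device].add(week)
    return {d for d, ws in seen.items() if ws == weeks}

def weekly_metrics(rows, cohort):
    """Per week: query totals per category and the set of malware-exposed devices."""
    queries = defaultdict(lambda: defaultdict(int))
    exposed = defaultdict(set)
    for week, device, cat, n in rows:
        if device in cohort:
            queries[week][cat] += n
            if cat == "malware" and n > 0:
                exposed[week].add(device)
    return queries, exposed

def pct_change(value, baseline):
    """Percent change against the baseline week; None when the baseline is zero."""
    return None if baseline == 0 else round(100.0 * (value - baseline) / baseline, 1)

def change_vs_baseline(rows):
    """(week, malware query change %, exposed-device change %) vs. the first week."""
    queries, exposed = weekly_metrics(rows, fixed_cohort(rows))
    weeks = sorted(queries)
    base_q, base_d = queries[weeks[0]]["malware"], len(exposed[weeks[0]])
    return [(w, pct_change(queries[w]["malware"], base_q),
             pct_change(len(exposed[w]), base_d)) for w in weeks]

if __name__ == "__main__":
    for row in change_vs_baseline(ROWS):
        print(row)
```

In the constructed data, one noisy device that joined mid-period (`dev-x`) is excluded by the cohort filter, and malware-category queries rise far faster than the count of exposed devices.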

Summary 

The analysis and data presented above show what we believe to be a continuous trend as the result of enterprise users starting to work from home due to COVID-19 guidelines. As the domino effect shown in this research illustrates, enterprises are seeing a dramatic shift in employees working from home, leading to increased need for remote access to enterprise applications and assets. While remotely connected, the online habits of enterprise users are also shifting into rapid growth in consumption of internet services, finally leading to growth in security risk to enterprise users and devices.

As remote employee access becomes a critical element for business continuity, here are our top recommendations for reducing the risk of remote connectivity:

  1. Reducing the Attack Surface
    Business continuity requires enabling more remote accessibility to enterprise servers, applications, and services. We recommend enabling controlled and limited accessibility to relevant applications and services using a Zero Trust approach. Moving to this approach reduces the attack surface of the enterprise network from potentially compromised devices, freeing up the enterprise’s security team to focus on better monitoring and protection for enterprise assets.
  2. Protecting Enterprise Assets
    As more enterprise servers, applications, and services become accessible to remote enterprise users, those assets need to be better protected to avoid being compromised or exploited.
  3. Protecting Remotely Connected Devices
    Make sure remotely connected devices are continuously monitored, evaluated, and mitigated according to their security posture. As working from home becomes a norm, and more and more personal devices are granted access to enterprise assets, those devices need to be tracked for their security posture and the risk associated with them, and they need to be able to detect and block threats that try to compromise them.
  4. Actionable Security Controls
    The ability to react upon detection of compromised devices, suspicious user behavior, or devices with risky security posture allows security teams to block, suspend, or limit users’ accessibility, and reduce risk involved with remote connectivity.  

The COVID-19 global crisis has mandated a shift to a remote workforce. We need to rethink the way we enable corporate accessibility, protect assets, and eliminate threats. Usability and habits of corporate users have changed, and we must address these to ensure the future of work.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Or Katz. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/FaRsdVbeQa0/working-from-home-the-new-threat-frontier.html

Or Katz

Or Katz is a Principal Lead Security Researcher at Akamai. Or is a frequent speaker at security conferences and has published numerous articles and white papers on threat intelligence and security defensive techniques. He began his research career in the early days of web application firewalls (WAFs) and he was OWASP Israel chapter lead from 2017 to 2019.
