This is a quick look back over the last six months or so: what’s changed in the world of work and cybersecurity and how businesses have responded. I wasn’t sure how to title this post. I don’t think words like ‘review’, ‘lessons learned’ or ‘takeaways’ really do the scale of the situation, but ‘What the …. just happened?’ seems a bit strong.
That being said, from my research and conversations with people in the companies that have made it through this terrible time, I can confidently sum up the last six months in seven words:
Everything changed, and everything stayed the same.
Everything changed because a lot of people were required to work from home at very short notice. The proportion of those teleworking went up from 8% pre-pandemic, to around 42% in August (including those working from home part-time).
IT departments had to very quickly find ways for people to work remotely. Is there an office computer the users can take home? Can they use their own kit? Who gets VPN access? How else are files shared? How can we manage remote devices? What about malware protection? And when people are able to work from home suddenly there are backups, compliance and so many other things to consider.
One big headache of managing security in a corporate network environment became ten, a hundred or a thousand little headaches. An army of homeworkers were using wifi networks shared with who knows who clicking on who knows what!
Then the dreaded rise in coronavirus-related malware and phishing attacks. Scammers preying on our fears and desire for news, reassurance and PPE.
And yet everything stayed the same.
Most businesses were used to having at least some remote workers pre-Covid. VPNs, Microsoft 365, G Suite all existed before, as did malware and phishing emails. Video conferencing has been demanded by users ever since they first considered how lovely it would be to work in their pyjamas. For many IT departments it was just a matter of scaling up existing technologies and dusting off the BYOD policy.
Yes the cyberthreat grew, especially from phishing and other scams, but very much in line with people’s click-worthy concerns. A recent article from Microsoft details how coronavirus scams rose and fell with the pandemic related news cycle in different countries. After all, this has been quite a year for big news stories, and the pandemic is only a part.
But while the methodology of the attacker didn’t change, the attack surfaces themselves did change in size and scope.
The office VPN is not just a route in for the homeworker. Another member of the household, or a piece of insecure IoT, could download malware that is able to tunnel through the homeworker’s computer into the corporate network.
RDP attacks are also on the rise. The Remote Desktop Protocol might be being used for remote management, or not have been disabled before computers left the office. This is a well known exploit route, a new vulnerability in which was discovered just last year.
And then of course there’s the ever present danger of ‘Shadow IT’. It was always there – the employees finding new and interesting ways to ‘make life easier’ for themselves. Sharing confidential data on random file-sharing sites because the VPN is soooo slow. Installing TeamViewer because that’s the software the prospective client wants us to use. Using the same username and password to download software that they use to log on to their computer. It was happening before and it’s happening now.
So what are the people in charge of IT Security supposed to do six months down the line?
Here’s a few things to do right now:
- Reassess your threat landscape. Every homeworker’s computer is vulnerable in a way that they weren’t before. Through your VPN your internal network is now connected to all these home networks and everything malware-ridden thing on them.
- Review user access. In every way possible you should reduce the possibility of a remote worker spreading malware. Least privilege access might have to mean even less than before. And with so many people sadly laid off – is every piece of kit accounted for, and their user access, and all their accounts with online services?
- Increase your ransomware protection. Not just the detection software, but your backup and restore procedures still need testing and improving. If you love your trusty tape drive because of the air-gap it gives you but you haven’t been able to get to the office for months to change the tapes, you’ve got a problem.
- Go over every decision made in a hurry. Some of those quick and dirty fixes to get people working from home in a hurry might have turned into long-term risky solutions by accident.
- Get a cybersecurity assessment. However well you think you’ve done is no match for someone external and experienced to give you advice and hopefully some reassurance. Picking up a vulnerability before it’s exploited is invaluable.
If your company has got this far without a serious security breach then by all means pat yourself on the back. But also consider that you’ve either been very lucky, or there is one taking place that you haven’t found out about yet. Yes nothing has changed, but everything really has changed, and if you didn’t change with it then your networks and data are at risk.
Speak to the experts at TBG Security today about their cybersecurity assessment and get some peace of mind.