The Health of Security
The digital security threat landscape has been radically shifting as the pandemic has taken hold. For all businesses, a new approach is needed to ensure that their systems and staff remain safe and secure. What are the critical components of a robust and flexible COVID digital security policy?
Digital security has been rapidly evolving for the past decade. The threat landscape and perimeters enterprises have been protecting have, until now, been easily defined. COVID-19 and its radical altering of business processes and infrastructures have meant digital security has suddenly been presented with a whole new set of challenges.
According to the latest report from Gigamon, which considers the challenges EMEA IT and security decision-makers currently face, especially their attitudes towards the adoption of Zero Trust, 84% of respondents have seen a rise in threats since the start of 2020. The main issues included the work-from-home model making businesses more vulnerable due to insecure devices (51%). Phishing scams have increased by 41%, with data breaches and insider threats both increasing by 33%.
Following closely in terms of concerns were the increase in data and applications to monitor and protect (36%) and managing a complex working landscape (35%). This highlights a myriad of operational issues IT teams are dealing with daily.
Interestingly, the survey found that company culture and employee behaviour were both a motivator behind starting on a Zero Trust journey and a barrier. Shadow IT and employee education were cited as top challenges facing respondents, signalling that businesses may look to adopt a Zero Trust architecture to minimise the risk of the insider threat. Conversely, 65% of respondents who decided not to adopt the framework cited wrong company culture as the top reason behind this decision and getting employees on board (28%) was named the most important thing to have in place before starting the journey towards Zero Trust.
Bassam Khan, VP Product and Technical Marketing Engineering at Gigamon, commented: “This research dives into issues that IT and security professionals face, the causes of these issues and frameworks IT is adopting, following a major global shift in how work gets done. With rapid changes and an ever-growing attack surface, IT and security teams are beginning to rely on a solid framework to better manage risks.”
Also, Josh Neame, Technical Director at BlueFort Security told Silicon UK, “We’ve seen a stark increase in targeted phishing. Indeed, research [https://info.greathorn.com/report-2020-phishing-attack-landscape] released in September, found that 53% of cybersecurity professionals have directly witnessed an uptick in phishing this year.
“IT teams have been under huge pressure to move more services to cloud workloads, and this has reduced the time available to properly secure them, leaving security gaps in configurations that otherwise – if time allowed – would have been adequately tested and rectified. The speed required to react and maintain ‘business as usual’ operations has forced organisations to spin up services and systems without proper security vetting.
Neame concluded: “Shadow IT and its many associated risks have also increased, as workforces have perceived greater flexibility working from home. The need for collaboration has also seen new threat vectors appearing, in applications like Zoom that otherwise would not have been used by organisations.”
New COVID security
The rise of remote mass working has brought its own digital security challenges. Research from iomart indicates that the cost of a data breach can be significant. One-third of businesses have been forced to axe essential IT staff as a result of COVID-19 cost concerns, while more than four in ten companies admitted that their remote working practices aren’t in line with GDPR requirements.
The typical data loss for a large company is between 10 and 99 million records per incident, resulting in an average company value drop of 7.27%. These costs increase if a data breach infringes GDPR guidelines, which could cripple smaller companies and businesses that cannot stand to lose up to 10% of their market value. With 60% of businesses reported as having experienced a severe security breach in the last two years, business owners must take steps to prioritise data security to minimise loss in the event of a substantial breach.
“The move to remote working has dissolved the perimeter of the corporate network, which historically was much easier for the IT department to patrol,” says Bill Strain, Product Development Director at iomart. “The increased use of personal mobile devices, public cloud services, software as a service and home Wi-Fi has opened up a threat landscape that has few borders. Not only is this unfamiliar territory for many in-house IT teams, but it is also unchartered territory for many employees.”
The importance of a detailed and up-to-date digital security policy, for remote workers in particular, is the core conclusion reached by NordVPN, which looked closely at the vulnerabilities of email and MS Word documents.
NordVPN has shown that, compared to the first quarter of the year, targeted attempts to exploit the memory corruption issue CVE-2017-11882 in Microsoft Office (2007-2016) went up by 400% in the second quarter. Analytical sensors have detected a growing trend, which doesn’t seem to be improving any time soon.
“The malware targeting a decade-old MS Office vulnerability must have been under the radar, as it has been spreading through emails for three years now. Having acquired new forms, today it is as efficient as ever. When exploited successfully, this particular memory corruption issue in Microsoft Office enables attackers to execute code on machines remotely,” says Daniel Markuson, a digital privacy expert at NordVPN.
Speaking to Silicon UK, Jennifer Ayers, vice president of OverWatch and Security Response, CrowdStrike, also explained: “Since the outbreak of COVID-19, both nation-state and eCriminal groups have exploited public fear through the use of COVID-19 themed social engineering strategies. Also, with companies having moved their workforces outside of the office, the attack surface has increased exponentially. This has made for a very active and treacherous threat environment. CrowdStrike’s recently published 2020 OverWatch report disclosed the first half of 2020 saw 41,000 potential intrusion activities, surpassing the number seen throughout all of 2019, which totalled 35,000.
“Also, eCrime adversaries have increased the volume and reach of their activities, outpacing state-sponsored activity and making up 82% of interactive intrusions observed by CrowdStrike’s OverWatch team. The eCrime actors are using more RaaS (Ransomware-as-a-Service), bringing in many affiliates and increasing the velocity of attacks. More presence online in general from companies and employees is giving attackers other means for social engineering, and of course, pandemic-related lures, financial/invoice related lures playing on human fears as part of spear phishing attacks.”
Digital COVID security continues to be multifaceted, from the data hygiene all employees must adhere to in order to protect their systems and the more comprehensive data networks they use, to infrastructure security, which has had to change in reaction to the pandemic.
Exonar found that 94% of IT professionals have experienced a data breach, and an overwhelming majority (79%) are worried that their current organisation could be next. The survey of 500 IT professionals found that when it comes to cybersecurity, employee data breaches are seen as the most significant risk to an organisation. Two fifths (40%) of respondents named employee data breaches as the biggest overall threat to information security in the coming year. In contrast, a fifth (21%) said external attacks from cybercriminals are the biggest risk to information security, and 20% believe it is ransomware/malware attacks.
When looking at what causes employee data breaches, more than half (51%) of IT professionals say these most commonly occur through external email services such as Gmail and Outlook. However, 42% say employee data breaches have happened through collaboration tools such as Slack and Dropbox, and 41% through SMS/messaging services. Just 6% of those surveyed said they had never knowingly experienced a data breach.
Scott Nicholson, Director at Bridewell Consulting, concluded: “Cybersecurity measures have never been as important to companies as during the pandemic. Rapid increases in online sales have been driven by the restrictions put in place and digital trust and assurance are vital to individuals providing their data and transacting online. A cyberattack or data breach can have a detrimental impact on any organisation’s bottom line and I would encourage businesses to review their digital footprint. All organisations need to ensure they have adequate resilience within their systems so they can continue to drive revenue via their digital channels.”
Businesses have always been under attack from many different threats. None of these threats has receded. The digital landscape has expanded to the homes of employees, making it difficult to control the security of network access. The new business normal needs new business digital security policies that every enterprise should be defining as a matter of urgency.
Silicon in Focus
Anurag Kahol, CTO at Bitglass.
Jay Ryerse, CISSP, VP Cybersecurity Initiatives at ConnectWise.
Tim Bandos, VP of Cyber Security, Digital Guardian.
Richard Cassidy, Sr Director Security Strategy at Exabeam.
How has COVID-19 changed the digital threat landscape?
RC: Social engineering, phishing, and ransomware attacks have been occurring much more over the last six months, as users are much more vulnerable. We also have to consider the recent rise in geopolitical tensions, with the UK Government warning of nation-state attacks targeting critical COVID-19 research, vaccine data, medical facilities, and even building companies behind temporary hospital projects.
Healthcare has always been a prime target for a nation-state; however, what’s worrying now is malicious actors seem to be going beyond the hunt for valuable intellectual property related to vaccines and research – they are targeting the organisations mounting our critical national response to the pandemic, knowing that focus is elsewhere. Security-related projects have taken somewhat of a backseat.
TB: Geopolitical relationships around the world have increasingly become strained and uncertain with direction, and we will continue to see state-sponsored attacks being carried out much more. There have been several attempts and even successful attacks against these types of systems, but for the most part, they’ve all been isolated.
AK: Threat actors continue to enhance their current tactics, techniques, and procedures (TTPs) as well as create new ones to infiltrate businesses and steal data, implant ransomware, and more. The United Nations’ health agency released an alert warning of an increased number of cybercriminals posing as World Health Organisation (WHO) representatives amid the global Coronavirus pandemic.
While phishing attacks are not a ground-breaking threat, and there is an elevated level of awareness around these schemes, hackers can still find success with this tactic by taking advantage of significant news. During this stressful time, recipients of these messages are more likely to click on malicious URLs, open attachments, and give up personal data.
What are the main challenges facing CTOs and CIOs to meet the COVID security threats they now face?
AK: Looking back to April, the shift in circumstances caused a panic for many CTOs and CIOs affected by lockdown. Without the benefit of planning, the initial top priority for most was purely trying to get their colleagues connected and working. As a consequence of that, irregular security gaps quickly appeared on their list of critical tasks. For example, colleagues were suddenly asking for remote access to a much more comprehensive range of services and data than they would typically require.
The uncertainty of the current situation is a real challenge. The immediate short-term planning and reaction phase has now passed, and they are faced with a situation that has now stretched over many months. In the most extreme cases, some companies are now planning for a 100% remote workforce, with an accompanying impact on security. As a result, concepts like zero trust and Secure Access Service Edge (SASE) will become the norm as they adapt their approach to meet this new – and in some cases, permanent – situation with proactive strategies.
JR: CTOs and CIOs need to ask themselves how did they digitally transform their organisation to allow all or the majority of their employees to work from home? Did the rush to do so create any security vulnerabilities? The conversations that need to take place are how can they slowly bring employees back into the workplace — not only without risking the spread of disease even further but also in a way that is secure and safe on a digital front.
It’s important to consider that not all employees will want to come back to the office full time. This will clearly impact how organisations purchase IT infrastructure going forward, for example, buying more laptops instead of desktops. That also means they will need to train employees on using a VPN connection to ensure the business can control whether the data flow is secure without putting the organisation at further risk from using BYOD.
TB: It is people who are (and likely always will be) the biggest security risk. For that reason, employers should never underestimate the power of properly educating their people. Not only is it significantly cheaper than the latest cybersecurity solution, but in the majority of scenarios, it is also much more effective. Well trained, well-informed employees can easily spot phishing or social engineering tactics and even identify insider threats, helping to stop attacks much faster than any technology solution can.
RC: The rapid shift in workplace practices that the current pandemic has accelerated has been a steep learning curve for most security organisations. With such a rate of change, C-level teams are learning to adapt and automate impressively. C-level teams are innovating in cybersecurity practice, providing their respective industries with the accountability and capability driving the best possible protection outcomes to severely limit the damage that a breach may cause.
If C-level teams are not looking to automation to underpin business and security operations, then it’ll be a case of making headline news for all the wrong reasons. There’s no reason that an organisation’s next breach can’t become one of their biggest PR successes, showcasing to the world how to best manage the breach life-cycle end to end to better detect, mitigate and remediate in a worst-case scenario.
What makes the security risks caused by COVID-19 different from the security risks businesses faced before the pandemic?
AK: How many businesses will operate going forward has fundamentally changed, and a rapidly growing number of employees are joining the Work From Home (WFH) culture. This means that the security of organisations is now at an increased risk of being compromised due to the heavy traffic flowing in and out of the cloud. Salesforce, O365, Confluence, and Slack are just a handful of apps out of the thousands that currently host their information in the cloud.
As a result, organisations must become increasingly vigilant to securing apps their employees may have access to. Company data can be remotely accessed from anywhere in the world due to the cloud and ensuring that all sensitive content is protected is a forerunner in this battle of cloud security. Everything is changing, so organisations must adapt by investing in the right tools to help them be both profitable and secure.
TB: There’s no denying the convenience of USB media. From hard drives and flash drives to a wide range of other devices, they offer a fast, simple way to transport, share and store data when a digital transfer isn’t possible. However, from a business security perspective, their highly accessible and portable nature makes them a complete nightmare, with data leakage, theft, and loss all common occurrences.
Unfortunately, the remote working climate that many organisations currently have in place appears to have compounded these issues. According to new research, there’s been a 123% increase in the volume of data downloaded to USB media by employees since the onset of COVID-19, suggesting many have used such devices to take large volumes of data home with them. As a result, there are hundreds of terabytes of potentially sensitive, unencrypted corporate data floating around at any given time, significantly increasing the risk of serious data loss.
RC: A recent report revealed that 82% of SOCs are confident in their ability to detect cyber threats, but with 40% also reporting staff shortages and only 22% of frontline workers tracking dwell time, it’s no surprise attacks keep happening. Compounding this issue, the sophistication of criminals and easy access to ransomware-as-a-service (RaaS) is rising, so we can expect to see this increase in ransomware attacks continue throughout 2020. In fact, some experts predict that by the end of 2021, ransomware will hit a business every 11 seconds.
As the cloud is now an even more important component of a business’s communications, how has cloud security had to change to meet the security risks COVID has delivered?
AK: Cloud adoption is clearly outpacing the adoption of the tools and expertise needed to properly protect data in cloud environments; this is supported by the fact that 99% of cloud security failures will be the customer’s fault through 2025, according to Gartner. Misconfigurations will continue to be a leading cause of data leakage across all verticals. In addition, highly niche cloud tools provided by second-tier cloud service providers are making their way into enterprises.
While services that cater specifically to individual industries or company departments are gaining traction, they do not typically have the same native security measures that mainstream cloud services do. Regardless, companies are gaining confidence – even if it’s a false sense of confidence – in their ability to utilise the cloud and are adopting these second-tier and long-tail cloud apps without considering all of the security ramifications. Enterprises will need visibility and control into all of their cloud footprint, including niche services, in order to proactively mitigate any vulnerabilities and properly secure data in the cloud.
JR: The most efficient way to ensure that all employees can access all of their important work documents and applications just as easily as when they are physically in the office is by migrating all such documents and applications to a secure cloud environment that employees can log in to from anywhere.
Any leading cloud platforms also include access and permissioning tools as part of their solutions, giving organisations control over exactly who can access what within the cloud, protecting sensitive information from prying eyes and/or insider threats.
The threat perimeter has now moved to the homes of millions of remote workers. Are businesses equipped to meet this security threat?
AK: The rapid shift from office-based work to home-based work, combined with a lack of adequate forward planning, has made the transition a painful one for many. Simply finding a workable remote solution has been challenging enough, let alone one that meets all the same stringent data protection measures typically found in an on-premises setup.
While the use of personal devices in the work environment is growing rapidly, many are unprepared to balance security with productivity. According to the latest 2020 BYOD Report, the greatest BYOD security concerns were data leakage (63%), unauthorised access to data and systems (53%), and malware infections (52%).
Understanding the risks is the basis for developing a successful BYOD cybersecurity strategy, but by definition, organisations lack access and control over personal devices compared to their own IT estate. For most organisations, physical access is required to secure mobile devices, but this is highly challenging when the devices are the personal property of an employee. Not everyone wants to hand over the PIN to their smartphone, for example, even when it’s to enable employers to increase security.
We found that 51% of organisations lack visibility into file sharing apps, and a quarter still doesn’t have insight into email applications on BYO devices. When asked what security capabilities they have in place for mobile enterprise messaging, 30% have no visibility or control over mobile enterprise messaging tools at all.
JR: With employees continuing their work from home, organisations must ensure they have access to the latest security tools and solutions as well as the right training on how to use it. It’s common knowledge that many company data breaches or leaks are due to human error or believing a phishing email, so making sure employees can access critical documents on a secure network is a necessity.
TB: The truth is we could be bypassing previously unthought-of security measures working from home. Video chat platforms, like FaceTime and WhatsApp, are great for collaboration, but there are a ton of others out there that may be exposing your data to additional risk. For organisations, it’s important to establish upfront an authorised platform that adheres to your company’s security policies.
It’s essential to educate employees on the risks associated with how data is transferred and offer them the tools they need before they go out on their own looking. Inter-office chat platforms can come with inherent risks as well. Companies that don’t subscribe to an industry-recognised service like Slack or Microsoft Teams could be in danger of having data exposed. Chat platforms like WeChat, Telegram, Viber, etc. are all free, but when it comes to experience and security, namely end-to-end encryption, users’ mileage may vary.
Additionally, if you’re able to be contacted by individuals outside your organisation via these apps, the platforms can open the door for phishing scams to take place. Phishing isn’t an email-only issue. Attacks can be easily constructed such as URL shorteners to malicious sites, fake login pages to harvest credentials, and more. To ensure the right safeguards are in place to protect your data, it’s highly recommended organisations identify a platform that falls in line with its security controls.
RC: Organisations need to cast their net of inspection far wider now. The home office is the new corporate cubicle, and security teams will need to detect anomalies from home networks, users and devices – sources that are far easier to compromise because they inherently lack security capabilities. Attackers understand that the inherent weaknesses prevalent in home networks and increased pressures on employees working from home make for a much easier route to compromise now than ever before.
How will digital security have to change in a post-pandemic business landscape?
AK: With the shift to remote working shaping to become long term, businesses can no longer afford to improvise when it comes to data protection. Instead, organisations must invest time and resources into finding appropriate security solutions that are capable of securing data in a remote environment. There’s a wide range of highly effective products and solutions available today that can quickly provide visibility and control, no matter how geographically dispersed a workforce might be. Organisations must equip themselves with the proper tools to avoid data leakage and other security risks.
JR: Organisations will need to strengthen their security as the majority or part of their organisation will want to continue working remotely, and protecting their own company and customer data from cyberattacks and even hardware failure will be critical. It’s important to first take a step back and understand what you’ve learnt from going into lockdown.
Having this record is crucial to uncovering potential cybersecurity vulnerabilities that may have left the organisation exposed. It’s critical to understand how these existing or new security vulnerabilities can be diminished. Organisations will need to ensure that they have strategies in place to manage cybersecurity, disaster recovery and backup, which can function no matter where the staff are located.
TB: We definitely see a huge rise with phishing attacks in a COVID-19 theme being the primary aggressor. I wouldn’t necessarily say the total number of cyberattacks has gone up. I do think the method by which they’re carrying out these attacks is that they’re leveraging this opportunity. Because these highly lucrative attacks are succeeding, they will continue to attract more groups willing to attempt their methods. It’s time that businesses consider applying security to their business practices because IT security tools are not infallible against human behaviour.
RC: As long as we have a distributed workforce, behavioural analytics can help detect attacks and suspicious user activity even for home networks. By investing in user and entity behaviour analytic tools (UEBA), this can help to free up security teams enormously, detecting anomalies across the entire estate and monitor critical assets to find early signs of suspicious activity. When presented with the most vital information, and with all of the necessary context, security teams can better respond, mitigate, and remediate the many threats they are faced with.
Photo by Sebastiaan Stam on Unsplash.