Audit, tax, and advisory firm Grant Thornton surveyed more than 250 CFOs in February 2021 and asked them to name the three biggest challenges facing their companies. Nearly half cited cybersecurity risks, and 30% said a remote workforce. The two are closely related.
“The pandemic pushed almost all companies to work remotely in 2020, and this shift can be directly linked to an increase in cybercrimes,” says Gyan Prakash, head of cybersecurity at IT services provider Altimetrik. “In the end, all it takes is one wrong click by an employee to infect a network.”
Why does the remote/work-from-home model pose a cyber threat? John Pearce, cyber risk advisory services principal at Grant Thornton, cites a few reasons.
One, a variety of technology changes have occurred to support a remote work model. “Security controls to support these models are still catching up with remote-work capabilities, to protect corporate assets better,” he says.
Two, bad actors continue to focus on remote workers, leveraging messaging related to the pandemic in their social engineering activities.
And third, the increased stress of the pandemic on employees, including fluctuations in work and pay, combined with poor remote security controls, has resulted in increased data theft for personal gain.
Shimon Oren, VP of research and deep learning at security company Deep Instinct, told ZDNet: “You have a much bigger attack surface; not necessarily because you have more employees, but because they’re all in different locations, operating from different networks, not working with the organization’s perimeter network on multiple types of devices. The complexity of the attack surface grows dramatically.”
“Work laptops are increasingly used for personal work, which increases the likelihood of [them] being targeted for phishing, malware, and ransomware attacks.”
— Gyan Prakash, head of cybersecurity at IT services provider Altimetrik
The remote work model is “a strain on the abilities of network defense,” says David Holmes, senior analyst serving security and risk professionals at Forrester Research. “There’s just no good way to secure the remote worker’s home-office environment.”
That won’t stop companies from trying. In the Grant Thornton, 61% of respondents indicated their organizations expect to increase investment in cyber-risk management and cybersecurity in the next year to safeguard against breaches attributed to remote work.
The remote work and hybrid work models, which many companies will move to post-pandemic, present multiple security risks:
The security risks during the pandemic are largely the same as those pre-pandemic, except on a larger scale, Holmes says.
“For example, where distributed denial-of-service (DDoS) was always a problem before the pandemic, the vendor community has been reporting significant increases in DDoS activity as many businesses effectively become digital-first,” he says.
Holmes says that DDoS extortion campaigns during the pandemic have been widespread, and attacks against VPN concentrators where employees connect to their organizations have become more common. “Ransomware and phishing are active attack vectors during the pandemic, and remote workers have been singularly vulnerable to these because they operate outside of the security perimeter.”
Companies continue to deploy technologies to provide more granular authentication and authorization services for their technology ecosystem. Some are also using enhanced security analytics to identify nefarious activity better.
But more work is required.
Before COVID-19, many companies used a combination of endpoint security on corporate-issued devices and access via virtual private networks (VPNs), Holmes says. But that model didn’t scale during the pandemic, because of such factors as too much two-way video and the increased use of online video conferencing and collaboration platforms.
In the new remote work environment, also, “work laptops are increasingly used for personal work, which increases the likelihood of [them] being targeted for phishing, malware, and ransomware attacks,” Altimetrik’s Prakash says. “Many of the content sources outside of work are not well-protected.”
Many organizations have already moved some or a majority of their services and work environments to the cloud, which can help improve security. For example, companies are operating intranets in the cloud using direct, private connections and virtual desktop interfaces.
Another area organizations are exploring is DevSecOps — short for development, security and operations. Essentially it means thinking about application and infrastructure security from the start.
“With fast-paced product release and agile development methodologies, DevSecOps is the only way to contain the security issues before releasing the code to production,” Prakash says.
Artificial intelligence and machine learning are beginning to have a critical role in uncovering threats from millions of security alerts and warnings, Prakash adds.
An Infosecurity Magazine article in December 2020 described how machine learning might be used to detect phishing attacks. In the solution described, an algorithm is located in a cloud service. It probes email header messages via the user connection to detect “ratware” — software that automatically generates mass messages. A second algorithm on the client’s device looks for phishing vocabulary in the body of the email message. The algorithms learn as they are used more.
Some companies respond to the remote work security challenge by launching “zero trust” initiatives to reduce attack surfaces. Holmes says. With a zero-trust security model, devices are not trusted by default, even if they are connected to a managed corporate network and have been previously verified.
These initiatives include adopting zero-trust network access (ZTNA) to replace VPNs to alleviate bandwidth, latency, and network performance problems while still providing access to on-premises applications.
ZTNA is a set of technologies for secure remote access that leverages an adaptive trust model: trust is never implicit. Access is granted to users on a need-to-know, least-privileged basis (a user gets the minimum level of access needed to do their job). ZTNA gives users seamless and secure connectivity to private applications without ever placing them on the network or exposing apps to the internet.
Forrester Research predicts a threefold increase in full-time remote work post-pandemic, with hybrid work possible for as much as 80% of the workforce. So, the boost in cybersecurity spending has to go beyond tools and services to protect data, networks, and endpoint devices, Pearce says. It also has to go toward enhanced training and awareness for end-users.
Bob Violino is a freelance writer.