Over the past few months, Covid-19 has uncovered many security challenges within most enterprises’ cybersecurity programs. Most organizations were ill-equipped to detect and respond to cyber threats brought on by Covid-19, especially with a majority of the population working from home. This pandemic exposed many vulnerabilities from a political, societal, economic and critical infrastructure perspective—not just how ill-equipped we are as a society to prepare and future-proof our daily work lives, but also where we, as a society, invest to ensure continuity, communications and cohesion. Most everyone wants to get past the unprecedented challenge that is Covid-19 and move on to some semblance of normalcy (I am looking forward to wearing non-pajama pants). From a cybercrime perspective, Covid-19 revealed a new breed of bad actors, sources, methods and attack vectors that would never have been exposed without a crisis like this. The bad guys are thriving. Pushed to their limits, many IT and security organizations have been unable to keep up with the shift from a centralized management structure to a distributed environment, while also focusing on keeping the enemy at bay.
Why are we compromising speed and convenience for security?
Recently, identity management and authorization firm Callsign commissioned a very insightful study of over 2,000 adults in the UK and over 2,300 adults in the US to determine under which circumstances consumers are willing to overlook online security to obtain staples and comfort products. Sadly, the results are not surprising. The average consumer is not taking precautions to protect their identity. The report states, "consumers prioritize convenience and speed of access of online goods and services over personal security." Moreover, a recent report stated the U.S. Federal Bureau of Investigation (FBI) is receiving 3,000-4,000 cybercrime complaints per day—up from 1,000 on normal days. The primary targets are work-from-home employees who are outside of the company firewalls and thereby susceptible to social spear phishing and advanced persistent threat (APT) campaigns. Further, bad actors are increasingly using social media platforms like LinkedIn, Facebook, Instagram and Twitter to connect with and exploit information from unwitting, stay-at-home screen zombies. Callsign's research backed up these trends, finding that even in the face of increased cybercrime against online banking systems, 44% of US consumers do not plan on changing their passwords, while 55% in the UK will not update their old passwords or PIN. Hackers/crackers leverage many sources and methods to gain access to a user's account—these findings are well worth the read.
As I said in my last article, if Facebook and Twitter were a CIA/NSA intelligence operation, it would be the most successful one in history—the bad guys use the same methods of cyber espionage to garner personal information to exploit unwitting targets. Recently, the CEO of an artificial intelligence (AI) and object recognition company challenged me to hack what he swore was "unhackable." Within 7 minutes, while on the phone, I was able to gain admin access to his website with just a few personal questions and a nonchalant conversation amongst old friends. I also had the ability to control other systems, in particular, their Microsoft Office365 email, if I desired (by the way, I am not a hacker/cracker, nor have I ever been one).
IT and security teams are striving to flatten their own curve
As stated before, the reality of Covid-19 is how vulnerable and likely compromised many people working from home are. The reasons include:
- The rapid deployment of non-conforming and personal devices without corporate images or security policies creates a security vulnerability. Non-conforming devices also lead to inconsistent patching and security updates, which exposes workers to ongoing and recent threats.
- Bring your own device (BYOD) is challenging network integrity. Many who work from home share their personal devices amongst other family members, making the likelihood of clicking on a malicious link or downloading malware or viruses a reality. At a minimum, updated virus protection and two-factor authentication are imperative to reducing attack vectors.
- Neither IT nor security departments are prepared for a majority of their workforce to immediately work from home. Mature security organizations will turn to outsourced security service providers like CyberHat, endpoint security and management platform providers like Tanium and threat detection and identity management providers like Callsign and CyberadAPT to bridge the gap between IT and security. Additionally, they should ensure that proactive monitoring is implemented, to reduce risk and improve incident response.
This is a new world with new challenges, especially as more people work from home and slowly return to the office. IT and security teams can help alleviate and "flatten the curve" for some of the threats by simply implementing two-factor authentication on all system logins, enforcing consistent and regular password updates, and understanding where and how to react to the threats as they are identified (which comes from access to education and external resources). Effective cybersecurity in any situation must be a combination of technology, people and process. Now, more than ever, security is everyone's responsibility. Stay safe and secure, my friends.