Managing cyber in the remote workforce
As most professionals have shifted to working remotely from their homes, many of us are using our personal devices, as opposed to company-issued machines, to access organisational networks and systems. Adding these devices to the organisation’s environment increases the attack surface available to malicious actors.
Taking advantage of the COVID-19 pandemic and international lockdown or ‘work-from-home’ rules, cyber adversaries now have extended access to target and penetrate the organisation’s most critical assets, its data, and operational environments.
Whenever there is haste to make change, people – both employees and those setting up systems – make mistakes. While companies relax their risk tolerances to maintain business continuity, this leaves their data and intellectual property vulnerable to opportunistic cybercriminals.
Cyber risk for virtual communications/teamwork applications
Before the COVID-19 outbreak, 27% of users globally worked remotely on the average weekday.
A conservative estimate today is that more than 60% of users work remotely.
The necessity for these millions of professionals globally to meet and work with each other and their customers during COVID-19 has meant the quick adoption of various communication platforms, including Zoom, Microsoft Teams, and Slack.
Observed threat: Without security controls in place, adversaries may access and join any meetings. We have all heard of Zoom ‘bombing’. In addition, cloud-based communications platforms may allow cybercriminals to access sensitive information such as meeting details and conversations.
Suggested top actions:
1. Ensure discussions over Zoom are not highly sensitive. If so, resort to an alternative platform.
2. Secure all Zoom meetings with passwords at the individual meeting level, or at the user, group, or account level for all meetings and webinars.
3. ‘Lock meeting’ once a meeting begins to prevent additional attendees.
4. Integrate IT and security professionals into expedited tech projects, as well as new technology needs, to integrate security controls and ensure the general implementation of IT controls.
Heightened volume of phishing targeted at employees
The economic impacts of COVID-19 have spurred a series of wage subsidies. As employees receive many communications from government entities and their employers, it is critical that they avoid phishing campaigns which are disguised as relief payment plans.
Between March 13 and 26, 2020, there were more than 400K incidents of spam emails pertaining to COVID-19.
The Australian Competition and Consumer Commission’s Scamwatch has received more than 1000 coronavirus-related scam reports since the virus outbreak. The Australian Cyber Security Centre notes thousands of COVID-19 related websites have been registered in the last few weeks, many of them delivering ransomware to unsuspecting users.
Observed threat: Recipients of the coronavirus relief payment from the government opened a phishing email from a criminal sender, with a malicious attachment that used macros to deliver malware to obtain their banking information. Recipients were based in North America and Europe. We anticipate that this threat will occur across many geographies as similar government relief plans are put into place.
Suggested top actions:
1. Raise awareness of malicious phishing campaigns among employees who may be receiving a relief payment. Be specific on what will be shared by your organisation (format, timing, etc.).
2. Bolster threat detection and response to promote proactive identification of malicious activity.
3. Ensure that your organisation has a crisis response plan and has informed employees to avoid the spread of misinformation.
Increased use of personal devices to work remotely
Employees working from home on their personal devices significantly increase the risk of cyber adversaries accessing internal infrastructure where data and intellectual property can be accessed. Personal devices may not have the latest security patches and tools, or even a VPN connection to ensure a more secure connection to the business environment.
Our research shows that 1,000+ insecure personal devices connect to enterprise networks every day in 30% of U.S., U.K., and German companies without IT’s knowledge.
Observed threat: A spam campaign was observed leveraging a fake ‘Corona Antivirus’ lure to distribute malicious software (malware). Using a fake COVID-19 themed website, threat actors advertised a ‘Corona Antivirus’, which makes bogus claims to protect users from the COVID-19 infection. However, the application infects users with malware.
Suggested top actions:
1. Ensure IT teams develop and implement corporate security policies and guidelines for ‘Bring Your Own Device’ and require that corporate security software is installed on employee devices before such devices can be used to connect.
2. Review and establish corporate firewall rules for remote access, User and Entity Behavior Analytics, and file integrity monitoring so that they are implemented effectively for remote employees.
3. Restrict unapproved personal devices from your corporate network and limit personal device access to only required corporate cloud services that are needed for critical business operations.
BUSINESS CONTINUITY & FINANCING
Work and economic climates will continue to contribute to an increased volume of insider threats. Leadership should consider how the enterprise is equipped to pursue a risk-based insider threat monitoring program.
Security and IT executives should brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance. Threats from early opportunistic attacks can remain latent in the environment and pose sustained elevated risk.
As markets recover from COVID-19, scrutiny will likely increase around consumer safety, privacy and regulation, influenced by Europe’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), various privacy regulations in South America, and regulatory activities in China, which are improving the cyber posture for organisations and industries across global markets.
Companies should consider balancing their expanding digital footprints with a growing focus on cyber risk. Emerging technologies are often attractive avenues of opportunity for cyber criminals looking to expose weaknesses in an organisation’s digital ecosystem. In the absence of a well-orchestrated cyber program, new products and services will be exposed to greater financial, brand, and regulatory risks, likely to slow their development and marketplace penetration.
WORKFORCE & STRATEGY
Many countries still do not have resilient cybersecurity infrastructure, efficient and agile institutions and emergency plans prepared. Investment in more technology, resources and people to strengthen cybersecurity posture will be necessary. Building on the global understanding of the importance of physical distancing, we can help train the world to help protect themselves from cyber threats.
Changing behaviors through awareness, education and training is key to the success of any new process. By looking for ways to augment their workforce, organisations can consider managed security services to either operate an existing security program, or onboard to a turnkey solution. As a result, organisations may be able to recover faster and with less strain to the broader enterprise.
Tommy Viljoen leads Deloitte’s Cyber Risk Strategy and Governance teams based in Sydney. With more than 30 years’ experience in information technology, IT risk and cyber security governance across a broad range of industries, Tommy helps organisations with the development and implementation of cyber risk strategies and solutions, including information security management systems, cyber threat management programs, cyber monitoring solutions, cloud solutions, third party strategies and secure by design solutions.
James Nunn-Price leads Deloitte’s Asia Pacific cyber practice. As a recognised cyber expert, James has led the implementation of many of Deloitte’s global network Cyber Information Centres. With a reputation as a leader in implementing good practice cyber operations, managed services and global cyber incident response capabilities, James has also led multiple complex award-winning projects for clients.