This week thousands of business leaders are counting the costs of REvil’s Kaseya hack, now dubbed the “worst ransomware attack on record.” With coronavirus-driven remote working spurring cyber criminality, chief security officers (CSOs) are under increasing pressure to protect their companies’ coffers and reputations from a relentless stream of attackers. As such, it is no surprise many are pining for the apparent safety net of the office environment. But are these hopes misdirected?
It is no secret that these past 18 months have seen a sharp acceleration of cyber security threats due to near-universal remote working. According to a recent report by cyber security vendor Sophos, almost two-thirds of organisations experienced an increase in attacks in 2020.
Threat actors are galvanised to exploit businesses’ unpreparedness for working-from-home, a larger attack surface and employees’ human fallibility.
Covid-19 itself is easy bait for phishing attackers, with scams for vaccines and miracle cures abounding in email inboxes. In addition, ransomware attacks, such as those on Kaseya and the Colonial Pipeline, are rising, with even the Singapore Computer Emergency Response Team (SingCERT) reporting a significant spike in ransomware and botnet attacks last year.
Yet, while many CSOs may seek solace in rising vaccination numbers and an eventual return to the safe confines of an office network, it is unlikely cyber criminals will cease their attacks. If anything, they will be emboldened to find more ways to breach cyber security defences and take advantage of an increasing number of hybrid workforces.
The so-called human factor is often cited as the cause behind many corporate cyber attacks. Unfortunately, the long periods of isolation driven by the pandemic have fostered poor cyber practices and a sense of complacency among many employees. Bad habits include using work laptops for personal leisure, failing to scan downloaded files before opening them and, most worryingly, falling for phishing emails.
These unsafe practices pose a serious threat to a company’s security, leaving it increasingly open to phishing attacks and data breaches.
Also of concern is the drastic increase in exploits involving standard workplace documents. According to SonicWall’s Cybersecurity Report 2020, malicious Office documents have proliferated by 176 per cent. The report also noted a 50 per cent increase in intrusions of internet of things (IoT) devices, partly driven by employees’ failure to turn off macros, allowing macro viruses to seed.
CSOs also have to contend with the increasing sophistication of hackers and threat actors. Supply chain attacks, where attackers infiltrate software or IT service providers to infect their customers, have become the latest tactic used to wreak disruption on a global scale, as the hacks of SolarWinds and Kaseya have demonstrated.
IT and security teams must remain leagues ahead of their adversaries, but worryingly many are falling behind. More than half of IT teams surveyed by Sophos said cyber attacks are now too advanced to handle solo. Staying ahead of potential attacks will undoubtedly continue to pose a challenge as office working resumes, but there are several ways to mitigate the risks.
Bad habits the new normal?
It remains an unfortunate fact that cyber breaches occur all too often due to human error. This can range from poorly configured networks to an unwitting worker responding to a Covid-19-baited phishing scam.
The former can be avoided by hiring and training passionate cyber security experts to run internal IT departments. Another alternative is outsourcing these functions to a round-the-clock managed security services provider. Whatever the choice, acting more proactively will give businesses a clearer insight into hacker mindsets and the latest attack strategies, better equipping them to ward off incoming threats.
However, employee error remains a thornier issue and a harder one to fix. This is where better education comes in — and that doesn’t just mean a one-off online cyber awareness PowerPoint. Indeed, this will do little to help employees shake off bad habits from remote working.
Regular reskilling courses in best security practices will be essential for workers returning to the office, with the emphasis on greater vigilance. Business leaders should also communicate data security policies and regular updates on the newest cyber attack methods that workers can look out for, for example, the latest business email compromise (BEC) methods or Covid-19 phishing scams.
Deploying security models based on the concept of Zero Trust, essentially a “never trust, always verify” approach, can go a long way in safeguarding an organisation’s most critical datasets. However, to capitalise on this, CSOs must identify the most important attack surfaces to protect, following this up with limited user access and rigorous privileged access management (PAM).
At the endpoint, multi-factor authentication should by now be a no-brainer, with sole reliance on passwords as a security measure confined to the past. If that is not possible, limiting access to documents to those using official office systems will add an extra layer of protection.
However, the key factor above all of these is employee education and communication. In cyber security, there is no such thing as too much information. Therefore, remind staff to be more mindful when handling information, especially when working between a secure office and an unsecured home environment. Alongside this, you can maintain vigilance with regular updates around the newest security policies and cyber attack methods, such as the Netflix or Covid-19 phishing scams in circulation.
Although the past 18 months have been challenging for many organisations, the remote working experience has reinforced the importance of strong cyber security measures. In addition, the publicity around several global cyber attacks has provided a severe wake-up call for business leaders about the ramifications of not safeguarding their organisations. Investment in cyber security technology is no longer optional, and ignorance is no longer an excuse for a major breach.