An authentic-looking email arrives with the subject line, Covid-19.
The sender appears to be the US Centre for Disease Control and Prevention, a trustworthy name in healthcare. There’s either an attachment or a link that promises “further information” or such.
Such emails seem completely genuine to the uninformed eye. Only with deeper analysis does a malware payload hiding behind the link or attachment become apparent, capable of giving hackers access to the organisation’s network and placing the company’s entire data at risk.
Such cybersecurity nightmare scenarios have confronted many organisations in the wake of Covid-19. Cybercriminals went to work in the days and weeks following the pandemic, creating bogus domains, which they used to send phishing emails promoting either fake treatments for the coronavirus or some other prevention protocols, observes Tamer El Refaey, chief cyber security strategist, Emerging Markets, Micro Focus.
The result is that employees, desperate to get their hands on critical health information, fell for Covid-19 related phishing attacks. As the Covid situation evolved, the threat landscape also kept pace. Threat actors are carefully following each development around the coronavirus and launching attacks that closely mimic new incoming information, observes Emile Abou Saleh, regional director, Middle East and Africa at Proofpoint.
“The large number of remote workers across the country presents an inviting target for cybercriminals to pursue in an attempt to compromise victims’ systems and gain access to corporate resources and applications,” he says.
WORK FROM HOME
The idea of working from home is appealing and has been touted as a panacea for many ills that plague urban living, such as long commutes, pollution and overcrowding. However, hastily configured remote work policies present a myriad of cybersecurity challenges.
“Simply put, most organisations were not ready to handle the Covid-enforced bring-your-own-device (BYOD) circumstances,” says Saleh.
“The pandemic hastily shifted a large number of employees to remote work, many for the first time. For many users, there will be protocols, online tools, and communications they will not be familiar with, and it’s this lack of familiarity that threat actors will try to capitalise on,” he adds.
Data models many organisations used to identify abnormal behaviour were based on employees being on-premise. An employee signing in physically in the office and accessing the network from within the office would be considered normal behaviour.
This safeguard disappears when there is no longer a physical sign-in, Refaey observes. Many organisations were also forced to switch to the cloud so their employees could access corporate apps remotely.
“Unfortunately, with cloud comes risks or challenges of securing data off-premise,” says Refaey.
Businesses also had to develop numerous applications on the go, and carry out a lot of changes to their applications to ensure that the customer experience was not impacted.
“Such a high number of application releases imposes security challenges in fortifying them,” explains Refaey.
Within the office environment, the IT department can impose security best practices such as patching and regular software updates. This becomes complicated with remote employees as IT cannot control the process. Instead, they have to request staff to connect to the network at a certain time so they can push patches and updates.
“Such a situation can never be 100 per cent fool-proof, and leaves many computer systems vulnerable,” says Refaey.
Another danger lurks in the blurring of the line between the professional and the personal. Instead of dedicated machines for work, personal computers also double up as entertainment centres where downloading of movies and games is common – activities associated with risky online behaviours.
Connecting to the internet from a corporate network involves scanning websites for malware. Then, the data has to go through different enterprise security controls.
“All these controls disappear when employees are at home, and this makes the life of attackers easier when trying to compromise corporate assets,” Refaey adds.
It is a cybersecurity truism that employees are the weakest link in any IT structure. This axiom has gained greater currency with working-from-home environments.
“Cybercriminals don’t target technical vulnerabilities; they target human weakness – the distracted user who clicks on an email attachment, the eager customer who fills in credentials to claim a fake offer, a loyal employee who follows directions to wire money from a criminal impersonating their CEO,” states Proofpoint’s Saleh.
The only security strategy that will successfully combat today’s advanced attacks is one that focuses on protecting people.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway – in the cloud and at the endpoint – along with strong user education,” he says.
An ill-informed employee tends to pose a great risk to an organisation’s security, agrees Amir Kanaan, managing director for the Middle East, Turkey and Africa at Kaspersky.
“No matter how advanced the organisation’s security technology is, a careless employee can always put the company’s infrastructure at risk,” he says.
In addition to an increase in phishing emails, another emerging threat involves attacks on open Remote Desktop Protocol (RDP) ports. Essentially, this is an attack on remote access software used by employees when they connect from their homes.
“If these attacks are successful, they give cyber criminals unauthorised access to an organisation’s sensitive information or intellectual property,” warns Kanaan.
Lacking the resources in-house to safeguard their assets, many businesses turned to their technology providers for answers when Covid-19 struck.
As a software company with specialised cybersecurity tools, Micro Focus has a wide set of applications and software that can help customers in tricky cyber security situations, says Refaey.
“When Covid-19 struck, we helped organisations to build out the infrastructure they could use in working from home. For example, we have access control solutions that help organisations reduce the exposure to cyberattacks using zero-trust access and strong authentication mechanisms. We can also integrate our authentication solutions with different infrastructure customers have such as VPN or mail access so they can elevate the authentication required for these services.”
Most organisations turned to online collaboration tools such as teleconferencing to keep businesses operational. Refaey says Micro Focus was approached by customers seeking to secure their remote collaboration platforms such as Zoom or Microsoft Teams.
“We availed our various tools to protect such cloud applications,” he explains.
For cloud security, the company offers solutions which ensure that even if companies’ systems have been compromised, the encrypted data is useless to attackers.
According to Refaey, Micro Focus also temporarily offered software free of charge to some existing and new customers to assist them to quickly adapt to the change and soften the impact of Covid-19.
“We also have other solutions that help organisations build profiles or patterns for users to detect anomalous activities. So, even if an organisation does not have data models or models to detect anomalous behaviours for remote users, we have solutions that can build these capabilities for them and learn over time. This reduces false positives and also helps pinpoint malicious attacks and suspicious behaviour.
“We have other products that helped organisations produce applications faster and more securely. Such tools scan the codes of applications that they develop, identify the potential vulnerabilities that may lurk in the applications, and suggest to them solutions. And this is all integrated with the DevSecOps concept of ‘develop fast and secure fast’,” he explains.
THE NEW NORMAL
Even as the threat of Covid-19 ebbs, many organisations are looking to continue with remote work, at least for part of their operations.
Navigating through this ‘new normal’ and adapting to working from home poses risks that organisations need to change their structures to address, observes Kanaan.
“As working from home becomes the new norm, IT managers need to develop their security budgets to also consist of endpoint protections for remote workers. It is important that employees keep in mind that working from home does not come with the same level of security as working from the office, which is protected by a corporate firewall and other on-premise security solutions,” says Kanaan.
Organisations need to adopt a zero-trust model, says Refaey. “This applies whether you’re in the office or you’re working remotely anywhere in the world,” he adds.
Cybersecurity awareness and training initiatives, which many organisations paid only scant attention to in the past, have now become an imperative in the current situation.
“It is critical for employees to be provided with cybersecurity awareness moving forward. It is now in the hands of the employees to keep themselves and their organisations safe. Cyber awareness and cyber education are the two key elements to building sustainable protection for any organisation – the human firewall,” says Kanaan.
An effective learning programme should be a mix of online and classroom learning (virtual or real-world) and regular advice by email. Regular testing is crucial especially when it applies to spotting phishing attacks.
“Setting up fake phishing emails is one way for organisations to test whether their employees have gained the most out of their training,” explains Kanaan.
Beyond education, communication is crucial, he adds. “Education is vital but so is clear communication. Employees need to understand what is acceptable to do on corporate devices, rather than what isn’t,” says Kanaan.
Security protocols and ongoing awareness and education training for remote employees should be a priority and treated as a long-term initiative.
“To change mindsets and reduce the mistakes and risk associated with employee behaviours, cybersecurity training must become an ongoing mission,” says Proofpoint’s Saleh.
“Occasional phishing tests and once-a-year training are not enough to raise awareness and help your employees learn how to apply best practices,” warns Saleh.
He says remote workers should also be using a secure wifi connection, company VPN, and strong passwords.
But while humans continue to be the weakest link in the organisations, they are also the first line of defence, says Refaey from Micro Focus.
“Organisations need to educate their employees through more interactive methods such as simulated attacks. We need to train them on how to be skeptical about everything that they receive. They need to be cautious when they are using open networks such as in coffee shops or airports.”
Awareness programmes also need to be tailored to different people in an organisation, he says.
“Technical people need to have their own set of awareness programmes as their requirements are different from those in finance or customer service.”
The cybersecurity situation was already perilous well before the Covid-19 outbreak, but the crisis has imposed a whole new reality. In addition to its catastrophic human toll, the pandemic has put organisations’ assets at greater risk than ever before. That said, the same security protocols of zero-trust, multi-factor authentication, people-centric cybersecurity and training and awareness that relate to corporate networks apply to remote work.
This is an opportunity for organisations to ensure that long-neglected security processes are implemented to ensure healthy and safe networks.