There's a recent security trend that could have serious repercussions in the days, weeks, and months to come. The caution employers and employees alike had talked about in making work from home (WFH) a workable, secure answer to widespread social distancing measures has given way to overconfidence.
The problem is that far too many executives--89 percent according to one study--believe that the devices used by employees reporting to work from home are secure from the most advanced attacks and methods of compromise in use today.
Meanwhile, as Sue Poremba of Security Boulevard writes, "Google reported 18 million phishing and malware scams related to COVID-19 every single day. Not 18 million for the entire week, but 18 million per day for a week."
The problem is complex. According to a new report from Alliant Cybersecurity, "nearly one in seven senior decision makers said their organization has already experienced at least one cyberattack since the start of the COVID-19 pandemic." Worse than that is the widespread nature of the threat. One in five of the respondents in the Alliant report said their company "transitioned to remote work without having a clear policy to mitigate or prevent cybersecurity threats."
So, you may know this territory, but just in case you need a refresher (or you don't really know the territory), we're talking about a plan and not a service. Many companies work under the very wrong assumption that having antivirus software in place and updated is sufficient. Others may think that a VPN can protect them from network attacks.
Cloud access security tools, web filtering, password managers--none of these alone can offer sufficient protection, and some can actually make matters worse--namely a poorly deployed password manager.
We are still in the "one wrong move and it's game over" part of the cybersecurity quagmire. We were there before the pandemic began and WFH became a widespread practice. We were there when employees were using equipment that was set up--in a perfect world--by IT professionals using CISA-provided guidelines and not devices that multiple family members use on a daily basis.
At the same time, IT professionals are experiencing security fatigue. According to Help Net Security, "more than two-fifths (43 percent) of organizations experience false positive alerts in more than 20 percent of cases, while 15 percent reported more than half of their security alerts are false positives."
"Security tools that simply produce large quantities of data to be analyzed without contextualizing potential threats," Rodney Joffe, chairman of NISC and SVP and Fellow at Neustar, warned in that article, "are contributing to data overload, alert fatigue and burnout."
So in addition to the exponential increase in an organization's attackable surface due to the very hard-to-manage issues associated with WFH, the drastic increase in cyberattacks and the false alarms set off by a workforce online outside the controlled environment of the traditional workplace mean we truly are in a new Wild West--as if the old one were getting any calmer.
If social distancing and work from home have done nothing else, they've pushed us into unfamiliar territory. It's crucial not to fall prey to the idea that we've comfortably settled into a new normal and it's "business as unusual" from here on out. If anything, it's time to be hyper-vigilant.
The best practices are no secret:
Use multifactor authentication (MFA) whenever possible.
Procure software--such as your VPN service--that includes MFA.
Download and install all software and firmware updates.
Back up important data regularly.
Store mission-critical data on an air-gapped device.
Triple check that configurations on cloud servers are set correctly.
Limit employees' use of their own personal devices unless each device has been thoroughly checked and approved by your IT department. (A safer path is to supply secure, work-only digital devices.)
Limit credentialed access to servers, and tier access to need-to-know or need-to-use.
Drill your employees on the prevalence and danger of phishing emails.
Create a company-wide protocol for cybersecurity.
In the coming months, there could well be breaches, data compromises, and other hacks the likes of which we never imagined possible. We may see vast enterprises critically damaged, and still others experience extinction-level cyber-incidents. While there's no such thing as failsafe, there's still a lot of work we need to do to make our new reality workable.