Cybercriminals have adapted by exploiting improperly secured VPNs, cloud-based services, and business email, says Malwarebytes.
Triggered by the coronavirus lockdown, the abrupt transition to a work-from-home (WFH) model forced organizations to scramble to support a larger remote workforce. Such a quick shift means that certain security measures and requirements inevitably fell by the wayside. At the same time, cybercriminals found a new opportunity for attack with remote workers and improperly secured connections and technologies. Together, these trends have created a more vulnerable environment affecting the cybersecurity defenses of many organizations.
Released on Thursday by security firm Malwarebytes, a new report entitled “Enduring from home: COVID-19’s impact on business security” shines a light on how the transition has impacted security and how organizations can better handle the risks and vulnerabilities of working remotely.
The report itself combines telemetry from Malwarebytes with survey results from IT and cybersecurity decision makers in the US.
Due to the coronavirus lockdown, around one-third of the respondents had to shift anywhere from 81% to 100% of their employees to remote working. And more than two-thirds moved 61% or more of their workforce to a WFH mode. But most respondents felt their employer was prepared for the transition. Asked to rank preparedness on a scale of 1-10, with 1 being the least prepared and 10 being the most, respondents gave an average ranking of 7.23. Only 14% of those surveyed ranked their company with a 4 or less.
However, organizations failed to address certain areas that would’ve strengthened security amid the WFH shift. Among those surveyed, 44% said they didn’t provide cybersecurity training focused on the potential threats of working from home, 45% didn’t analyze the security or privacy features in the software tools considered necessary for remote working, and 68% did not deploy a new antivirus solution for work-issued devices.
IT leaders also acknowledged a host of challenges in the move to working from home. A full 55% cited the need to train employees on how to securely and compliantly work at home as the top challenge. Some 53% mentioned the challenge of setting up work or personal devices with new software for employees to do their jobs remotely. And 51% pointed to the need to shift to a new, remote model of communication and/or collaboration among employees.
The WFH transition has brought concerns along with the challenges. Among the respondents, 45% said their biggest concern was that devices may be more exposed at home, where employees feel safe but where those devices could be accessed by other people who could accidentally compromise them. Several other concerns were cited by those surveyed, including the following:
- IT may not be as effective at supporting remote workers.
- Cloud collaboration tools may not provide adequate cybersecurity (concerns of Zoom bombing, for example).
- Employees may not have adequate cybersecurity protections for their personal networks and devices.
- Employees may be using unauthorized and unmanaged “shadow IT” tools to share company and customer data.
- Increased risk of ransomware attacks and malware attacks overall.
As a result of the shift to remote working, organizations have encountered a range of security issues. Among the respondents, 20% said they faced a security breach as a result of a remote worker. Some 24% had to spend money unexpectedly to resolve a security breach or malware attack following the WFH shift. Some 28% admitted that they’re using personal devices for work more than their company devices, which could open the door for cyberattacks. And 18% acknowledged that cybersecurity was not a priority for employees.
“Many organizations failed to understand the gaps in their cybersecurity plans when transitioning to a remote workforce, experiencing a breach as a result,” Malwarebytes CEO and co-founder Marcin Kleczynski said in a press release. “The use of more, often unauthorized, devices has exposed the critical need for not just a complete, layered security stack, but new policies to address work from home environments. Businesses have never been more at risk and hackers are taking notice.”
What can and should organizations do to shore up their defenses while juggling the needs of a remote workforce? In its report, Malwarebytes offered a few suggestions based on the survey responses.
Develop stronger remote security policies. Cited by 55% of the respondents, stronger remote security policies are critical not just as a long-term strategy but as a way to unify cybersecurity defenses across the organization. The idea is to deploy remote work security guidance that views the organization from the standpoint of an attacker, which means being creative.
Install a permanent WFH model for employees who don’t need to be in the office each day. Cited by 54% of those surveyed, this measure would help people who permanently work from home. But it would also benefit employees who need to access company resources when they’re away on a trip.
Host more trainings for WFH. Cited by 49% of the respondents, training is important for employees working remotely. However, such training must be tailored to the needs and responsibilities of individuals, teams, and departments. Generic security training will only help so much. Workers also are likely to pay more attention if the security advice is specific and relevant.
Develop online privacy reviews for new software. Some 44% of those surveyed said they plan to take this step to make sure that the tools used by remote workers function properly but also keep communication and information secure.
Deploy antivirus solutions that can better handle a remote workforce. Cited by 44% of the respondents, this measure would help since many of this year’s threats targeting remote workers are older, commercial ones that could be detected by the proper security products.
Malwarebytes’ survey received responses from 200 managers, directors, and C-suite executives in IT and cybersecurity roles at US companies. The survey included companies of different sizes, with some respondents working at small- and midsize businesses and others at large enterprises.