2020 Work-for-Home Shift: What We Learned

Goodbye, 2020 — and good riddance, right? Most of us don’t want to take too much from this year into the next — but let’s make an exception for what we learned about security in the wake of the COVID-19 pandemic. In 2021 after all, more enterprises will permanently downsize their physical spaces and give employees the flexibility to continue working from home.

In an effort to have a safer 2021, Threatpost takes a look at the top five biggest takeaways of the remote-work shift for security teams going forward.

1. Cybercriminals Are No Dummies

This one seems obvious, but for too long security teams have ignored the danger that comes from offering attackers low-hanging fruit.

As soon as businesses made the transition to work-from-home, cyberattackers got busy capitalizing on it. Researchers saw a near-immediate 131-percent increase in malware infections and about 600 new phishing attacks per day when the pandemic and remote working started in earnest in March. And according to a recent Acronis Cyberthreat Report, 31 percent of global companies reported daily cyberattacks in 2020, mainly targeted at remote workers. Clearly, threat actors know that home networks are typically less secure than corporate infrastructure, and saw an opportunity to ramp up their attacks accordingly.

Since cybercriminals are pretty savvy (and quick-moving), defenders need to be too. The mad scramble to get employees connected from home is over; and now, security practices need to be hardened.

“2021 will be the year of ‘working from anywhere’ and it is very much a moving target for security and privacy professionals,” Yossi Naar, chief visionary officer and co-founder at Cybereason, told Threatpost. “Coupled with a challenging home environment where devices are often shared with family members and the rapid change that occurred, there was little time to prepare and that fact has been exploited widely by hackers leveraging phishing attacks and known exploits to penetrate and maintain their hold on the remote environment. In 2021, enterprises need to focus on patching the holes in their security defenses as the majority of their workers continue to operate remotely.”

Bitdefender researchers noted that home routers and computers will continue to be seen as weak links, so endpoint security will become a bigger focus in 2021 even as attackers evolve and mature.

“Threat actors specialized in hijacking devices will either rent access to other groups seeking distributed command-and-control capabilities or sell them in bulk to underground operators to reuse as proxy nodes to conceal malicious activity,” they said.

2. Collaboration: The New Chink in the Armor

When companies went to a decentralized footprint, they also turned in droves to cloud applications and collaboration services to support the new, borderless, virtual office. In short order, Zoom, Microsoft Teams and Slack became household words, video calls became the default for meetings, and the resources that are connected to, shared and exposed in the cloud were suddenly being used by tens of millions of workers.

A recent Fortune CEO survey showed that 77 percent of CEOs reported that the COVID-19 crisis accelerated their digital transformation plans, while 40 percent are spending more on IT infrastructure and platforms. Security, however, largely remained an afterthought as companies prioritized productivity over vetting the security for these products.

As a result, it was open season on collaboration. Last month for instance, attackers were seen using ads for fake Microsoft Teams updates to deploy backdoors, which used Cobalt Strike to infect companies’ networks with malware.

On a related note, cybersecurity will move up the food chain to become a business differentiator for collaboration platforms and cloud apps, researchers said — which will spur innovation in the space.

Going forward, “[security] needs a category disruptor,” Nico Popp, chief product officer at Forcepoint, told Threatpost. “The need for a converged, digital, cloud-delivered platform means we’ll see the emergence of the ‘Zoom of Security’ – a high-tech system that ‘just works’ and is easily accessible for the everyday consumer.”

3. Zero-Trust Has a Moment

As employees were sent home and forced to connect to precious corporate resources using potentially insecure devices, home networks and new cloud apps, the focus on authentication ramped up for security teams. The problem, of course, is that password hygiene isn’t good in the best of times, let alone in an environment of massive change and new platform adoption.

As a result, zero-trust frameworks gained a little buzz in 202o. “Zero trust” means that all users, inside and outside of an organization’s enterprise network, are inherently not trusted and must be authenticated and authorized before being able to access apps and data. In order to do this, systems must evaluate the safety of a user’s device, verify transport/session information and general identity, and take into account the application being used (is it allowed?) and the data being accessed (how sensitive is it?).

It works, according to those in the trenches. “Our adoption of zero-trust network access technologies and a cloud-based end user security stack made the transition of 95 percent of our workforce from relatively secure corporate networks to relatively unsecure home networks virtually seamless for the end user, but comparatively safe,” said Bradley Schaufenbuel, vice president and CISO at Paychex, via email.

Zero-trust frameworks have a reputation for being expensive and complicated, but in 2021, they will no longer be optional for enterprise, according to Jasen Meece, CEO of Cloudentity.

“There’s no doubt that COVID-19 and the shift to remote work have accelerated zero-trust adoption in the enterprise,” he told Threatpost. “In 2021 and the following years, implementing a zero-trust approach will become essential to protecting every enterprise, regardless of industry. Roughly one-quarter of all data breaches are caused by human error, with the average cost of $3.92 million for each breach, according to a report from the Ponemon Institute. As a result of this growing issue, the zero-trust model will become the new standard.”

4. A Mobile-Focused Security Policy is a Must

As workers went home, mobile devices became more ascendant, with many of the new go-to collaboration and cloud services offering mobile apps designed to boost productivity and allow multitasking. This resulted in rafts of personal devices suddenly being used to access corporate resources — and true to form, cybercriminals followed the trend lines.

For instance, 2020 saw mobile messaging becoming a growing vector for phishing attacks (often called smishing). In fact, in September, the FTC issued a warning about phishing campaigns involving text messages with false delivery notices that included a link to validate the delivery.

“Across any chat medium on mobile, phishing attacks seek to trick users into clicking links to expose personal and work credentials, and even download mobile surveillanceware,” Chris Hazelton, director of security solutions at Lookout, told Threatpost.

But threat actors are building more advanced phishing campaigns beyond just credential harvesting, according to Hank Schless, senior manager for security solutions at Lookout.

“Through the first 9 months of 2020, almost 80 percent of phishing attempts intended to get the user to install a malicious app on their mobile device,” he said. “Threat actors have [also] learned how to socially engineer at scale by creating fake influencer profiles with massive followings that encourage followers to download malicious apps. Personal apps on devices that can access corporate resources pose serious risk to enterprise security posture.”

Criminals are also targeting weaknesses in mobile apps. For instance, WhatsApp in February disclosed a vulnerability in its iOS app that was exploited by Pegasus surveillanceware to gather intelligence from targets.

“While there are security vulnerabilities in all operating systems, including iOS and Android, it is less understood that vulnerabilities in mobile apps can be used in attacks,” Schless said.

5. The Rise of New Insider Threats

Remote employees have been thrust into new working environments, with no face-to-face supervision and little to no training for handling new security risks. And, they are also facing more distractions from their home settings, as well as new emotional stresses tied to COVID-19 and less job satisfaction. All of these factors created a ticking time bomb for insider-threat risks in 2020, researchers said.

According to a report from Tessian, insider-caused security incidents already increased by 47 percent since 2018. Worse, security experts warn that organizations aren’t ready for this influx of remote work-induced challenges.

“The [work from home] trend due to the COVID-19 pandemic has significantly increased insider threats from employees taking risks with company assets, such as stealing sensitive data for personal use or gain as employers have less visibility to what employees are doing or accessing,” Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic, told Threatpost.

Insider threats can stem from either “negligent insiders,” or malicious insiders, who intentionally steal data or company secrets. The “negligent insiders” are the bigger threat, according to Proofpoint. They account for 62 percent of insider-threat incidents.

A survey from IBM Security in June found that more than half surveyed had yet to be given any new security policies on how to securely work from home. Also, more than half surveyed had not been provided with new guidelines on how to handle personal identifiable information (PII) while working from home, despite more than 42 percent newly being required to do so as consumers lean on customer service representatives for a variety of services.

Going forward, awareness of insider threats must take on more importance, researchers noted — especially as the pandemic grinds on and layoffs/workplace dissatisfaction rises.
“One area that organizations need to deal with is the rise of the insider threat, with so many unhappy employees who have been furloughed, or let go, from their jobs,” Steve Durbin, managing director of the Information Security Forum, told Threatpost. “The insider threat is one of the greatest drivers of security risks that organizations face as a malicious insider utilizes credentials to gain access to a given organization’s critical assets. Many organizations are challenged to detect internal nefarious acts, often due to limited access controls and the ability to detect unusual activity once someone is already inside their network. The threat from malicious insider activity is an increasing concern, especially for financial institutions, and will continue to be so in 2021.”

Overall, the trust that organizations must place on their workers has grown with rapid digital transformation, increasing information risk and changing work environments — and there’s no sign of this changing. Taking the lessons of 2020 will be critical for a safer and happier 2021.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!