As if there wasn’t enough to worry about these days, cyberattacks have taken a sharp uptick since the COVID-19 pandemic began this year. From January to March, AT&T Alien Labs Open Threat Exchange (OTX) saw 419,643 indicators of compromise (IOC) related to COVID-19, including a 2,000 per cent month-over-month increase from February to March. Cybercriminals are taking advantage of the shift to remote working, increasing their volume of attacks by nearly 40 per cent in the last month. Home routers have been hijacked. COVID-19-themed phishing attacks have jumped 500 per cent. And most of the 4,000 new COVID-19-themed domains are suspected of criminal intent.
Companies large and small are in a bad spot on this one. Asking staff to come to the office could worsen the health crisis. Having them work at home creates a vastly increased attack surface that cybercriminals can easily exploit. And in the meantime, trying to secure every employee’s home network is close to every IT manager’s worst nightmare.
I have the advantage of working for a large company, where there is not much difference between working at the office or at home. But for most, the new remote work environment ushers in an entirely new security landscape overnight.
Long term, this means acceleration of cloud security and zero trust models. But for the short term, here are a few suggestions that I’d like to offer. These may be basic concepts, but in security, the basics matter most, and they are often easy to implement.
1. Teach staff how to “socially distance” their home networks.
When you think about who is using a home WiFi network in an average American family, it is unlikely that many of them are particularly cyber-savvy. If one or more adult members of a typical family are connecting to the office remotely these days, that leaves gaps for children, visitors and non-working adults who may also be accessing the internet via that same home network.
The first and easiest “fix” that staff should make is to partition their home internet access. They should avoid having children, their schoolmates, and even adult friends play video games, check email, and download movies on the same network connection that is used to log in to the office. Sharing that connection opens the door to a tidal wave of unknown vulnerabilities.
Staff should also avoid logging in on the same connection utilised by home IoT devices such as smart thermostats, wireless doorbell cameras, and virtual personal assistants.
Isolating a home network connection no longer requires particularly deep IT skills. There are many home and small office routers at around the $100 price point which offer VLAN support of one type or another. Most WiFi kits offer the ability to set up a “guest” network. IT departments can provide easy, step-by-step instructions to employees working remotely on how to set this up on common routers and impress upon all managers the importance of seeing this through.
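As an added illustration of the partitioning recommended above (not from the original article or any router vendor’s documentation), this is how an isolated guest network that can reach the internet but never the work LAN is expressed on a home router running OpenWrt. It assumes OpenWrt 21.02 or later; the bridge name, addresses, SSID and passphrase are constructed placeholders, and the work laptop is assumed to stay on the router’s default ‘lan’ network.

```uci
# /etc/config/network (OpenWrt 21.02+). br-guest, 192.168.3.0/24 and the SSID
# below are constructed values; the work laptop stays on the default 'lan'.
config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'
config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/wireless: a second SSID for children, visitors and IoT devices.
# isolate=1 also stops guest clients from reaching each other.
config wifi-iface 'wifinet_guest'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'home-guest'
	option encryption 'psk2'
	option key 'CHANGE-ME-guest-passphrase'
	option isolate '1'

# /etc/config/dhcp: hand out addresses only from the guest range.
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'

# /etc/config/firewall: guest may be forwarded to wan only. There is deliberately
# no 'guest' -> 'lan' forwarding, and the router itself accepts only DNS and DHCP.
config zone 'guest'
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'
config rule 'guest_dns'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
config rule 'guest_dhcp'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'
```

After reloading the network, wireless, dhcp and firewall services, a quick check from a guest client is that it can browse the internet but cannot ping or connect to the work laptop’s address on the ‘lan’ network.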
2. If you can, provide your staff with lightweight mobile devices (smartphones and tablets).
At the office, the IT department can employ all sorts of protective and monitoring controls on PCs to prevent attacks. But when your company is suddenly a “BYOD” environment, who knows what sort of malware already exists on your employees’ home devices, or will be installed over the weeks of remote work that are to come?
The power and flexibility of PCs and laptops make them notoriously difficult to protect: it’s too easy to follow links to untrusted sites and to install all sorts of software. And we all know that users are vulnerability number one. If your remote workers can use lightweight mobile devices, like smartphones and tablets, you will enjoy a number of security benefits. First, in most of the country, you can utilise their mobile broadband capabilities and avoid the home network altogether. Second, these devices were designed to be managed: when using them you are teaming up with the manufacturer’s security teams to keep the device highly secure, and with the mobile operator to keep the connection highly secure. If you have not tried one for work lately, you would be surprised how much can be done with a high-end tablet and a keyboard.
These devices can also be configured so that the only software that can be installed comes from the platform’s own app store or from your company’s own store. Malware has a more difficult time infiltrating those environments, and the manufacturers remove it on a regular basis. When a vulnerability is discovered, app stores are able to delete or patch the software to eliminate the threat immediately. These devices are not infallible; it is just vastly simpler to maintain good hygiene on them.
3. Move to the cloud wherever possible!
It is long past time to move away from on-premises installed software and into the cloud. If you have not, then let this be the forcing function for that change. SaaS solutions for customer relationship management, office productivity and even creative work now outperform their traditional software equivalents, typically at much better pricing. When you use the market-leading SaaS solutions, you are teaming up with that firm’s internal security teams, which are dedicated to keeping their platforms free of compromises.
Like the smart mobile devices, these platforms are not foolproof, but you’ll have these companies working security issues alongside you. Once you have moved to lightweight devices operating SaaS applications in the cloud, your attack surface is drastically reduced. It’s important to note that while cloud providers are responsible for protecting the infrastructure, you remain responsible for protecting your applications.
4. Provide security for your remote access
Your staff will be connecting through devices to service connections that are too numerous to manage on an individual basis. A strong endpoint security solution and a cloud security gateway allow you to set policy and monitor company-wide activity, regardless of which endpoint it originates from. There are a number of innovative cloud security solutions and SD-WAN solutions available in this area.
5. Time is up: adopt unique, strong passwords now
These things seem so elementary. Yet, I would be pretty confident that some (if not most) of your staff have already clicked on malicious phishing links offering news about a “cure for COVID-19.” I am equally certain that others are logging into the office right now using passwords that resemble their phone numbers, home addresses, or children’s names, or that they re-use for multiple gateways.
You need to immediately teach your employees how to improve their defensive posture. Show them how to recognise the “tricks of the trade” that hackers use in phishing schemes. If you do not already have your own protocol for doing so, there are videos and third-party services that you can consider utilising immediately.
Insist that staff create long, complex, and unique passwords for every device and connection they use to access the office. To make this practical, you must use password managers. You should also set up some kind of 2-factor authentication across the board, and that is true from the CEO to the receptionist. Once you make this behavioural shift, this strategy costs you nothing. Someone else out there has not thought to implement it, so make yourself the harder target.
It’s time to make the urgent repairs you have been putting off.
For a long time, the security perimeter was steadily eroding. But now, quite suddenly, it’s gone entirely. Professional criminal organisations and offensive nation-state attackers know this and are not taking time off for the pandemic. And I know you aren’t either. But there is hope.
What’s going on right now reminds me of driving down the freeway. You know those walls they put up to block the sound of cars and trucks zooming by? They only do that sort of construction when crews are already out there making urgent repairs. Well, you are doing emergency repairs to your IT infrastructure right now. It’s the ideal time to work on setting up barriers to “keep the noise out” for years to come. The list above is a nice place to start if you don’t already have one.
We are all vulnerable to this pandemic.
You never know what collateral damage a cyber-attack will cause. What if you knock intensive care units offline? What if encrypting health records means that someone does not get treatment? What if taking a network down means that people die? I implore you to take a break in order to fight this virus—like so many others are around the globe.
Roger Thornton, VP, Products and Technology, AT&T Cybersecurity