Author: Raymond Rizk – Senior Consultant

The COVID-19 global pandemic has touched every corner of the world. In order to combat the spread of the virus, just over a quarter of the world’s population has been put on lockdown, with many more told to avoid large gatherings and to only leave their homes where absolutely necessary. Businesses and organisations worldwide have had to adapt in a short space of time and change how they work and operate. A large number of staff have been asked to work remotely, with some using their own personal devices to conduct corporate activities.
COVID-19 – implications for information security

Attackers and cyber criminals love chaos and uncertainty, as it makes businesses and people vulnerable to attacks and creates new opportunities which they can exploit. We have already seen a flurry of phishing emails and text messages targeting people worldwide. Moreover, the dramatic and rapid shift towards remote working meant that security had to take a back seat while organisations rushed to make it happen. This has increased organisations’ exposed attack surfaces, in some cases without sufficient security controls being put in place. As such, we are likely to see a sharp increase in attackers and malware searching for and exploiting misconfigurations and weaknesses in the new remote working practices. The ICO released a statement that it will not penalise businesses that do not prioritise certain compliance or information governance work, such as responding to freedom of information (FOI) requests within the allotted timeframes. However, the ICO stated that organisations should implement the same security controls for homeworking as they do in normal circumstances in order to safeguard their data. Remote working is new for a lot of businesses and employees. Even where remote working has been supported for some time through VPN and similar technologies, this was likely limited to a small number of users. Suddenly there are a lot more people working from home than usual, most of whom have not done so before.
Remote access and online data sharing

To meet the new challenges, businesses are likely to deploy new collaboration and remote access systems. In the short term these are likely to be unhardened and not configured in accordance with security best practices, such as using multifactor authentication, which could make them vulnerable to credential stuffing and password spraying attacks. These systems might not be monitored initially and may fall outside the control of the organisation’s data loss prevention processes, which could lead to the accidental leakage of confidential data. Data could be stored on online data stores to ensure that users can continue to access the data they require to do their job. Misconfigured online data stores could expose confidential data to unauthorised users and attackers. The Internet is full of examples of misconfigured S3 buckets and online data stores exposing personal data to the Internet.
Shadow IT

Increased remote working is likely to result in more use of shadow IT, particularly if the organisation does not have the appropriate online storage and collaboration tools. For example, managers might set up a Dropbox workspace for their department. These are likely to be misconfigured and unhardened, which could result in data being exposed to unauthorised users.
Use of personal devices

A large number of employees might not have been issued with a company-owned laptop or mobile device. These employees will have to use personal devices to access company resources and data. These devices are likely to be less secure than corporate devices; for example, they might not have all the latest security updates installed or have appropriate antimalware software. Additionally, users are likely to be using the devices with full administrative rights, making them more vulnerable to compromise through phishing or drive-by downloads. Moreover, the devices are likely to be used by other family members, which could expose corporate data to unauthorised people and breach privacy and acceptable use policies. Other family members might install applications which would not be approved on the corporate network and may contain malware or expose data. This makes employees working from home on their personal devices an easy target for attackers and cyber criminals.
Phishing attacks

As with other disasters and crises, cyber criminals are exploiting the pandemic and targeting users with phishing emails and messages, trying to trick them into clicking on malicious links or downloading malicious applications or files that contain malware. Attackers are preying on the panic and people’s anxiety by sending fake emails claiming to originate from public health organisations such as the WHO, or from IT companies, trying to trick users into exposing sensitive information such as login credentials or executing malware on their device. Additionally, users are likely to be checking their personal emails and social media accounts in order to check on loved ones in this uncertain time. These do not have the same level of protection provided by corporate email and communication channels and, as such, are more likely to be vulnerable to phishing attacks. A successful phishing attack could lead to the compromise of company resources and confidential data.
Responding to security incidents

New working practices are likely to result in reduced monitoring and incident response capabilities as a result of users using personal devices, the rapid deployment of unmonitored new systems, and reduced cyber-security staff capacity due to illness or other organisational priorities. However, the pandemic is likely to result in an increase in reported security incidents relating to COVID-19-themed phishing emails or password attacks against new online systems and resources. This could result in incidents not being thoroughly investigated or attacks not being promptly detected, which could give attackers sufficient time to compromise the network, achieve persistent access and hide their tracks.
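As an added example (not code from the original article), the following Python detection logic shows one way to spot the password spraying against new remote access systems described above in the gateway’s authentication logs, and to surface the first account that authenticated successfully from the spraying source so that it can be investigated first; the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (not from any real system).
SAMPLE_LOG = """\
2020-04-06T08:00:01Z vpn auth FAIL user=alice src=203.0.113.7
2020-04-06T08:00:03Z vpn auth FAIL user=bob src=203.0.113.7
2020-04-06T08:00:05Z vpn auth FAIL user=carol src=203.0.113.7
2020-04-06T08:00:07Z vpn auth FAIL user=dave src=203.0.113.7
2020-04-06T08:00:09Z vpn auth FAIL user=erin src=203.0.113.7
2020-04-06T08:00:11Z vpn auth OK user=frank src=203.0.113.7
2020-04-06T08:05:00Z vpn auth FAIL user=alice src=198.51.100.2
2020-04-06T08:05:20Z vpn auth OK user=alice src=198.51.100.2
"""

# Assumed (constructed) line format: "<timestamp> vpn auth <OK|FAIL> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts within one window.
    Returns {src: {"users": [...failed accounts...], "success_after": [...accounts...]}};
    a later OK from the same source is the account to investigate first.
    """
    events = sorted(parse(log_text))
    findings = {}
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, result, user, _ in evs if result == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                succ = [u for ts, r, u, _ in evs if r == "OK" and ts >= start]
                findings[src] = {"users": sorted(users), "success_after": succ}
                break
    return findings
```

A normal user who mistypes their own password (198.51.100.2 above) is not flagged, because the rule keys on the number of distinct accounts a single source fails against, not on the number of failures.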
What can you do now that the dust has settled?

Now that the dust has settled, it is time to step back and think about the best approach to protect the company’s critical assets and data. Some of the actions that you should consider are summarised below.
Short-term actions

These are actions that should be implemented as soon as possible to reduce the potential risk to the business:
- Conduct a risk assessment on the new remote working provisions to ensure that the business’s new risk profile is determined and communicated to senior management, and that appropriate controls are put in place to mitigate the new risks.
- Identify your key critical assets and data and ensure that they are adequately protected.
- If security monitoring and resources have been reduced, then focus on protecting critical business assets, financial systems, privileged accounts, and high-value targets such as senior management.
- Consider offering free antimalware software to staff who use personal devices and do not currently have any installed.
- Remind staff to be vigilant and to carefully consider any emails containing links, attachments or requests for information.
- Communicate policies, procedures, and guidance to all employees, to educate those new to remote working and to refresh those already familiar with your home working practices, including information on your organisation’s incident response procedures.
- Send staff the National Cyber Security Centre (NCSC) newly published advice for reducing the risk of cyber attacks, including tips to help staff spot typical signs of phishing scams, available at: https://www.ncsc.gov.uk/guidance/home-working
- Send staff information on the latest COVID-19 phishing attacks and scams, such as the summary provided by the NCSC at https://www.ncsc.gov.uk/news/cyber-experts-step-criminals-exploit-coronavirus, to ensure that they do not fall victim to these attacks.
Long-term actions

These are actions that should be considered if home working is likely to continue for a prolonged period of time:
- Implement multifactor authentication for all accounts and all externally exposed services.
- Consider enrolling personal devices in a remote device management system that would allow the IT department to manage those devices and ensure that they are secure through the use of security policies and profiles.
- Provide security awareness training that focuses on the risks of home working.
- Consider producing a series of guides that would help staff work securely from home.
- Identify shadow IT systems and ensure that these are brought under the control of your IT department.
- Update security monitoring and incident response capabilities to ensure that these address the risks identified in the risk assessment and meet the organisation’s compliance requirements.