Session Title | Enduring from home COVID-19’s impact on business security
Executive summary: In March 2020, for companies across the world, “business as usual” became business uncharted, as the novel coronavirus spread throughout the nation at an unchecked pace. Faced with shelter-in-place orders in their home counties and states, countless companies transitioned to entirely remote workforces. Predictably, these near-immediate transitions carried with them some setbacks. A remote workforce can become a workforce stretched thin: Communication must adapt to online models of email, chat messaging, and video conferencing; collaboration must move to cloud-based storage platforms; and keeping the business afloat must take into account the unique cybersecurity needs of now-remote workers who are connecting to potentially unsecured home networks while accessing company resources from personal devices—all without the direct support found within the office.
Methodology: I wanted to dig deeper into today’s new, work-from-home (WFH) normal, measuring not just the immediate reaction to the pandemic, but also businesses’ planned cybersecurity strategy for the future.Survey for more than 200 managers, directors, and C-suite executives in IT and cybersecurity roles at companies across the world. Our survey of roughly one dozen questions tracked respondents’ concerns about transitioning to WFH, the impacts suffered due to the pandemic, and their plans to implement long-term security changes moving ahead.
Key takeaways: Our research revealed some concerning trends. We found more devices spread across more locations connecting to more software tools, coupled with an uneven increase in deploying antivirus software. These actions have predictably resulted in serious setbacks for some companies.24% Said they paid unexpected expenses specifically to address a cybersecurity breach or malware attack following shelter-in place orders.20% Said they faced a security breach as a result of a remote worker.18%Admitted that, for their employees, cybersecurity was not a priority, while 5 percent admitted their employees were a security risk and oblivious to security best practices.28%Admitted they’re using personal devices for workrelated activities more than their work-issued devices, which could create new opportunities for cyberattacks.survey also found that, despite some of the above setbacks, a majority of respondents scored their organizations rather high when evaluating their readiness to transition to WFH. This may be an example of an often difficult-to-measure phenomenon that we call “security hubris,” aka overconfidence in limited security measures deployed At least a quarter of respondents said their organizations froze all or nearly all promotions and pay raises, laid-off employees, or lost clients or contracts. Amongst the worrying trends, however, we found a silver lining. While some of the numbers above may present the picture of an insecure, vulnerable workforce, there is a flipside to the data. The fact is that the transition to WFH has not happened in a vacuum. Stayingcyber secure is not just an exercise in good company governance. Mercilessly, in the midst of all this, threat actors have pounced.
How prepared were companies transitioning to WFH?
COVID-19 caught every company, large or small, off-guard. Organizations’ security budgets may have increased year-over-year and their defensive measures may have become more proactive—but few survey participants could admit they were fully prepared for an immediate transition to work-from-home en masse. Less than 16 percent of survey participants gave their organization a perfect score on WFH readiness. Still, a significant percentage of respondents expressed high levels of confidence in how prepared their company was for the move to remote work. To understand the volume of work IT teams would need to tackle in the transition to WFH, we asked survey participants to tell us the percentage of employees that were moved to a WFH model. About one-third of respondents (33.2 percent) moved 81–100 percent—if not all—of their employees home. And 142 respondents, or a little more than 70 percent, moved 61 percent or more of their workforce to a WFH model. For companies with fewer than 700 employees, 42.9 percent moved 61- 80 percent of their workforce home. On the other hand, for companies with 700 employees or more, 37.9 percent moved 81-100 percent of their workforce home Among our respondents from the four major regions of the United States—the Northeast, South, Midwest, and West—organizations from the South moved more employees to WFH (33.2 percent) than any other region. The Northeast trails behind in a distant second (21.3 percent), with the West following closely on its heels at 20.3 percent.33% moved 81–100% of their employees home. 70% moved 61%+ of their workforce to a WFH mode 43% of Companies with 100–700 employees moved 61-80% of their workforce home83% of companies with 700+ employees moved 81-100% of their employees home.
Ranking WFH preparedness To measure participants’ confidence in their WFH readiness, we asked managers, directors, and executives across business sizes, US regions, and industries to rate how prepared their organization was to transition to working from home on a scale from 1–10, with 1 representing the least prepared and 10 representing the most. Of the 202 respondents, the average ranking was 7.23. In fact, roughly three-quarters (73.2 percent) of those we surveyed gave their organizations a score of 7 or above on preparedness for the transition to WFH. On the flip side, only 14 percent scored their company a 4 out of 10 or less. Overall, IT leaders were confident that they were prepared to transition to a WFH setup.
Among IT leaders surveyed, directors of companies with more than 5,000 employees were the most confident group when rating their company’s cybersecurity posture, giving it an average of 8.2 out of 10. In fact, following close behind were directors from organizations with 350–699 employees, with an average of 8.16. However, the pattern stops there, as not all directors felt as confident about their WFH preparedness. In contrast, directors and those in executive/C-suite positions of companies with 700–1,249 employees were the least confident, giving their organizations an average rating of 6.11 and 6.5 out of 10, respectively. Managers belonging to these companies, however, did not share this view. Their ratings bucked the trend hard, with an average of 8 out of 10.
Which WFH challenges were respondents most worried about?
The shift from working in the office to working from home did not erase cybersecurity problems that were already there, pre-COVID. If anything, organizations were presented with new, compounding challenges that had to be addressed without delay.
Companies that were able to successfully transition to WFH did not do so free from problems: More than half of IT leaders surveyed reported facing at least three of the challenges listed in our questionnaire. The challenge cited most by respondents was training employees on how to be security compliant at home (55.4 percent), followed by setting up work or personal devices with necessary software (53.5 percent). Fifty-one percent of participants felt shifting to a new, remote model of communication was a challenge as well. The challenge selected by the fewest respondents was ensuring work/life balance at 36.6 percent.
Organizations’ biggest challenges to WFH
55.4% Training employees how to most securely and compliantly work at home
53.5% Setting up work or personal devices with new software to continue current responsibilities/roles
51% Shifting to a new, remote model of communication and/or collaboration amongst employees
47% Serving employee needs through limited IT resources
45.5% Finding the right cybersecurity tools to support employees at home
36.6 Ensuring work/life balance
Employee cybersecurity awareness Despite finding training employees on security compliance to be a challenge, 47 percent of respondents were confident that their employees were “very aware” of the cybersecurity best practices they needed to follow at home. A much smaller portion (17.3 percent) believed their employees were “acutely aware and mindful to avoid risk.” Only 5.4 percent of IT leaders said their employees were “oblivious and risky.”
Employee awareness of cybersecurity best practices when WFH
47% Very aware 18.3%Aware but not a priority 17.3% Acutely aware and mindful to avoid the risk
11.9%Slighly aware5.4% Oblivious and risky
Respondents in director and executive positions expressed more confidence than managers in their employees’ awareness of cybersecurity procedures while working remotely. While 20.5 percent of executives said their staff was “acutely aware,” just 16.2 percent of managers felt the same. Conversely, only 1.7 percent of directors stated their employees were “oblivious and risky” compared to 7.6 percent of managers.
Managers, directors, and executives expressed similar levels of faith in their employees, though directors and executives felt slightly more confident.
Biggest cybersecurity concerns What are your biggest cybersecurity concerns with remote work?
29.2% Difficulty in onboarding remote employees when necessary to prevent unauthorized future access
37.6% Difficulty managing new devices using remote work resources
22.3% Increased risk of ransomware attacks
27.7% Increased malware attacks overall
45%Devices may be more exposed at home, where employees feel safe, but others may have access to their devices and may inadvertently compromise them
37.1% Our IT support may not be as effective in supporting remote workers
31.2% My employees may be using unauthorized and unmanaged “shadow IT” tools to share company and customer data
21.3% My employees lack proper cybersecurity training to act intelligently in order to avoid cyber threats
36.1% My cloud collaboration tools may not provide adequate cybersecurity (concerns of “Zoom-bombing,” for instance)
36.6 % My employees may not have adequate cybersecurity protections for their personal networks and devices
When asked about their biggest cybersecurity concerns now that all or a portion of their employees are working remotely, it is clear that managers, directors, and executives are most concerned about other individuals in the home who have access to an employee’s device and might inadvertently compromise it (45 percent). Other concerns that stood out are difficulties associated with managing devices using remote work resources (37.6 percent), the possibility of IT not being able to support employees efficiently (37.1 percent), and the general lack of adequate cybersecurity measures over resources, including cloud collaboration tools (36.1 percent) and personal networks and devices (36.6 percent).
What actually happened: the bad news
Respondents’ concerns were largely founded in reality. As we learned from our survey, some of the same fears expressed by IT leaders later materialized in the transition to WFH. Our survey found that 23.8 percent of the respondents ran into unexpected expenses specifically to address a cybersecurity breach or malware attack. And nearly 20 percent (19.8 percent) stated they faced a security breach because of a remote worker.
23.8 % of Respondents’ concerns were largely founded in reality. As we learned from our survey, some of the same fears expressed by IT leaders later materialized in the transition to WFH. Our survey found that 23.8 percent of the respondents ran into unexpected expenses specifically to address a cybersecurity breach or malware attack. And nearly 20 percent (19.8 percent) stated they faced a security breach because of a remote worker. 19.8% Faced a security breach as a result of remote worker respondents said they also suffered from cyberattacks and security breaches as a direct result of shelter-in-place.
Let’s briefly put that 19.8 percent statistic into perspective. Remember that all it takes for a company to suffer a security breach as a result of a remote workforce is to compromise just one remote employee. As our survey showed, a remarkable 98 percent of respondents said their organizations have moved at least 21 percent of their employees into remote positions. Further, the remaining 2 percent of respondents said their organizations moved anywhere from 0 to 20 percent of their workforces into remote positions. With these numbers, it’s safe to assume that nearly every company out there today has at least one remote employee, and thus is vulnerable to this type of threat. Further, it is important to point out two significant contributing factors that impact cybersecurity for remote workers. One: Workers that suddenly transitioned to remote work found themselves working from a different environment, outside of the company’s security perimeter. Two: Some of the employees had to work on different, unfamiliar devices. Both of these factors contribute to a weakened security posture overall. What negative financial impacts has your organization experienced following the shelter-in-place orders?
55% Froze all/nearly all hiring 48% Restricted travel expenses 37.6 Froze all/nearly all promotions, pay raises 30.7% Laid-off employees24.8% Lost clients/contracts
In fact, 31.2 percent of our respondents admitted they sometimes used personal devices for work and a frightening 27.7 percent said they used their personal devices more than the device provided by their workplace. Worse: 8.4 percent never even received a work-issued device for remote usage. Only 39.1 percent adhered to a strict regime of only using work-issued devices for the workload. As we know, though, the effects of WFH and of the coronavirus pandemic extend beyond cybersecurity impacts. Companies have also suffered broad financial losses.
What actually happened: the good news
The COVID-19 threat built slowly and hit hard, taking many by surprise when lockdown arrived and forcing businesses to evaluate at short notice how they’d be able to function as remote organizations. As it happens, several businesses were more prepared than they might have initially suspected with swift, decisive responses from the largest organizations to the smallest. Sixty-one percent of respondents were able to supply staff with devices to work remotely, and 56.4 percent provided crucial training to ensure best cybersecurity practices were followed in a home environment. In the blizzard of suggested installs and unfamiliar programs recommended for WFH, the caution came into play as organizations resisted the panic-stricken kitchen sink approach; 21.3 percent told us they refrained from deploying software because it didn’t meet their standard for security. On a related note, 55 percent performed security and privacy analysis of any software suggested for their network prior to deployment. And 38.6 percent also said they’d urged employees to install antivirus tools on their personal phones while working from home. Admittedly, these aren’t the highest numbers, and, predictably, as a cybersecurity organization, we’d like to see higher rates of cybersecurity training and adoption of antivirus tools. But, that said, these numbers show that some companies are taking the right steps. Sixty-one percent of respondents were able to supply staff with devices to work remotely, and 56.4 percent provided crucial training to ensure best cybersecurity practices were followed in a home environmentAn increase in remote tools usageWe found similar boosts for instant communication/ messaging tools like Slack (34.7 percent), cloud storage solutions to manage data securely (33.2 percent), and VPN services to keep communications locked down (26.7 percent). There were also gains for password managers, with 30.2 percent claiming they used them slightly more than they used to and 19.8 percent using them significantly more. While some of these numbers may sound low, it’s worth noting that any increase in key areas of business security is a good thing—even in cases where businesses said their use had slightly increasedAll this data suggests work environments that were already secure and making good use of security and privacy tools had a reasonably smooth transition to WFH, even if the organization wasn’t previously aware it was possible. More successful and well-thought-out security policies and practices didn’t ultimately need a huge amount of change to become COVID-19 resilientMeanwhile, what’s happening in cybercrime?
Despite rolling with the punches and expressing relative confidence in their ability to transition to remote workforces, IT leaders must still contend with relative instability in the economy and in the cybersecurity space as a whole. We are currently in a period of great chaos for employees, employers, and cybercriminals alike. We know this because threat actors have been scrambling to adjust to the sudden change just as much as organizations. Instead of taking time to develop sophisticated malware families that would ultimately do a better, stealthier job of investigating new security setups in the wake of COVID-19, cybercriminals have had
to resort to using commercially available (and sometimes older) malware families just to get a look inside the networks and access points of fully remote teams—a reactive instead of proactive moveLucky for them, they had a few tricks up their sleeves how cybercriminals are adjusting to COVID-19 While cybercriminals had previously ramped up attacks on organizations and dialed down their advances on consumers over the last two years, they had to quickly adjust to a hybrid approach, targeting personal and work systems in order to smoke out at-risk employees and vulnerable remote networks. Cybercriminals expected employees to have access to corporate VPNs, cloud-based services, and business email, all of which could be used for infiltration of corporate assets if not properly secured. In addition, we’ve seen many campaigns using the fear of COVID-19 as the theme for their malicious activities both email examples were used to spread commercial malware, such as AveMaria and NetWiredRC, likely purchased in the dark web markets. Both families provide attackers with remote access into infected systems. In fact, here are some of their capabilities: • Remote desktop access • Remote webcam control • Password stealer • Downloader • Keylogger • Remote shell • Privilege escalation • System manipulation Many targeted attacks against organizations require reconnaissance, planning, and collection of information about the target. For example, a company may have an outdated version of an application installed on the base image they install on every system, and that could be a possible avenue for exploitation. When your target workforce is dispersed, there are fewer opportunities to identify specific individuals or systems for intelligence collection. As such, using the same tools to attack a corporate network may not work when dealing with a computer that may only have a loose connection to business systems. The features found in these malware families are especially valuable when attackers are faced with an unknown environment. Using tools that allow an attacker to see and control the desktop, steal passwords, and manipulate systems might seem like overkill for any regular operation, but a Swiss army knife approach is what cybercriminals need right now. As a result, Malwarebytes has seen an increase in detections of these threat families throughout the last few months. However, we noticed a massive drop in May, which may coincide with a change in tactics from the threat actors using this threat to gather information. According to our telemetry, AveMaria mostly targeted large enterprise businesses.meanwhile, NetWiredRC increased significantly from 2019 to 2020, and even in 2020, we observed a 99 percent increase in detections from January to June. In contrast to AveMaria, NetWiredRC went after small- and medium-sized organizations. Considering the various methods of infection that NetWiredRC has historically used, from exploits to malicious spam, we aren’t surprised to see this family doing so well.Analyzing confidence and potential security hubrisAny data—particularly data that points to conflicting conclusions— demands scrutiny, and that’s just what we did when looking at some of the more contradictory results in our survey.As stated earlier in our report, 73 percent of respondents scored their organization a 7 out of 10 or higher when evaluating their readiness to transition to WFH. This was a promising result, as it showed confidence on the part of IT managers, directors, and executives to maintain the productivity, performance, and security of their employees. But in looking at how respondents specifically evaluated their security posture during WFH, we must consider a hidden modifier: security hubris. The fact remains that transitioning to a WFH model in the way many organizations were forced to do—immediately, with more devices, more software deployments, and limited in-person support—has already created opportunities for more attacks. In fact, our product telemetry
Mohamed is an info sec expert with over 11 years of experience in financial and IT corporations. He started his career path as a red teamer then he continues his career path in DFIR, Threat hunting.