Most businesses and security experts agree that the shift to remote work has encouraged malicious actors and opened new attack surfaces for them to exploit. For example, the APWG’s new Phishing Activity Trends Report reveals that in the first quarter of 2022, they observed 1,025,968 total phishing attacks — the worst quarter to date.
According to the FBI’s Internet Crime Complaint Center (IC3), thieves have stolen US$3 billion through compromised business emails since 2016. The report also recorded a 65% rise in identified global losses between July 2019 and December 2021 and suggests the increase can be “partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic”.
Remote infrastructures invite attack
According to Forrester, 74% of organisations attribute recent cyberattacks to vulnerabilities in technology put in place during the pandemic. Over half of remote workers access customer data using a personal device, yet 71% of security leaders lack high or complete visibility into remote employee home networks. This gap is well understood by bad actors, as reflected in the fact that 67% percent of business-impacting cyberattacks target remote employees. Attacks included in the report resulted in the loss of confidential data, interruption of daily operations, a ransomware payout, financial loss, or IP loss.
Attackers are drawn to remote workers because they often represent weaknesses in a company’s security infrastructure. For example, they use the same devices for business and personal tasks, and many of those devices are out of your IT’s department’s control. VPNs and encrypted tokens will lock down a computer, but workers may access emails and texts over a personal smart phone or use home wireless printers which aren’t secured according to company policy.
Also, home networks may be unsecured. A remote employee’s personal Wi-Fi network may not be updated with the latest security and virus software. Wi-Fi routers may not be password protected or may use the default router passwords, and as the ZuoRAT attacks have illustrated, many popular routers can be compromised.
Follow best practices to lower remote risk
To help manage risk associated with remote workers, businesses should take basic steps to bolster security for these employees. It is worth consulting with subject matter experts on your detailed policy requirements, but there are some clear best practices that it makes sense to follow – and it’s important to maintain the understanding that policies will need regular oversight, review, and revision as part of your ERM process.
Strengthen password standards and requirements
Companies should update password policies so they’re harder to steal or guess, and these policies should be regularly reviewed by risk management teams as well as IT as part of the standard process. Beyond the usual tips to avoid using “Password1” or information that can easily be found in social media, you can help employees to avoid compromising passwords by investing in password managers, such as LastPass, Keeper, or Password Safe, at the company level.
Test and review network security regularly
Managing security risk requires diligence. Company security teams and IT should conduct penetration tests (‘pen tests’) on essential applications, networks, and infrastructure on a regular basis. These tests try to find vulnerabilities and lock them down before the attackers find them and help themselves to the network. The pen test results should be reviewed by your company’s business, risk, and security leaders, to ensure the results flow through into your ERM program.
Help employees implement best practices
For remote equipment that accesses a company network, employ software to ensure the latest antivirus applications and security patches are installed before the equipment is granted permission to connect. Help employees avoid phishing attacks and follow password policies with regular education offered several times a year in short segments. Where possible introduce checks and balances to ensure best practices are followed – and ensure that the results of all these areas feed into your ERM program.
Risk teams must prepare for breach and recovery resilience
Because businesses are constantly playing catch-up with the latest malware, risk teams need to enhance risk management and compliance practices around remote security. Your risk management process should assess the impact of attacks on critical business services and assets, including sensitive data loss and data or processes hijacked by ransomware. Risk leadership should also work with the security team to craft a recovery plan in case of a breach.
Companies that aren’t following a formal security protocol should consider following the ISO 27000 series of security standards and best practices. The standards offer a systematic approach to information security risk management around people, processes, and technology.
They outline proven and effective security practices, generalised for any industry and any size business.
Cyber attacks should also be an important part of your operational resilience planning process, as they represent a prominent disruptive scenario that could severely damage the health of relevant data and systems resources. Your operational resilience assessment should be based around the cyber risk information that you’ve captured as part of the ERM process.
In a post-pandemic world, remote work is standard operating procedure, but it doesn’t have to be a gaping security risk. Smart security practices, risk assessment, compliance management and operational resilience will help businesses minimise attack surfaces and recover quickly if attackers do get through.
Protecht's Complete Guide to Achieving Operational Resilience eBook gives you a detailed look at Operational Resilience, to learn exactly what makes it different from Disaster Recovery and Business Continuity and to get a list of steps to help you develop your own Operational Resilience capability. Find out more and download it now.