Due to the ongoing global situation, organisations have to quickly learn how to do more with fewer resources, and under more chaotic circumstances. Gartner stated in a recent survey that IT spending will decline by 8% in 2020 due to the impact of COVID-19. This means that going forward, IT teams, who have never had the luxury of unlimited budgets, will have to reassess their resources and downsize them even further, while cyber threats will most likely continue to escalate both in scope and impact.
To survive, organisations need to set priorities and protect against the cyber threats that are either most common or damaging. Let’s take a deeper look into the threats that are prevailing now and see how these can be mitigated.
Threat #1. Phishing.
The past four months of the COVID-19 pandemic have demonstrated how diverse and sophisticated phishing attacks can be. Recent research has found that a new type of coronavirus-related email has emerged, disguised as training packages to ease remote workers back into office life. The number of such attacks is astonishing: the NCSC's Suspicious Email Reporting Service received over a million reports of scam emails within two months of its launch. Each of those malicious emails might lead to attackers breaking into the organisation’s corporate network and stealing sensitive data.
To protect themselves against phishing attacks, organisations should take a thorough approach. It starts with using tools to prevent delivery of spam and phishing emails to users. While email filters and specialised anti-spam solutions may have a hard time identifying well-crafted spear-phishing messages, they can stop less sophisticated attacks. Endpoint protection and anti-malware solutions are typically the first line of defence for limiting the impact when users fall prey and open a malicious attachment or follow a link to a malware-infected website. Yet it is important to minimise this risk as much as possible and to continuously educate users. Phishing awareness training might range from virtually free tools, such as a newsletter from the IT security team, to advanced training programmes. Plug-ins that help users visually identify external emails or potentially suspicious links are also helpful.
However, even with all these measures in place, there is no guarantee that the risk of an attack is completely eliminated. Organisations need to plan for the worst case and be able to spot a potential attack at an early stage, as well as to minimise its damage. To achieve this, it is necessary to ensure that permissions are granted according to the least-privilege principle and that sensitive data is not moved or copied out of its dedicated protected locations. While there are various ways to implement this, from manual processes and scripts to third-party solutions, I would recommend that organisations standardise the process as much as possible and look for easy-to-use tools with broad coverage and integration capabilities. All of this can significantly reduce operational costs and extract maximum value from the chosen toolset.
Threat #2. Remote access threats.
Where lockdown eases, the majority of organisations combine in-office and “Work from Home” formats, with the latter prevailing. In fact, a recent Gartner survey found that 82% of company leaders plan to allow employees to work remotely at least some of the time. This means that the challenge of ensuring secure remote access to corporate networks will remain. In addition, many remote employees use personal devices that are more vulnerable than corporate PCs or laptops, which means that the security risks grow exponentially.
A range of tools, such as various endpoint protection options or mobile device management, are available to protect an organisation against such risks, but one essential measure is to secure remote access with a VPN connection. First, restrict what the VPN connection can reach to a particular host or subnet. One of these hosts can be an employee’s secured corporate device that is monitored by the IT team, or a terminal server. In this case, if hackers access the employee’s device, they will reach a subnet with limited access rather than the whole corporate network with its critical servers, and will have to make further efforts to break into the rest of the company. This gives the IT team the opportunity to spot and terminate the attack at an early stage. It is important that the IT team receives alerts about signs of such attacks, such as a large number of logons and failed logons, IDS signature alerts, or suspicious VPN logons from unknown IP addresses or from IP addresses in suspicious geographical locations. Last but not least, it is necessary to patch network devices in a timely manner. Since a range of vulnerabilities have been announced over the past months, failure to do so might render all the above measures ineffective.
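As an added example that is not part of the original article, the following script applies the alerting signs just described (failed-logon bursts, logons from unknown IP addresses, logons from unexpected countries) to constructed VPN log lines; the log format, the corporate address ranges, the expected country and the failure threshold are all assumptions:

```python
# Added example (not from the article): flag the VPN logon signs the text lists
# over constructed log lines; format, ranges and thresholds are assumptions.
import ipaddress
from collections import Counter

# Constructed sample lines: timestamp user source_ip country result
VPN_LOG = """\
2020-06-01T08:01:10 alice 203.0.113.5 GB success
2020-06-01T08:02:30 bob 198.51.100.7 GB success
2020-06-01T08:03:00 carol 192.0.2.9 RU failure
2020-06-01T08:03:05 carol 192.0.2.9 RU failure
2020-06-01T08:03:10 carol 192.0.2.9 RU failure
2020-06-01T08:03:15 carol 192.0.2.9 RU failure
2020-06-01T08:03:20 carol 192.0.2.9 RU failure
2020-06-01T08:03:25 carol 192.0.2.9 RU success
2020-06-01T08:10:00 dave 203.0.113.8 GB success
"""

# Assumed corporate egress ranges (documentation prefixes) and staff locations.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"GB"}
FAILURE_THRESHOLD = 5  # assumed: failed logons per user before alerting

def parse_vpn_log(text):
    """Turn log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, user, ip, country, result = parts
            events.append(dict(ts=ts, user=user, ip=ip, country=country, result=result))
    return events

def vpn_alerts(events):
    """Return (alert_type, subject) tuples, one per sign found."""
    alerts = []
    failures = Counter(e["user"] for e in events if e["result"] == "failure")
    alerts += [("failed_logon_burst", u) for u, n in failures.items()
               if n >= FAILURE_THRESHOLD]
    for e in events:
        if e["result"] != "success":
            continue  # only successful logons actually reach the network
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in KNOWN_NETWORKS):
            alerts.append(("unknown_ip_logon", f"{e['user']}@{e['ip']}"))
        if e["country"] not in EXPECTED_COUNTRIES:
            alerts.append(("unexpected_country_logon", f"{e['user']}@{e['country']}"))
    return alerts
```

In a real deployment the failure count would be evaluated over a sliding time window and the address ranges fed from the VPN concentrator's own configuration rather than hard-coded.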
Threat #3. Insider threats.
One study has shown that 48% of employees are less likely to follow safe data practices when working from home. In most cases, the incidents that follow will not be malicious, but will be the result of human error or employee negligence. Looking at these statistics, it’s important to understand the most common mistakes that pose the biggest risk. The first is unauthorised data sharing. According to the recent Netwrix 2020 Data Risk & Security Report, one third of organisations (29%) do not track data sharing among employees, and another 25% have only error-prone manual processes for tracking. Yet, when working remotely, employees are particularly prone to this mistake, as they often share sensitive data or credentials insecurely just to do their job faster. Another type of mistake is excessive content downloads. VPN failures or a poor Internet connection may frustrate employees so much that they are tempted to download as many documents from the corporate file shares as possible and store them on their own personal hard drives. Last but not least, cloud collaboration platforms pose a particular insider-threat risk if regular users get more access privileges than they should, or share sensitive data in insecure chats and channels.
While the common stereotype is that external attackers are more dangerous than insiders, in reality insiders might be even more damaging than hackers, since it is harder to flag risky behaviour by a legitimate user. Therefore, it is important that IT teams have sufficient visibility into user activity across all critical systems, both on-premises and in the cloud, and are alerted about suspicious behaviour. It is essential to monitor who is downloading what content and to take action when download spikes occur. It is also important to monitor changes to group memberships in cloud collaboration tools and to review who has access to what on a regular basis, to prevent data exposure and a potential data breach.
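As an added example that is not part of the original article, the following script implements the download-spike monitoring described above over constructed file-share access lines, comparing each user's daily download count against that user's own earlier days; the log format, the baseline rule and the thresholds are assumptions:

```python
# Added example (not from the article): flag per-user download spikes on a
# file share over constructed access-log lines; log format, baseline window
# and spike rules are assumptions for illustration.
from collections import defaultdict
from statistics import mean

# Constructed sample lines: date user action path
SHARE_LOG = """\
2020-06-01 alice download /finance/q1.xlsx
2020-06-01 alice download /finance/q2.xlsx
2020-06-01 bob download /hr/policy.pdf
2020-06-02 alice download /finance/q3.xlsx
2020-06-02 bob download /hr/handbook.pdf
2020-06-03 alice download /finance/q4.xlsx
2020-06-03 alice upload /finance/notes.txt
2020-06-03 bob download /hr/forms.pdf
2020-06-03 bob download /hr/benefits.pdf
"""
# Constructed burst: bob pulls twelve HR files in a single day.
SHARE_LOG += "".join(f"2020-06-04 bob download /hr/file{i}.pdf\n" for i in range(12))

SPIKE_RATIO = 3.0   # assumed: a day must be >= 3x the user's own baseline
MIN_DOWNLOADS = 10  # assumed: and at least this many, to ignore tiny baselines
MIN_BASELINE_DAYS = 2

def daily_downloads(text):
    """Count download events per user per day; other actions are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "download":
            day, user = parts[0], parts[1]
            counts[user][day] += 1
    return counts

def download_spikes(counts):
    """Return (user, day, count, baseline) for days far above a user's norm.
    The baseline is the mean of that user's earlier active days only."""
    spikes = []
    for user, per_day in counts.items():
        history = []
        for day in sorted(per_day):
            n = per_day[day]
            if len(history) >= MIN_BASELINE_DAYS:
                baseline = mean(history)
                if n >= MIN_DOWNLOADS and n >= SPIKE_RATIO * baseline:
                    spikes.append((user, day, n, round(baseline, 2)))
            history.append(n)
    return spikes
```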
In IT teams today, members have to wear multiple hats, as they have to keep operations in hybrid organisations running as well as protect employees from cyber threats. In this context, prioritising efforts and focusing on the most critical threats is key. This includes looking for technologies that are flexible and enable them to tackle multiple tasks from a single pane of glass.