A hastily designed distributed workforce can massively impact the pre-existing risk profile of any enterprise
As we all know by now, the Covid-19 pandemic is a game-changer. It is the biggest paradigm shift in both business and social norms that we have seen in our lifetime. The workforce has shifted from the office buildings, which are now desolate and empty, to the safety of their homes. Our houses and apartments are our new offices. And this was not voluntary or thoroughly planned out, but a desperate attempt to survive, ensure out continuity and keep from obliteration.
As fleeting as we hoped this situation to be, we must accept and prepare ourselves, because this "distributed workforce" or "work-from-home" culture is here to stay for the foreseeable future. And, many of us have done a great job of adjusting our businesses rapidly amidst such uncertainty... but at what cost?
As an entrepreneur, business owner, and manager, we need to understand that few corporate systems and infrastructures were primarily designed to operate such a large distributed workforce. A hastily designed distributed workforce can massively impact the pre-existing risk profile of any enterprise.
It can open up new attack vectors and further burden the ones having to defend the enterprise, which is a difficult job in any condition and environment. This rapid and unplanned shift to a remote environment has exponentially increased the threat and we need to acknowledge this early on.
Over the past few weeks, there has been a volatile spike in cyber-attacks. In recent weeks, we have seen many data breaches and system compromises that can be attributed to the shift to a distributed workforce. Threat actors (bad hackers) are taking advantage of this chaos and attacking more and more systems. Recently, even a few new APT (Advanced Persistent Threat) groups, also known as cybercrime groups, are sprouting up.
The distributed workforce has even changed the day-to-day interactions we do for business, both at technical and operational levels. This surge in a remote work environment has forced us to increase our usage and dependencies on several potentially vulnerable services. Just recently, as people were becoming dependent on it, the popular video conferencing platform Zoom suffered a massive data breach where hackers dumped over 500,000 valid Zoom accounts on different hacker forums for less than a $1, and sometimes for free.
This lead to what is now known as a "Zoom-bombing" prank and other malicious activities. This is just an example of how severely and suddenly these hackers can affect us if we are not careful from the start. According to reports, Zoom is still good enough to use considering the steps they have taken to mitigate their vulnerabilities.
They have recently said that they will not provide end-to-end encryption for their free users because they want to comply with law enforcement agencies. So, based on that, I would not recommend sharing private and confidential information over the free version of Zoom.
While working from home, we need to access the company IT infrastructure, for various reasons. And for that, we needed to create a Virtual Private Network into infrastructure, for employees that who did not ever think work would be anything other than on-premises.
Many companies have gone from having to use absolutely no VPNs, or very limited VPNs, to having to establish hundreds, even thousands, of new connections practically overnight in a desperate attempt to adapt to this new environment. How many of these new overnight connections have compromised the enterprise's security posture? Do we know for certain what is on our home network? What about our wireless security?
Open and weak networks are easy targets for opportunistic attackers.
One other thing we should be careful about is that we now have to give access to VPN to a wide range of remote employees. Regardless of what their access privilege is, multiple layers of employees will most likely be using the same VPN connection to gain access into the enterprise infrastructure, and not all devices will be company-owned. Not all of the employees sharing the same connection may be equally aware of their security posture. This can present a lot of new vulnerable points that may be exploited to gain entry into the enterprise IT infrastructure.
Home devices, more often than not, are shared with family members. Maybe the children use it for online classes, maybe the wife uses it for her work. Maybe you even have a shared, single user account on your computer. How does the organisation secure and monitor these personal endpoints? How do they distinguish between employee and non-employee activity? How does the organisation verify the security of a random device in the employee's flat home network?
All of these are difficult enough to control in an enterprise environment, let alone in a home office domain.
Your company's security is in your hands, it always has been. Even as you are prioritising Business Continuity and Disaster Recovery and playing out contingencies, as you should, I believe that everyone needs to consider the longterm risks along with the short-term gains. Even before Covid-19 came to being, everyone knew that enterprise IT infrastructures were always at risk with their cybersecurity and this situation, through no fault of our own, has increased the threat to our enterprises multifold.
It is more important now that we broaden our understanding of the risks in this new, emerging threat landscape and be aware of our cyber risk posture. Emphasise on security testing and assessments. If needed, adhere to a Zero-Trust model and secure all VPNs as well as the external perimeter of your organisational IT environment.
Prioritise security along with business continuity and disaster recovery, always. It will pay off eventually. In cybersecurity, it always pays off to be proactive, rather than being reactive.
Stay Home - Stay Safe.
Mohammed Muqeet Halim is the Chief Executive Officer of Beetles Cyber Security Ltd.