The COVID-19 crisis forced millions of people to suddenly work from home, something that presented cybercriminals with a whole new target audience for their attacks. People newly working from home tended to not be aware of what types of emails they would usually receive from their company IT admins, for example, which gave malicious actors a new phishing opportunity. There were all kinds of attacks to try: old, trusted tactics plus new ideas that users might be less alert to.
According to Europol, “With a record number of potential victims staying at home and using online services across the European Union (EU) during the pandemic, the ways for cybercriminals seeking to exploit emerging opportunities and vulnerabilities have multiplied.” Enterprises are at greater risk of being exploited, and more endpoints simply means a much larger risk surface.
What is being done about it?
Businesses and governments in Denmark and Norway have been working together to address a cybersecurity shortfall for companies in both countries. In March 2020, the Danish Centre for Cyber Security published a revised threat assessment. The cybercrime threat was assessed to be “Very High.” The report outlines the risks inherent in working from home and the potential for personal equipment and devices to become vulnerable. Governments in the Nordic region have encouraged companies to let employees work from home to try and control the spread of the virus, and advised employers to put in place requisite policies and remote access infrastructure.
This is because homeworking comes with an expanded number of risks, such as increased dependence on email, videoconferencing and unified communications and collaboration (UC&C) tools. These tools can make workers more productive, of course, but also more vulnerable to social engineering attacks. Workers using personal devices that don’t contain enterprise-level cybersecurity measures can leave the door open for cybercriminals and malicious actors. Orange recently released Security Navigator 2020, which provides up-to-the-minute information from our 10 global CyberSOCs, invaluable insights into the current threat landscape, attack patterns and statistics for your business size and vertical, and much more.
Cybersecurity as a strategic measure
Until now, working from home has been an enforced necessity – but it might go on a lot longer and become normalized. If that’s the case, it effectively becomes a standard business practice and needs to be formalized. Looking at it strategically, homeworkers and their personal devices will become parts of your corporate network, and they need to be treated and managed as such. Unsecured home routers need to be considered as corporate devices, so their passwords must be stronger, for example. In a second, more long-term step, ISPs could be encouraged by businesses to rollout “COVID-19 grade” home routers that come with reinforced security and an option to allow corporate IT teams to implement specific configurations that correspond to their enhanced security policies.
If homeworking continues as part of the new normal, you will need to create processes and procedures that cover cybersecurity for home devices. If you’re an enterprise of any size, you have probably gone through something similar to this in recent memory, with bring your own device (BYOD), where you had to ensure that devices your workers were taking to the workplace were secure enough. Now you need to do something like that but without the devices being brought to your physical premises.
What else should you do about it?
All the in-house cybersecurity due diligence in the world could not legislate for most of your workforce suddenly being forced to work from home at the same time.
So you had a new army of remote workers who were probably entirely unaware of basic cybersecurity measures. They were not used to working from home, so they would not be used to the security requirements and thinking that go with it. You can mitigate those vulnerabilities, though, and increase your company’s cybersecurity resilience. In all cases, end-user training, awareness and education are increasingly paramount: in this new era, end users need additional security empowerment more than ever.
Keep devices secure and up to date: Make sure all your remote workers have switched on all automatic security updates, antivirus and firewall. Device safety extends to networking devices, too. Be sure to check for and apply all updates for your networking devices, and make sure passwords are secure.
Strengthen your perimeter: Your perimeter used to be your office or your factory; now it extends to your workers’ homes. So you need to upgrade it, and you need to have the tools in place to identify and deflect threats before attackers can penetrate your company’s systems. Detection and monitoring controls can help you minimize your exposure to attack and limit access to your data when your teams work remotely.
Strengthen your remote access management policy and procedures: You should implement multifactor authentication for VPN access, IP address whitelisting and limits on remote desktop protocol (RDP) access and increase scrutiny of remote network connections.
Fortify end-point protection: Protect devices against standard and advanced malware, test security software to make sure it works as it should and harden and patch your devices.
Defending against phishing: It sounds simple, but make sure your employees are well trained. Set up simulated spear phishing attacks against employees to keep them alert, and try simulating attacks that promise recipients information about COVID-19 or that masquerade as IT help desks performing work-from-home checks.
Shadow IT: Monitor shadow IT, and make sure your employees who are working from home use approved apps and solutions as much as possible.
Brace for disruption
Overall, as working from home becomes increasingly normalized, you need to apply your traditional cybersecurity thinking to a wider network of endpoints. Be aware that preventative measures generally only go so far, and stay ready to respond fast in case of a breach. It typically pays to think of cyberattacks as a matter of “when” rather than “if,” but with the right measures in place, you can minimize that risk.
Gain valuable insights into the cybersecurity threat landscape with first-hand information from our global CyberSOCs in this whitepaper from Orange Cyberdefense.
Simon Ranyard is Managing Director for Nordics, UK and Ireland at Orange Business Services and is based in London, England. With 20 years' experience in ICT in sales functions, Simon is driving a revenue growth plan by focusing on the innovative services that Orange can bring to its customers and on continuously improving the way we work with them.
In his spare time, Simon is a keen cricket fan and enjoys supporting youth development in the game.