The accelerated shift to remote working as a result of the pandemic has changed the way we work forever. Now, just a year-and-a-half on from the start of global lockdowns, it’s clear that coronavirus was even more impactful than we could have imagined.
In my blogs last year, I discussed how the pandemic will increase our reliance on the cloud, accelerate business change and create new IT norms across industries. Many organizations are still implementing remote working policies, or hybrid working policies where employees can flexibly work in the office or from home. This kind of hybrid working has become routine, which is why ensuring cyber security policies are airtight is critical.
In fact, the increase in breaches due to remote working has shown that a new security structure is essential for businesses and (re)insurers to manage future cyber threats. Let’s take a look at how industries have responded to hybrid working and what organizations need to do to prevent future cybercrime.
What are hybrid working dynamics like now?
As I mentioned in a previous blog — Is the pandemic creating new IT norms? — the move to remote working was most likely going to make businesses more vulnerable to cyber attacks, especially those that didn’t implement the right cyber security policies. Over the past year, a recent survey found that 44% of organizations did not provide the appropriate cyber security training to their employees, and 68% did not offer the necessary anti-virus software for work-issued devices.
Similarly to the beginning of lockdown, attacks on remote working infrastructure are still a priority for cyber criminals, and as we move into a more set routine of hybrid working, this will only become more of a problem. Weak/bad passwords are a major issue on home routers, PCs and other work devices, Windows is still highly vulnerable regardless of location, the use of the cloud is uncontrolled and “device-hopping” is becoming even more prevalent — to name a few major concerns.
It’s not just small businesses that are vulnerable… enterprises have also been targeted over the past year.
The rise of enterprise cyber attacks
While advanced information sharing has become second nature, it has also opened businesses up to more cyber risk. Tools that were quickly adopted didn’t always have the right security measures in place, demonstrated by the half a million Zoom user accounts that were compromised in April 2020. Even large enterprises like Twitter were the target of a low-tech, low-resource attack.
Let’s look at that attack in more detail.
Why the Twitter cyber attack matters
In July 2020, Twitter was the victim of a cyber attack. Hackers were able to access Twitter’s high-level administrative system, allowing them to reset passwords and take over various Twitter accounts. Initially, the attack started as a scheme to steal and sell unique usernames on Twitter, but it soon led to the hackers hijacking influential accounts to scam Bitcoin.
This high-profile attack was a result of the work of a 17-year-old high school student who used the tactic of “vishing” (phishing over the phone, or voice phishing) during the home working period to gain access to the customer service portal in Twitter’s technology department.
This example of a cyber breach is especially concerning for businesses who have switched to hybrid working, as it highlights how any organization of any size can be targeted — and it isn’t always the work of professional ‘mastermind’ hackers. This hack caused financial and reputational damage, but it was relatively harm-free. The hack could have been politically motivated, for example posts from high-profile politicians threatening other countries could have been made, or hackers could have timed attacks to interfere with political elections.
It is clear, then, that businesses must prepare for any event, whether that is a professional or amateur attack.
What hybrid working means for organizations
Now that remote working has been so widely adopted by organizations, firewalls are no longer the first line of defence against any cyber attack. Businesses are even more vulnerable and must ensure they are implementing the right cybersecurity policies and strategies.
There is a question of who should be responsible for security when it comes to hybrid working. Businesses must consider ownership and governance of remote working policies going forward to instill a cybersecurity-minded culture.
It’s much more difficult to understand who has ownership of implementing security policies. Is it up to the individual? The organization? Or a mixture of both?
Businesses must look at who is responsible for creating a secure remote working environment in order to prevent any sort of cyber attack. (Re)insurers also need to be aware of any new vulnerabilities that businesses could have during hybrid working. Understanding the adequacy of an organization’s cybersecurity policies is a must to ascertain its susceptibility to many forms of cyber attacks. Getting it wrong could lead to phishing and credential theft, which is when ransomware happens and can lead to increasing losses.
Find out more about how ransomware attacks are changing and what it means for (re)insurers in our latest report — Enterprise Ransomware.
A blueprint for hybrid working going forward
If hybrid working is going to stay (and it looks like it is!), businesses need to create a blueprint for what happens next. For organizations that are permanently adopting this approach, IT departments need to consider what policies should be implemented immediately, and continually maintain and update them going forward. Let’s look at the various issues that could arise and the ways to tackle them.
The threat of phishing
In 2020, phishing was the most common kind of cybercrime, according to the FBI. That’s why it’s more important than ever to teach your employees simple tricks to avoid phishing scams through emails, for example, how to:
- Detect fake websites — if a website doesn’t look right, use Ctrl+F5 on Windows or Command+R on MacOS to reload the page. If it still looks suspicious, stay away.
- Avoid links — check the source of links before clicking them in emails. Use the telephone or an app to verify whether it can be trusted.
- Make sure it’s HTTPS — any sites that display HTTP should be avoided, as they are considered unsecure. Don’t log into any website that doesn’t use HTTPS.
Social engineering
Social engineering (SE) was, and continues to be, very popular during the pandemic, as it allows hackers to manipulate remote workers into giving out confidential information. There are many different types of SE so organizations must ensure employees are well versed on the various forms SE may take:
- Physical: “Tail-gating”, “Dumpster Diving”, staged interactions
- Social: Use of authority, playing on emotion (greed, curiosity, anger)
- Technical: Password hacking, social-media trawling
- Socio-technical: Baiting, vishing, phishing, spear phishing
- Reverse-social Engineering: Establish a “trusted entity” and wait for the victim to come.
Educating employees about the types of SE will help make sure they are double-checking the information they are giving out.
Poor password management
Research has found that many workers store their passwords digitally in an unsecured way: 51% save them in a document, 55% save them onto their phone and 49% save them in the cloud. Because hackers can easily access accounts through weak passwords, robust password management is essential, especially with hybrid working.
Employees should use strong passwords everywhere for every device that connects to the internet, e.g. routers, printers, cameras, tablets, etc. Multi-factor authentication (MFA) should be implemented whenever possible. Organizations should also ensure that their employees use varying, strong passwords that are changed on a regular basis.
Other corporate best practices for hybrid working
- Implement updated staff education that incorporates secure remote working policies
- Security test new cloud applications
- Mandate use of VPNs when conducting business from any device
- Ensure the installation of anti-virus software across devices
- Implement regular mandatory backups on all remote working devices
- Make sure Operating Systems are regularly updated, including the latest security patching.
The future risk of hybrid working
Cyber risk is fast-evolving, and with technology constantly changing, organizations must do everything in their power to prevent cybercrime. Regardless of the policies and strategies put in place, businesses should regularly review and update them.
Understanding future cyber threat trends is also vital — they are sure to impact businesses of all sizes, just as recent attacks on enterprises like Twitter, as well as SPoF attacks on organizations like SolarWinds and Colonial Pipeline, have demonstrated.
To reliably quantify the ever-changing landscape of cyber risk, (re)insurers require a cyber risk analytics solution that evolves in lockstep with the risk, including the varying levels of risk as the world heads into a new working paradigm. With CyberCube’s end-to-end solutions, developed by the largest, cyber-dedicated team in the industry, (re)insurers can know that the analytics they rely on are up-to-date and allow them to make decisions with confidence.
Learn even more about how the pandemic has impacted cyber risk in our free report — Pandemic Under the Microscope.