After the dust settled in makeshift home offices across the UK, some newly remote workforces appear to have achieved something close to ‘business as usual’.
But that’s not true of the cybersecurity landscape, where new threats have arisen, from coronavirus phishing scams to less visible disruption in how workforces connect.
Devices have changed, communication has been disrupted and cybersecurity schedules have been put on ice or sacrificed entirely for the sake of continuity.
Three cyber experts spoke to 老九品茶Cloud about the new cybersecurity blind spots caused by the pandemic – and why considering the ‘lockdown’ as temporary could increase risk.
Chris Woods, CEO of Midlands firm CyberQ Group, has 22 years of experience in cybersecurity, beginning his career at Fujitsu as a penetration tester before becoming cybersecurity director at HP and working with the likes of GCHQ.
His firm, which has 33 employees across the UK, Manila and the US, does dark web scanning, digital human reconnaissance and security testing for big business and enterprise clients.
The insider threat
Among the new threats Woods has identified since the start of 2020 is an increased risk of ‘insider threat’, cybersecurity attacks carried out at least in part by employees.
The motivation for these attacks is mainly financial gain through the sale of intellectual property and business data on the dark web.
Woods said the dark web is not as mysterious as is often described. These marketplaces have adapted to meet customer needs in much the same way as Amazon or eBay.
Dark web customers still want a good user experience, and dark web sellers still need good ratings. The only difference in these marketplaces is the legality of the products on sale: they include drugs, weapons and counterfeit products.
Woods said there has been an “explosion” in the sale of stolen intellectual property and sales spreadsheets on these marketplaces. During a scan of the dark web for a client, his firm found the client’s entire sales database – headed with the name of an employee – and including potential customers’ details and turnover figures.
“[The named employee] didn’t put the document on the marketplace. He was playing five-a-side football with one of his mates, who asked if he wanted to earn additional revenue,” explains Woods.
“He said ‘yes’ because he wanted to take his kids to Florida and he thought this would be a very easy crime to commit.”
The employee sent his friend the document, who put it on the dark web marketplace in exchange for bitcoin.
Woods says it is not often employees who instigate such a data sale, but they are the first chapter of a more complex attack.
Many individuals organise the sale of business data for a cut of the profits, he says. “The insider threat, particularly in the current economy with people being made redundant, is a potential area of growth,” he warns.
“Someone working for a company may think that they haven’t got important data, but a database of sales can be very useful to competitors.
“I think most people will know if their employer is in bad shape. If they get an opportunity to raise additional money by selling some information, that could be a valid option for them if they are desperate. It’s something that all organisations should be aware of.”
Holly Grace Williams, MD of Manchester-headquartered cybersecurity firm Secarma, agrees. “People might think of insider threat as people who are inherently malicious,” she says.
“[But] it could just be people who are under duress: someone at risk of losing their job or someone who is financially restricted.”
Williams points to an AT&T attack in which employees were reportedly bribed to plant malware in the firm’s systems, helping cyberattackers gain access to locked devices.
Williams spent the first seven years of her career in defensive security for the military before completing a masters and moving into penetration testing. She describes pen-testing as “breaking into computers and buildings for a living”.
Empty offices are still at risk
While working from home isn’t necessarily more dangerous than the office if the right systems are in place, according to Williams, an empty office does pose problems.
“There are a lot of organisations out there whose offices are entirely unattended now and have been for months,” she says.
“It means that the location of staff members could vary.”
Network or Wi-Fi access points left unattended for long periods of time could be taken advantage of. “That could be a simple fix. If you have an office that you know isn’t going to be used or is only going to be used during certain times, you could disable those ports, you could implement network access control, you could disable Wi-Fi,” she suggests.
“But for some companies, that isn’t at the forefront of what they’re currently dealing with, and it’s just something that’s been missed.”
While Williams says this threat isn’t necessarily new, its priority in the long list of potential threats has moved. So too has the notion of ‘Bring Your Own Device’, or BYOD.
Cybersecurity procedures for employees who want to work on their own device are well established, she says, but these procedures are less likely to have been properly carried out during the rush to keep workers at home.
“Have companies moved to BYOD very quickly? Have they moved under duress or with good change management?” she asks.
“Have organisations considered the fact that the perimeter may have moved? A lot of organisations consider everything within their network perimeter as the thing they’re worried about.”

(l-r) Harman Singh, Holly Williams and Chris Woods
Harman Singh, director of Altrincham-based Cyphere, agrees with this new approach to thinking about a company’s ‘perimeter’.
“It’s not a physical boundary, it’s a logical one. In traditional networks, we have a firewall protecting the entire company which the traffic goes in or out of, and you can keep an eye on which to allow,” he explains.
Infrastructure complexity
“The advent of cloud and also mobile computing is outpacing everything else. We now have all sorts of freedom for the vendors and employees to work from home or bring their own devices to the office networks, or use SaaS platforms.
“This is adding to the complexity of the whole challenge.”
Adding new products into the business infrastructure can also pose new threats, he says, even if these products are intended to help mitigate cybersecurity risk.
While he is not against bringing new products into the office infrastructure to help with cybersecurity, he suggests a focus on ‘security hygiene’ instead.
“Products are being breached. During the pandemic, all the big vendors have big critical vulnerabilities being exploited,” he says.
“If you keep accumulating products, these spit out data and data gets out of control, and that’s what ends up on the internet. That could be the end of a business,” he says.
“You don’t have control over all your assets, but you can have control of who is coming into your network.
“You can have appropriate policies or restrictions in place to make sure your risk appetite is already determined and in place, so if anything goes wrong you know how to contain those.”


