After the dust settled in makeshift home offices across the UK, some newly remote workforces appear to have achieved something close to ‘business as usual’.
But that’s not true of the cybersecurity landscape, where new threats have arisen, from coronavirus phishing scams to less visible disruption in how workforces connect.
Devices have changed, communication has been disrupted and cybersecurity schedules have been put on ice or sacrificed entirely for the sake of continuity.
Three cyber experts spoke to BusinessCloud about the new cybersecurity blind spots caused by the pandemic – and why considering the ‘lockdown’ as a temporary could increase risk.
Chris Woods, CEO of Midlands firm CyberQ Group, has 22 years of experience in cybersecurity, beginning his career at Fujitsu as penetration tester before becoming cybersecurity director at HP and working with the likes of GCHQ.
His firm, which has 33 employees across the UK, Manila and the US, does dark web scanning, digital human reconnaissance and security testing for big business and enterprise clients.
The insider threat
Among the new threats Woods has identified since the start of 2020 is an increased risk of ‘insider threat’, cybersecurity attacks carried out at least in part by employees.
The motivation for these attacks is mainly financial gain through the sale of intellectual property and business data on the dark web.
Woods said the dark web is not as mysterious as is often described. These marketplaces have adapted to meet customer needs in much the same way as Amazon or eBay.
Dark web customers still want a good user experience, and dark web sellers still need good ratings. The only difference in these marketplaces is the legality of the products on sale: they include drugs, weapons and counterfeit products.
Woods said there has been an “explosion” in the sale of stolen intellectual property and sales spreadsheets on these marketplaces. During a scan of the dark web for a client, his firm found its entire sales database – headed with the name of an employee – and including potential customers’ details and turnover figures.
“[The named employee] didn’t put the document on the marketplace. He was playing five-a-side football with one of his mates, who asked if he wanted to earn additional revenue,” explains Woods.
“He said ‘yes’ because he wanted to take his kids to Florida and he thought this would be a very easy crime to commit.”
The employee sent his friend the document, who put it on the dark web marketplace in exchange for bitcoin.
Woods says it is not often employees who instigate such a data sale, but they are the first chapter of a more complex attack.
Watch our ‘cybersecurity and threat actors during COVID-19’ event in full below
Many individuals organise the sale of business data for a cut of the profits, he says. “The insider threat, particularly in the current economy with people being made redundant, is a potential area of growth,” he warns.
“Someone working for a company may think that they haven’t got important data, but a database of sales can be very useful to competitors.
“I think most people will know if their employer is in bad shape. If they get an opportunity to raise additional money by selling some information, that could be a valid option for them if they desperate. It’s something that all organisations should be aware of.”
Holly Grace Williams, MD of Manchester-headquartered cybersecurity firm Secarma, agrees. “People might think of insider threat as people who are inherently malicious,” she says.
“[But] it could just be people who are under duress: someone at risk of losing their job or someone who is financially restricted.”
Williams points to an AT&T attack in which employees were reportedly bribed to plant malware in the firm’s systems, helping cyberattackers gain access to locked devices.
Williams spent the first seven years of her career in defensive security for the military before completing a masters and moving into penetration testing. She describes pen-testing as “breaking into computers and buildings for living”.
Empty offices are still at risk
While working from home isn’t necessarily more dangerous than the office if the right systems are in place, according to Williams, an empty office does pose problems.
“There are a lot of organisations out there whose offices are entirely unattended now and have been for months,” she says.
“It means that the location of staff members could vary. “
Network or Wi-Fi access points left unattended for long periods of time could be taken advantage of. “That could be a simple fix. If you have an office that you know isn’t going to be used or is only going to be used during certain times, you could disable those ports, you could implement network access control, you could disable Wi-Fi,” she suggests.
“But for some companies, that isn’t at the forefront of what they’re currently dealing with, and it’s just something that’s been missed.”
While Williams says this threat isn’t necessarily new, its priority in the long list of potential threats has moved. So too has the notion of ‘Bring Your Own Device’, or BYOD.
Cybersecurity procedures for employees who want to work on their own device are well established, she says, but these procedures are less likely to have been properly carried out during the rush to keep workers at home.
“Have companies move to BYOD very quickly? Have they moved under duress or with good change management?” she asks.
“Have organisations considered the fact that the perimeter may have moved? A lot of organisations consider everything within their network perimeter as the thing they’re worried about.”
Harman Singh, director of Altrincham-based Cyphere, agrees with this new approach to thinking about a company’s ‘perimeter’.
“It’s not a physical boundary, it’s a logical one. In traditional networks, we have a firewall protecting the entire company which the traffic goes in or out of, and you can keep an eye on which to allow,” he explains.
“The advent of cloud and also mobile computing is outpacing everything else. We now have all sorts of freedom for the venders and employees to work from home or bring their own devices to the office networks, or use SaaS platforms.
“This is adding to the complexity of the whole challenge.”
Adding new products into the business infrastructure can also pose new threats, he says, even if these products are intended to help mitigate cybersecurity risk.
While he is not against bringing new products into the office infrastructure to help with cybersecurity, he suggests a focus on ‘security hygiene’ instead.
“Products are being breached. During the pandemic, all the big vendors have big critical vulnerabilities being exploited,” he says.
“If you keep accumulating products, these spit out data and data gets out of control, and that’s what ends up on the internet. That could be the end of a business,” he says.
“You don’t have control over all your assets, but you can have control of who is coming into your network.
“You can have appropriate policies or restrictions in place to make sure your risk appetite is already determined and in place, so if anything goes wrong you know how to contain those.”