Reported breaches are reportedly down. This is likely not because there are fewer breaches, just fewer reports.
Wait six months and see what the breach reports look like.
Security firm Tessian released their State of Data Loss report and here are some of the things they found.
52 percent of employees feel they can get away with riskier behavior at home, like sharing confidential files by email.
Part of the reason for not following safe practices is that many employees are using their own computers rather than a company-issued one.
Another reason is that security and IT are not watching them.
Employees have more distractions at home, making it difficult to concentrate. Distractions include kids, roommates and not being in their normal office environment.
Some employees say they are being forced to cut security corners because they are under pressure to get the job done.
Half of the people said that they had to find workarounds to the rules in order to work efficiently.
None of this is news.
Employers are the ones that will get to pay for this in the long run. If an employee causes a breach by cutting corners you may fire them (and you may also get sued by them because they may say that you forced them to cut corners – whether true or not), but even if you do, you will get to write that check for thousands or millions of dollars. And suffer the reputation damage.
Many companies do not have good (or any) real-time security monitoring and alerting systems in place. The effect of this is that even if you are breached, you won’t know about it.
Do you know the most common way companies find out about a breach?
YUP, it is when some third party like the POLICE, FBI or CREDIT CARD COMPANIES tell them they have been breached.
So while no one really wants to spend the time and money right now, now is the time that you have to spend time and money.
Alternatively, you can spend that money in breach response.
While the subject line shouldn’t surprise anyone, we are beginning to see more data on the subject. Here are some examples:
Threatpost surveyed their readers about their “comfort level” regarding remote work preparedness. 52 percent – roughly half – said that they “feel” prepared for the transition. 20 percent admitted they were struggling. Given the fact that in normal times we hear about breaches every day, feeling prepared doesn’t give me a lot of comfort. 40 percent say they are seeing an increase in cyberattacks as they move to work from home. That, of course, doesn’t address the VAST majority of small and medium-sized businesses that have no monitoring in place to detect such activity beyond traditional anti-virus software, which isn’t really up to the task.
13 percent of the respondents said that they were only ready to move a small part of their workforce to work from home and 5 percent weren’t ready at all.
For 70 percent of the responders, enabling remote work is new for them. I suggest this means that they don’t even know what the attacks will look like, so the 52 percent who “feel” prepared are likely optimists.
In fairness, at least 28 percent said they were “extremely” worried about cyberattacks as they move to more work from home activity.
A different Threatpost article talked about some of the issues facing organizations as they move to major remote work status.
Organizations have traditionally assumed that their perimeter security provided a strong line of defense and, historically, it has been important. Unfortunately, the rapid move to remote work doesn’t give organizations time to plan for the security implications of the move.
Already researchers are seeing an uptick in coronavirus-themed attacks. This includes remote access trojan (RAT) attacks that quietly take over a user’s system and silently steal their data.
As people work from home, they mix personal and business use of their systems, and they get distracted or forget. The hackers take advantage of that.
Then we have a lack of IT resources. It is much easier to support users when they are located in a company office, on a company network and using company computers. Users will try to figure out how to “fix” things themselves when the help desk is not down the hall.
Home WiFi is, for the most part, a dumpster fire, as are home firewalls – if they exist at all. After all, when was the last time YOU patched your OWN home firewall or WiFi access point? When was the last time you checked the security configuration of those devices?
Any company using legacy, proprietary software is also probably at greater risk. Those systems are often designed to work in a closed environment. The software configuration might have to be changed to even work remotely.
Cyber crooks, however, get to take advantage of everything that they have used in the past to try and trick businesses and employees who are operating in a new environment that no one is prepared for and for which no one had time to train employees on new and different practices.
The bad guys did not waste any time using the Coronavirus pandemic to attack folks who are suddenly Working From Home (WFH) or Studying From Home (SFH). Here is some information to help those of you who are WFH to navigate the perilous path.
Given that many WFH programs were created out of nothing in almost zero time or scaled up from zero to 60, it is no surprise that there might be a security hole or two.
This applies not only to employees working from home but also to students attending school from home.
First of all, hackers are pumping out tons of malicious emails themed around Coronavirus. The malicious emails are compromising systems with password stealing malware and remote access back door software, among other goodies. And don’t forget that old favorite – ransomware. More on that later in this post.
Given how stressed people are, they are likely to forget their security training.
Another challenge for WFH/SFH – making sure that all devices are fully patched. That is going to fall more on the end user now. Companies who have fully automated that are in better shape, but lots of organizations are not set up for that. THIS INCLUDES PHONES AND TABLETS!
Another problem is home and public WiFi. At work, the company can control the setup of company WiFi, but at home it is a bit of the wild west.
For example, when was the last time you patched your WiFi server and your Internet router, modem or firewall?
When did you last have a security expert check the security configuration of those devices?
If your company uses older, in-office systems, they likely do not work very well for remote workers. There is no quick fix for this. It is fixable, but the fix requires new hardware and employee training.
Companies who are in regulated industries such as healthcare, finance or defense have additional problems. How do you continue to comply with the security laws and regulations that these industries have to comply with? In fact, in many of these industries employees are not allowed to work remotely by regulation or law.
To make matters worse, in many cases, IT doesn’t have the right tools to securely assist workers who are no longer at the office. If an employee uses a virtual private network (VPN) to connect to their work network, it usually makes it even more difficult for IT to securely connect back to them in order to provide tech support. Even in cases where it does work technically, many times the company has not bought the right support tools to make this possible.
Of course, employees who are using their mobile devices more open up yet another attack vector. Many phones and tablets are horribly out of date when it comes to security patches. Many phone manufacturers do a crappy job of releasing patches, and for older phones – say more than 2 years old – many times the manufacturer says they are no longer supported and leaves the user wide open to a whole raft of attacks.
Companies need to conduct a risk assessment of the remote work environment to make sure that they understand what new risks the company is accepting.
Companies need to consider whether they even have enough security software licenses such as VPN connections. Employees will create unsafe workarounds if the company can’t provide them tools that are secure.
Here is a screenshot of a malicious email. It pretends to be from the CDC, but the email address in the red box shows that this is not the real CDC. The URL in the second red box looks like it is from the CDC, but if you hover over it, it turns out that it is not.
The spam emails might claim to provide information on the Coronavirus or perhaps provide a way for people to contribute to those who need help. Unfortunately, the only ones these people are helping are themselves.
KnowBe4 published a picture of an email containing a QR bar code asking for donations (see below). If you want to make the folks in China or North Korea rich, you should donate.
This piece of spam, also from KnowBe4, asks you to watch a Coronavirus video.
It promises secret information that the government isn’t telling you, if you buy their book for $37.00.
That is actually good because some of them tell you that you need to update your software in order to view this secret video. In fact the update is software that infects your computer, steals your passwords, empties your bank account, encrypts all of your data or some combination of the above.
In the following email, if you just click on the link, some dude will tell you everything you need to know about the Coronavirus and how to stay alive. NOT!
Suffice it to say, this is a bit of a mess and it is not likely to get any better soon.
Companies will, unfortunately in this time of uncertainty, need to up their security spending. The alternative might be a bit of a train wreck.
If you do need help or have security questions, please reach out to us. After all, we are staying home to stay safe :).