From the Fall 2020 Issue

Remote Workforce, Insider Threats, and the Pandemic

Justin Petitt
Director, Cybersecurity Center of Excellence | Edgewater Federal Solutions

Larry Letow
CEO, U.S. | CyberCX

The COVID-19 pandemic requires organizations and individuals to embrace new practices such as social distancing and remote working. While the world is focused on the health and economic threats posed by COVID-19, cyber-criminals around the world are actively capitalizing on this crisis. Organizations around the world have instituted remote, work-from-home policies.

While some organizations have maintained a robust remote work structure for years, many organizations had few full-time remote workers and typically restricted most employees from working at home. However,  even with organizations that had previously maintained a remote workforce, the breadth and depth of remote work have dramatically increased for all parties. Business units and critical functions that have never been done remotely are now required to operate in a fully remote mode. During these rapid changes, security experts are rightly pondering what new risks are being actively introduced.

Increased Security Risk from Remote Working

With large percentages of employees working from home and students learning virtually, enterprise Virtual Private Network (VPN) servers have now become a lifeline to companies and schools. Their respective security and availability will be a major focus going forward. However, there’s a possibility that an organization’s unpreparedness will lead to security misconfiguration in VPNs, exposing sensitive information on the internet, and also exposing the workstations and servers to Denial of Service (DoS) attacks. A lack of IT qualified, secured resources can bite many organizations as they move to enable remote strategies.

With large percentages of employees working from home and students learning virtually, enterprise Virtual Private Network (VPN) servers have now become a lifeline to companies and schools.

When employees and students are sent outside the normal IT perimeter, managing device sprawl and patching/securing hundreds of thousands of endpoints becomes a much bigger challenge. In addition to this, many users end up utilizing personal computers to perform official duties, and vice versa. This compounds the potential risk to organizations. Organizations should ensure that VPN services are safe and reliable, as there promises to be a lot more scrutiny against these services. Furthermore, employee policies should be both clear and enforced against using personal computers for official purposes.

Phishing campaigns related to COVID-19 are increasing.  For example, many are well-disguised as reputable health organizations. Cybercriminals are sending emails with malicious attachments or links to fraudulent websites in order to ploy victims into revealing sensitive information or donating to fraudulent charities or causes. Attacks like these can propagate quickly and extensively, impacting an entire enterprise network.  Furthermore, these attacks directly contribute to identity theft and submissions of fraudulent claims for payments and benefit programs.

Delays in Responding to Cyber-Threats

The functioning of many security teams is likely to be impaired due to the COVID-19 pandemic and their extra duties. These added pressures make detection of malicious activities difficult at best, while they make responding to these activities even more complicated. Updating patches on systems may also be a challenge if security teams are not operating at typical efficiency. Organizations should evaluate the security defenses they have in place and explore the use of co-sourcing with external consultants. This is especially true for areas where key main risks have been identified.

Influx of Cybercriminals

Globally, many companies are downsizing their workforce to cope with the effects of this pandemic. This level of impact can often be an impetus to encourage the growth of cybercriminals. Those who feel attacked or under-valued may see an opportunity to earn money or just extract their pound of flesh by way of this pandemic. Organizations that are considering laying off staff should enforce proper exit plans, with accessibility and infrastructure components clearly tracked and managed.

Evaluating Insider Threats

With the rise of employees teleworking, organizations have never before been under such significant risk to ensure the security of their enterprise. The average annual cost of insider threats has skyrocketed in the last two years, rising 31% to $11.45M. Under the new paradigm of telework, there is greater opportunity for security incidents and greater data security responsibility with less oversight. Remote work poses its own challenges for enterprise risk managers as well, such as addressing evolving vulnerabilities and threats unique to new environments. One area that will need to be monitored, now more than ever, is that of the Insider Threat.

Risk management and security leaders need to manage the delicate issue of the Insider Threat during a time when many employees have concerns, need support, and require protection. Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy. These concerns at work can be compounded by increased levels of stress outside of the work environment due to worries about the health of their families, livelihood, and uncertainty about the future. Under these conditions, employees might become resentful or disgruntled towards the organization. This could result in occurrences of information leakage as well as the theft of intellectual property.

Employees subject to new working arrangements may well react maliciously due to limited hours, lowered compensation, reduced promotion opportunities, and even expectations of redundancy.

The most significant complication in addressing the Insider Threat in a COVID-19 remote workforce world is that the security controls designed to monitor and capture activity may not be as capable as they were in the traditional on-premise world. Employees may be connecting from new devices and new networks where the security controls aren’t on par, or sharing a network with compromised equipment. Therefore, organizations should conduct an insider threat risk assessment on their critical business functions: How do employees connect to the applications that are in scope? What types of devices are the employees now using? What security controls are in place to capture activity and alert upon suspicious behavior?

In the pre-pandemic world, identifying Shadow IT was easier; outbound web traffic would often be used to identify services procured outside of the IT department. However, that traffic is now being routed through ISPs like AT&T and Spectrum. In response, organizations should work with accounting departments to identify Shadow IT expenses. Once identified, these services and applications should be incorporated into Single Sign-On (SSO) solutions with Multi-Factor Authentication (MFA) enabled. When it comes to identifying insider threats, it is all about visibility. The adage “logs or it didn’t happen” is applicable. Companies must ensure that the tools for monitoring the remote workforce are effectively deployed.

Post COVID-19 Cybersecurity Posture

The COVID-19 pandemic has caused a huge strain on the global economy, with some experts predicting a recession as part of the after-effects of the pandemic. Organizing COVID-19 pandemic strategies might include downsizing by cutting off business lines considered non-critical. This may include cybersecurity operations. However, this short-term plan might prove to be “penny wise and pound foolish” in the long haul, as this will further increase the impact of attacks on the organization. Organizations are advised to update their Continuity Plans and remote working policies/practices whilst prioritizing cybersecurity during the post COVID-19 re-strategizing process.

These potential threats are placing significant stress on many enterprises, who are already operating on tight financial budgets with respect to IT infrastructure maintenance. Personnel and Systems Administrators, already tasked with tremendous workloads, are having to pivot in real-time to address user concerns related to remote access. This is all while ensuring that the strength of the organization’s security posture is robust and sophisticated to prevent unwanted intrusions. Security teams need to adjust their threat detection and response approach to address new threats to networks and endpoints, as the shift to remote working has created different challenges. But this can come at a detrimental cost that potentially leaves the organization open to exposure.

Furthermore, it is becoming increasingly difficult for organizations within the IT realm to provide 24×7 support during this time. Teleworking employees are often challenged to provide the same level of customer support necessary during this period without their full access to infrastructure and resources. This challenge is reflected in the quality of services delivered. Organizations are unable to boost productivity due to constrained budgets and diminishing revenue forecasts. This, in turn, places even greater stress on existing personnel. During this time, it is common that organizations are genuinely re-thinking global operational strategies, including IT policies and procedures. Implementing new guidelines, while essential, requires Systems Administrators to pivot from the help-desk role of assisting employees to focus on longer-term strategies and solutions. With limited funding to augment the workforce, this poses a genuine concern for all organizations.

In an era of cyber-everywhere, with more technological transformation, the use of cloud, and broader networking capabilities, the threat landscape continues to increase. Cybercriminals will look to attack operational systems and backup capabilities simultaneously in highly sophisticated ways, leading to enterprise-wide destructive cyberattacks. Organizations can improve their defense posture and attack readiness with good cyber-hygiene, incident response strategy, architecture, and the implementation of cyber-recovery solutions to mitigate the impact of cyber-attacks. A viable cyber-resiliency program expands the boundaries of traditional risk domains to include new capabilities like employee support services, out-of-band communication and collaboration tools, and a cyber-recovery vault.

COVID-19 will change our lives forever with new work styles, new cybersecurity issues, new proposed policies, personal hygiene, and more. The fight against this pandemic is not just for the organization, employee, or customer; it requires a joint effort from everyone. It is also apparent that after COVID-19, organizations will need to rethink their cyber-risk management measures. Cyber strategies should converge across business, operations, business continuity/technical resilience, and crisis management functions, as well as employ unique methods that reveal network exposures, detection of advanced threats, and discovering systemic Incident Response process gaps. Organizations should ensure their detection and alerting capabilities are functional while keeping an eye on the impact of having many remote workers. lock

Larry Letow Justin Petitt

Leave a Comment