Author:Tara Seals March 19, 2020
A poll of Threatpost readers shows that security preparedness is uneven as organizations make an unprecedented transition to remote working.
As the COVID-19 pandemic continues to sweep the globe and Americans are told to isolate from others, many organizations are sending employees home to work. While most respondents in a Threatpost poll this week said they feel prepared from a security standpoint for this transition, a fifth of them said they’re still struggling with the process.
At the same time, a full 40 percent of those companies reported seeing increased cyberattacks as they enable remote working.
In a survey of more than 200 Threatpost readers, about half (52 percent) said that their organizations are mostly prepared, but still have groups of employees that present security challenges for work-from-home (WFH) strategies. Only 30 percent said they feel fully prepared to move to all-remote working.
Further, 13 percent said they are only ready to move a minority of workforce/students to online platforms; and 5 percent said they’re not prepared at all.
These stats come as a not-so-healthy 40 percent said they’re seeing more attacks on their remote footprint.
“Honestly, [all kinds of attacks] happen on a daily basis,” said one poll-taker. Another said that there have been “many attacks, no penetrations we are aware of.” Yet another noted, “attacks come in everyday, especially social engineering and automated scans.”
Phishing or other social-engineering efforts are far and away the main threats that respondents have seen, with about a quarter (23 percent) reporting these kinds of attacks. About 10 percent said that they’ve seen an uptick in coronavirus-themed scams. That said, the good news is that business email compromise (BEC) attacks and data exfiltration were reported by less than 3 percent of respondents; and less than 1 percent said they have been affected by ransomware.
Entrepreneur Dmitriy Akulov told Threatpost that cyberattacks should be top-of-mind, even if some of the more disruptive types have yet to rear their heads.
“[This could] really compromise your team and business,” he said in an email interview. “Also, it’s important to keep in mind the daunting task that comes with having multiple workers signing on to non-safe connections, such as [personal] Wi-Fi. It’s easier to secure a network with everyone is in one place. Forget about how hard it is to secure your employees on a global level.”
A Look at Preparedness
For 70 percent of respondents, enabling remote working is fairly new. A third of respondents said that less than 20 percent of their user bases telecommuted before COVID-19 social distancing started; another third said they only had a handful of remote workers who telecommuted, and then only as needed. Another 11 percent said only “road warriors” worked remotely.
In contrast, by the end of this week, 81 percent said that at least 50 percent of their workers will be WFH.
In terms of whether security teams had an emergency plan in place to shift an on-premise workforce to one that is remote (say, as part of an existing disaster recovery plan), about half (47 percent) said they did not. About 41 percent said that they did, and that it’s been successful; and 11 percent said they did, but that the plan was out of date or insufficient.
Amidst all of this, a full third (28 percent) of respondents said they were “extremely” worried about cyberattacks as they move employees or students to home working. Half (55 percent) said they were “somewhat” concerned. For the other 17 percent, security is a back-burner issue or not an issue at all.
Challenges and Weak Links
The challenges involved in securing a work-from-home footprint can be myriad, according to security professionals. For instance, a lack of IT resources can bite many organizations as they move to enable remote strategies. And when workers and students are sent outside the normal perimeter, managing device sprawl, and patching and securing hundreds of thousands of endpoints, becomes a much bigger challenge.
In the Threatpost survey, end-user security awareness was the top challenge cited by respondents in securing their remote footprints, with 43 percent noting the issue as their No. 1 concern. The next-biggest concern was housing sensitive data off-premise and transmitting it via the open internet (cited by 20 percent). Just 10 percent said patching and updating was the largest challenge; followed by lack of footprint visibility (9.35 percent); mobile security (6.54 percent); and the cost of VPNs (6 percent).
On a related note, Threatpost asked about weak links. Accordingly, a lack of end-user security awareness was cited by half of respondents (51 percent) as the weakest piece of the puzzle, dovetailing with the perceived security challenges.
“It’s key to take some time out and train a remote worker,” Akulov told Threatpost. “Don’t simply expect them to work from home the same way they work from your offices. It can help both security and productivity if you take some time to train properly and provide your employees with key security software that can keep them (and your company) safe.”
In terms of securing sensitive data, 58 percent said they have specific concerns arising from working in a regulated industry. About a quarter (24 percent) handle financial information, while 17 percent handle healthcare information. Poll-takers also said they work with customer credit-card data, student records, government data, and the security of oil/gas/operational technology environments.
Meanwhile, a quarter of poll respondents (26 percent) said they’re nervous about home Wi-Fi and network security, and personal devices and BYOD was the top weak link for another fifth (19 percent) – these results contradict the low number of respondents who saw outside networks and mobile devices to be security challenges.
When it comes to the cloud and SaaS applications, just 4.29 percent of respondents said they consider these technologies a weak link. And a full 55 percent of respondents said that cloud security has not become more of a focus as their user base goes remote – even though, presumably, cloud and SaaS technologies are underpinning many of their teleworking efforts.
However, security pros said this area deserves a much-larger security focus – especially given that employees will be tempted to use their own SaaS apps to accomplish their work.
“Security teams need to work closely with stakeholders to ensure all cloud environments are secure, and avoid the shadow IT trap,” Otavio Freire, CTO and co-founder, SafeGuard Cyber, told Threatpost. “It’s a matter of empowering your employees to use these apps securely so they can do their best business, not saying ‘no’ to ignore the problem. Instead, teams should work together to understand what tools are needed to conduct business, and why they need them. By developing a close relationship, you avoid being asked for approval at the last minute, or worse, finding out the team adopted an app without asking.”
He added, “Cloud security is evolving, your security solution should too. Start by taking an inventory of your cloud apps and extend your security policies to those environments.”
Securing the WFH Footprint
In terms of best practices for securing remote footprints, ensuring device security was the top strategy among Threatpost poll respondents, cited by 34 percent. End-user security education was close behind (33 percent), followed by implementing a zero-trust approach (20 percent); taking inventory of the devices attaching to the network (10 percent); and performing risk-assessment on an employee-specific basis (4 percent).
When it comes to the end-device security efforts that respondents have undertaken, a fifth of respondents (22 percent) have required multifactor authentication for all SaaS, mobile and cloud applications. About 11 percent have provided secured laptops to users; and 5 percent or fewer said they have implemented mandatory antivirus, hardware tokens or mandatory strong passwords. However, the percentages should be taken in the context that a full 30 percent said they have done all of these things, not just one or a handful of them.
On the VPN front, only 37 percent are requiring workers to use VPNs to access corporate resources. Some respondents said they’re using alternatives to VPNs, such as direct access via a cloud service, or Citrix remote desktops.
David Wolpoff, CTO and co-founder at Randori, noted that organizations should be prepared for hackers prioritizing breaking into VPNs.
“To prevent that, patching known bugs is step one (and absolutely critical), but it’s not enough,” he said via email. “There are unpatchable weaknesses and non-public issues that hackers can exploit. To secure against these unknowns, companies need to look at the fundamentals. Specifically, segment your network…your VPN shouldn’t be able to talk to everything. And, “least privilege” should be your standard. Don’t let users or systems have more access than they need….Your VPN should land into a ‘DMZ’ that lets users have the minimum access.”
Given that the coronavirus pandemic shows no signs of abating soon, organizations will continue to build out their WFH strategies. Some readers told Threatpost that the process has actually offered up a few security-related silver linings. In fact, 67 percent said they’ve seen positive outcomes in having a majority remote workforce.
One reader found that it’s now easier to force security compliance as a contingency of being able to connect; another noted that it has given the security department an excuse to push through resistance to other cyber-improvements. Another similarly noted that the effort has brought security awareness to the forefront with management, and the process has reinforced the need for emergency response planning, disaster recovery and business continuity technology investment, and multi-factor authentication.
“Lessons learned: Practice disasters before they happen,” concluded one respondent.