When COVID-19 hit, organizations quickly turned to remote work to keep their businesses afloat. But many didn’t realize how vulnerable this move made them. Sungard Availability Services’ (Sungard AS) Asher de Metz, Security Consulting, Senior Manager, and Richard Hahn, Consulting Manager, Information Security, join IT Availability Now to break down the impact the pandemic has had on cybersecurity and the challenges remote working presents to security teams:
- How remote working can undermine a company’s overall security posture
- The relationship between the pandemic and cyberattacks
- Simple, impactful steps businesses can take to protect themselves
Oliver Lomer is a Senior Solutions Marketing Manager at Sungard AS, where he illustrates business challenges and how technology can solve them through engaging content. Oliver has six years’ experience in marketing, commercial and sales enablement roles in global technology organizations.
As Security Consulting, Senior Manager at Sungard AS, Asher de Metz helps companies identify risks and secure their systems by conducting security audits and tests to avoid cybersecurity attacks. With almost 20 years of experience in information technology and security, Asher has been involved in hundreds of IT-security projects and has provided security counsel to some of the largest companies throughout the U.K., Europe, the Middle East and North America within the financial, government, retail, healthcare, insurance and manufacturing industries.
With over 20 years of experience in information security and risk management, Richard Hahn has extensive experience developing security and privacy programs, performing security assessments, delivering vulnerability management and data governance solutions, and more. As Consulting Manager, Information Security at Sungard AS, Richard advises organizations on information security solutions and the health and protection of organizational data.
The full transcript of this episode is available below.
OLIVER LOMER (OL): COVID-19 has opened new vulnerabilities for hackers. From unsecured work-from-home environments to a surge in phishing attacks, organizations must rethink their approach to cybersecurity on top of everything else. I’m your host, Oliver Lomer, and this is IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available. Today we’re talking about the impact COVID-19 has had on cybersecurity: How remote work has created new challenges for security teams, and the new threats they’re facing. I’m joined by Asher de Metz and Richard Hahn. Asher is Security Consulting, Senior Manager and Richard is Information Security Consulting, Manager at Sungard AS. Welcome to the show.
RICHARD HAHN (RH): Thank you for having us.
OL: So, Asher, Richard, as we all experienced, COVID-19 forced businesses and organizations to rapidly implement remote working. So, what has this huge transformation, this huge shift, meant for their overall security stance and their security posture?
ASHER DE METZ (AD): Well, some companies were prepared to work from home, but many weren’t. I’ve seen a lot of companies that didn't have the right infrastructure, bandwidth, or security measures in place to make a smooth transition to remote work, and as a result, the shift left huge vulnerabilities in its wake. Employees are connecting to resources in a completely different way than they were before, and that’s opened up new vulnerabilities such as the use of personal devices at home, less secure home networks, shadow IT, and of course a greatly expanded network perimeter that's much harder to defend. Additionally, IT staff were and are swamped. And this leaves them with less time to focus on monitoring and responding to alerts and attacks. There have been reports that some teams didn't even have the bandwidth to investigate things like phishing emails. And to illustrate this, in April, the (ISC)² annual survey of security practitioners showed that nearly half of respondents had been fully or partially taken off security duties to assist with other IT-related tasks, and 15% said their security teams didn't even have the resources they needed to support a remote workforce.
RH: And to that point, now resources are scarce, but the threats have actually increased since the onset of the pandemic and the large-scale shift to remote working. Cyberattacks have greatly increased across the world, with more employees working from home. Ransomware attacks alone are up 109% in the U.S. in the first half of the year. Cyberattacks related to COVID-19, for example, grew from fewer than 5,000 a week in February to more than 200,000 a week in April. All of these cyberattacks have increased by 34% in May and June compared to the same period in March and April. In addition, here's another one: 60% of all email in May or June was reported as being fraudulent by Bitdefender. So, again, at the same time that you have resources being low, the threats and the demand on IT security practitioners has greatly increased.
OL: So it sounds like there are a lot of stats that show the risks are going up and certainly there's been lots of news stories to that effect but on the other hand, companies are saying by and large that remote work has been going quite well since the start of the lockdown and beyond. So, do you have any insight on the success rate of cyberattacks during the pandemic?
RH: I wouldn't say that remote work is going quite well from a risk perspective. A lot of times, successful attacks go unreported for long periods of time, and some companies might not yet be aware that they've suffered a breach. For example, the Department of Health and Human Services saw a great increase in reported breaches between February and May, actually a 50% increase year over year, and the FBI cyber division has received three to four times as many daily complaints as it did before the pandemic.
OL: Okay, so it sounds as if there's real data showing that the risks really are going up and there's been an increase in attacks. So, with this increase and with the new work environment, what concrete steps can organizations take to protect themselves in this new risk environment?
RH: There are quite a few steps. Let me give a little bit of context to that. Before the pandemic, offices were built to enforce complex privacy controls. If employees are using home devices, you don't know what's on those devices, and you also don't know what other systems are on the network. So, you have this slew of other systems, without the proper segmentation controls and without visibility into the computing environment, that are now closer to your office network. So, in summary, your work from home actually bypasses your ability to enforce those complex privacy controls. So you actually need to have sound controls, because hackers are taking advantage of the chaos and the lack of dual controls and are exploiting single points of failure. For example, I like to talk about the Twitter hack. The Twitter hack happened because there was a tool that gave one administrator the ability to make changes to a verified account. And verified accounts in the Twitter world are the stars. This kind of power was exploited to give the hackers an opportunity to take advantage of that tool and take advantage of the chaos from the overnight change in the way that companies do business.
AD: Yes, indeed. What companies need to do is focus on the basics, the absolute essentials that have always been needed. These are things like patching, passwords, hardening, all of the basic essential elements. This is where companies get caught; this is where they get hacked. Also, it’s really critical for companies to remove power from any single employee, so they don't have the ability to make mistakes and give something away to an attacker. This is a way of inoculating themselves against an attack. So one thing companies can do is ensure they have MFA (multi-factor authentication) on anything that's critical, especially on the internet-facing systems, such as email and VPNs. Alongside that, it's really critical for companies to implement really strong egress filtering. So what we're doing here is we're removing as much risk as we can to inoculate users against attack, and then beyond that, what we need to do is educate the employees to cover the rest of the risk. It's also really important to align oneself to a security framework, such as NIST or ISO, and this is really going to help companies get a handle on security – on what they're doing and what they need to do. And it's going to have the added benefit of enabling them to track improvements over time and also to demonstrate a return on investment.
OL: Okay, thanks. It sounds like there are some interesting steps there. As we know, right now with everything that's going on in the economy, lots of organizations are under pressure; they're having their budgets frozen or having their budgets cut. So what would you say to those organizations? Should they focus on these basic steps, or where should they prioritize their efforts and their budget?
RH: Right off the top, I would advise CISOs to double their budget for employee security awareness and education training, notably around phishing attacks and ransomware. The second thing I would do is recommend that leaders of security programs build a metrics program that shows your return on investment for implementing security controls. This helps show that you're not so much a cost center, but instead a business enabler. The reason is, you're going to be battling for your budget, and if you can't articulate your program's ability to recognize risk in a way that's quantifiable, then you're going to be in a tougher spot to defend that budget. Now, metrics programs are always rife with questions of what metrics to use. I love using a top-list format, like a top five, but I seem to land on eight, not only five. Now, the areas that I like to focus on are monitoring employees' privileged use. I also recommend that security investigations over a period – whether that period is annual or quarterly depends on the churn of your business and the threat profile of your business – are also put in your metrics program. Incident time to detect and respond – that is an area that might be hard for some organizations because they may already have attackers in their network that they don’t know about, but I still recommend that they put this in their security metrics program. Incident time to recover – that metric is a little more applicable to business functions because that includes a hard time of actually getting back to business. I also like to profile the number of systems with known vulnerabilities, which, in many cases, is also technical debt, but should not be forgotten in your metrics program. Third-party review is an area that is probably more critical in the remote-workforce world because of the expanded use of cloud and cloud services (including software-as-a-service as well).
I recommend that people not just get a report from their third-party suppliers and check the box off, but that they take some time and look at those reports and highlight areas that cause concern and work with those third parties on mitigating those areas. Another area that I see as critical to maintain in a metrics program is your number of SSL certificates that are configured incorrectly. Again, using more cloud services, this becomes a more important area than it would be if you're having systems in-house. And last but not least, track the number of exceptions you've put in your policy that you've had to do to support remote work, whether that's password resets being disabled, whether that's putting a pause on your annual cybersecurity tabletop exercises, or your disaster recovery work, disaster testing and the like. A lot of companies had to put exceptions in place to support remote work, thinking that maybe this is going to be a short-term event, but this is not a short-term event. So you need to monitor what you've done to support remote work and increase risk, and track that in your metrics so you can work to reduce that risk moving forward.
OL: Thanks Richard. Jumping ahead a bit, what impact will the pandemic have on security in the coming years? What do you expect will be the long-term fallout, and how can companies prepare?
RH: I see air-gapped backups as a long-term area. Notably, tape backups are seeing a bit of a renaissance, and that's because the technology is better and it's a little bit more cost-effective. Ransomware does not appear to be slowing down anytime soon, and even as companies move applications to the cloud, air-gapped backup will really be your key control for mitigating ransomware and other wormable threats. Also, supplier management will be key, especially as companies take on more cloud suppliers for productivity and collaboration tools. Also, one area that companies need to put some emphasis around is policies for video and microphones. Everyone knows how to use teleconferencing tools, but they could inadvertently divulge company secrets by saying something on a hot mic or having some information leaked through the background of a video shot.
AD: Yes, that’s critical, Rich. And more and more companies will see the value of being in the cloud, but they need to make sure everything is more secure. Security will be focused less on a single office environment and more on the thousands of office environments where employees are taking the endpoints. You can’t control the home networks where employees take their laptops, so what we really need to do is enact strong policies around those devices.
OL: Well, thank you both for your insights from the front line of cybersecurity. These are certainly interesting times, and I think it's fair to say that we’ve yet to see the full security impact unfold. So, as many organizations continue working remotely in the wake of COVID-19, they must reevaluate and adjust their security programs to account for changes in work environments and the security landscape. What's been clear from our discussion is that, firstly, ransomware and other attacks are on the rise, and companies need to focus on the fundamentals of security that Asher mentioned, such as patching and password security. And education, access and privacy controls, supplier management, and backups will be key both now and moving forward. And it's as important as ever to show the hard results of your security program with defined and agreed metrics and KPIs. So on that, let me wrap up by saying: Asher, Richard, thanks very much for joining us.
AD: Thank you.
RH: Thank you for having us.
OL: Asher de Metz is Security Consulting, Senior Manager and Richard Hahn is Information Security Consulting, Manager at Sungard AS. You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow. Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available. IT Availability Now is a production of Sungard Availability Services. I’m your host, Oliver Lomer, and until next time, stay available.