How can organisations, suddenly forced to adopt mass home-working, shore up their cybersecurity defences against cybercriminals?
Inevitably there are innumerably more losers than victors during black-swan events. But those who triumph, through incredible luck or agility, win big and fly high. In a trice, organisations were forced to embrace company-wide home-working in late-March and fumbled to activate contingency plans. When the coronavirus began to throttle businesses, video-conferencing tools breathed new life into them. And one, in particular, reigned supreme. Zoom became a household name, in more ways than one. But what about cybersecurity
Fittingly, the enablement of virtual collaboration and communication with loved ones was at the forefront of Eric Yuan’s mind when, in 2011, he launched video conferencing app Zoom Video Communications, which by the end of March had more than doubled in market value to $42 billion (£33bn) since the start of the COVID-19 pandemic. The organisation’s 50-year-old Founder and Chief Executive came up with his idea as a lovesick student in China in the 1990s; he would spend 10 hours on the train visiting his then-girlfriend, now his wife.
Zoom, among other digital collaborative tools – including Microsoft Teams, Google Hangouts, and Slack – has skyrocketed in popularity around the world. Apptopia found that Zoom was downloaded 2.13 million times across the globe on March 23. That was the day the lockdown began in earnest in the United Kingdom, whose stricken Prime Minister Boris Johnson conducted cabinet meetings via the app, before being rushed to intensive care with the virus. Two months earlier the download figure was a more modest 56,000.
The company came back down to earth, however, when the fashion for “Zoombombing” was revealed in early April. Unidentified individuals were hijacking meetings and spewing hateful language or sharing graphic images. While the trend of Zoombombing was unfortunate for Mr Yuan, people suddenly realised that people with malicious intentions could dial into their business meetings. A red flag was hoisted, and the question was raised: is data privacy handled with appropriate care?
So how do businesses and – given Mr Johnson’s dependence on Zoom – governments ensure data privacy measures are in place to prevent cyber attacks that will only accelerate given the added vulnerability of home-working?
Need for Speed
Thousands of businesses around the globe have had to embrace mass home-working, effectively overnight. Given the need for speed, it’s understandable that data privacy policies are playing catch up, though it is worrying that so many companies had a standing start.
“Many organisations are deploying work from home in a very short timescale, and the initial priority is to keep things accessible and working,” says Javvad Malik, Security Awareness Advocate for KnowBe4, a leading training platform. “Fortunately, the tools and technologies needed to keep information secure and private with remote working exists, and so it is a case of ensuring IT teams deploy them properly and users are provided the proper awareness and training.”
- GDPR Second Anniversary: Calls for Data Protection Regulation to be Tightened as Remote Working Increases Vulnerabilities
Mr Malik continues: “Many times when we see a privacy breach, it’s less due to a technical issue, and boils down to human error, often exasperated by the lack of a positive security culture within the organisation.”
Duncan Godfrey, Senior Director of Security and Compliance at Auth0, believes now is the time for IT teams to earn their corn. “Remote access software has been around for some time, and it’s a real old-school threat vector,” he warns. “Hackers’ and pen testers’ eyes light up when they find an open Remote Desktop Protocol (RDP) because they know their job just got easier. For security professionals, though, it’s a headache for several reasons. Firstly the software is typically very prone to vulnerabilities. It’s also straightforward to set up remote access for legitimate reasons or otherwise.
“One thing that businesses rarely consider when setting up remote access for employees is the access providers have to their data. Not only with regards to the data they are sending over their networks, but they’ve also opened up a new route into their network: if the provider suffers a breach, they’re now at risk too.”
A Perfect Storm
It is a “perfect storm” that businesses face as cybercriminals take advantage of the dramatic switch to home-working, according to Andrew Jackson, Chief Executive of Birmingham-based communications and technology company Intercity Technology. “While firewalls included within domestic broadband routers are considered sufficient for personal use and occasional home-working, they’re not necessarily capable of withstanding prolonged periods of remote-working from a large proportion of the workforce,” he says. “No wonder we are seeing more businesses and their employees become the targets of malicious hackers.”
So how, then, can organisations keep their data secure? Myles Bray, Vice President EMEA at Forescout, a device visibility and control company, argues that businesses should have prepared for this scenario. He posits those who have set up a “zero trust” model will be more confident than most. As John Kindervag, field chief technology officer at global cybersecurity giant Palo Alto Networks, says: “Trust is always a vulnerability in a digital system.” He would know, having pioneered the concept of “zero trust” – trust nothing, verify everything, and use micro-segmentation – and coined the term in 2009 while serving as a vice president and principal analyst at Forrester Research.
“The zero-trust model is an essential security practice that will help businesses maintain a high level of security during this time of mass remote working,” says Mr Bray. “This approach centralises around the idea that no device should ever receive automatic access to a network and should have to verify itself to get that privilege, which is particularly important if personal devices are used to do professional work.
“Network segmentation is another way to ensure that organisations have a high level of security. It allows the security team to lockdown one device or user which is acting suspiciously, stopping it from potentially moving laterally through the network and keeping the rest of the network fully operational.”
Quick and cheap cybersecurity wins are available, too: installing and activating virtual private networks (VPNs) on devices, for instance. “Previously, the average employee, outside of IT, would not have been asking employers for VPNs as they headed for home, but they play an integral role in creating secure, encrypted tunnels back to office systems,” adds Mr Bray.
Ultimately, the home-working trend sparked by COVID-19 should lead to better cybersecurity and data privacy strategies in the long run. In the short term, when new tools are embraced, business leaders – and politicians like Mr Johnson – need to be wary. Trust, empowerment and investment must be handed to security professionals – now is their time to shine.