By this point in 2020, most of us feel like runners who left the starting line expecting a 5K and realized we were actually running a marathon. Or an ultramarathon. Or Forrest Gump’s open-ended run across America. Who actually knows? Every week forces a new revision of our pace and overall strategy as the finish line keeps running away from us.
Much of the IT world is still living on stop-gap measures thrown into place in March when it became obvious that ideas about a dispersed workplace were materializing in the span of a week or two. Arizona State University research shows that about 13% of employees worked from home a few weeks before COVID. Now, about 66% of people who still have jobs are working from home.
The old analogy of building a plane while we’re flying it doesn’t even cover the full challenge. Thanks to hackers, we also have people trying to hijack the plane we’re building in mid-flight.
Pratum’s cybersecurity experts have been working daily during the pandemic to help clients adjust to 2020’s constantly revised realities. Here are some key lessons we’ve shared with clients so far:
It’s time to focus on long-term solutions. We can all give ourselves a pass for thinking that the dispersed workforce would be a two-to-three-month phenomenon. But now that we’re hitting five months with no end in sight, it’s time to work on sustainable setups. That requires an investment. It will probably take weeks of discussions among multiple stakeholders to address all the implications of a much larger percentage of employees in a work-from-home environment. Company leaders must be ready to devote those resources to the job.
The “data-centric” mindset is now. Many IT leaders had already started shifting cybersecurity architecture from a focus on devices to the data itself. But the pandemic’s current has pulled in even late adopters. Business now happens in the cloud on a wide array of devices, many of which companies don’t own. That’s forcing IT teams to reconsider how to protect critical files, wherever they travel.
The cloud has its own requirements. Practically overnight, organizations nationwide shifted systems and processes to the cloud or provided remote access before proper security reviews could be completed. Unfortunately, many failed to properly configure their systems, leaving open doors for hackers. This spring, for example, researchers found a real estate database on Google Cloud that required no password or authentication. It contained detailed information on more than 200 million American homeowners.
Personal devices are part of the plan. Most IT teams built security policies for a handful of remote employees, not an almost entirely remote workforce. So revisions are in order to account for a wave of personal device usage that goes far beyond BYOD (bring your own device) phones. Hackers aren’t waiting around for companies to plug the holes. Ransomware attacks have spiked this summer. And one attack earlier this year penetrated a company’s mobile device management platform, giving the attackers access to nearly every connected device.
Social engineers thrive on disrupted processes. Hackers are also capitalizing on the muddled processes that come with dispersing a workforce for the first time. At the beginning of 2020, an office worker who got an unexpected e-mail about an invoice might have shouted over the wall to confirm the payment with a co-worker or manager. Now the communication requires a phone call or e-mail, which may or may not clarify things, and may not even happen. Hackers are counting on that.
Phishing season is wide open. By some estimates, phishing attacks are up 70% since the spring of 2020. Social engineers have long recognized that remote employees often make easier targets since they may feel less connected to the organization and could be less aware of security best practices. Hackers also keep honing their phishing strategy with messages tailored around research into specific organizations and individuals. In today’s phishing e-mails, the tip-off may be as subtle as a mismatched font or referring to someone who goes by “Steve” as “Stephen.”
Clearly 2020 is forcing all of us to rapidly adjust plans while the ground shifts under us.