Cybersecurity and the remote working era
The second article in our series exploring the digital transformation, Baker Tilly probes cybersecurity challenges for the remote workforce.
Back when organisations resided in offices and centralised locations, business leaders spent billions of dollars locking down firewalls and keeping servers safe, or offshoring their data.
By the end of 2019, more than US$121 billion was being invested in information security and risk management technology, with security services, infrastructure protection and network security equipment making up the bulk of the sector.
But now the dynamic has changed. More than 60 per cent of the workforce is delivering at least some of their work from the home office, or the kitchen table of their share house – environments not recognised for their strong cybersecurity set-ups.
Information security spending still rose in 2020 to US$123 billion, amid the spread of the COVID-19 pandemic, but spending on network security equipment declined, while there was sharp growth in cloud security outlay.
Despite this expenditure, cybercrime soared during the pandemic. In the US alone, suspected internet crimes climbed 69 per cent during 2020, with everything from phishing scams to ransomware costing an estimated US$4.2 billion in losses.
It’s reasonable then to ask – is the technology failing organisations whose employees have been working from home, or is there something else?
“It’s really interesting on the work from home front, because it’s not as hard as people think to properly secure remote employees, it’s usually an organisational choice,” says Jeff Krull, Partner-in-charge of Baker Tilly US’s cybersecurity services team.
“Everybody thinks that security is about spending on the technology and that people are ‘hacking in’ using these really crazy sophisticated mechanisms.
“But when you start paring back some of what actually happens in most breaches, the root cause is that organisations are often reluctant to put in the proper safeguards.
“Not because they cost a lot of money, but because they don’t like the cultural impact.”
Cybersecurity’s weak link isn’t always technology
More than half of Baker Tilly’s client base report a basic or below-average understanding about the cybersecurity risk of working from home, according to a recent survey assessing the digital transformation impact on clients.
The rush to set workforces up to work remotely often came at the expense of security, and the biggest increased risks in remote working that Baker Tilly firms saw among their clients were phishing attacks (59.6 per cent of respondents) and unauthorised access (51.1 per cent).
One respondent told the survey that cybersecurity wasn’t a primary concern for clients during the remote work switch, with the focus on keeping production going rather than putting in safeguards.
Organisations are trying to mitigate risks by relying on staff to comply with security policies (60.9 per cent) and increasing staff training (58.7 per cent), as well as relying on detection systems (41.3 per cent) and third-party vendors (39.1 per cent) and increasing remote support (39.1 per cent) to identify threats.
But staff will only be as effective as the culture that exists within the organisation. Mr Krull says many organisations that are hit by cybersecurity and data breaches already knew about the weaknesses before they were breached.
“There was almost an implicit decision that, ‘we know this is a risk, but we’re not going to run harder and faster to close that risk down’,” he says.
“Again, in my experience, that’s because closing down that risk will create some changes to the business workflow practices. That’s the challenge, the desire to embrace good security practices.
“The practices themselves are not hard to find and from a technology standpoint, they’re usually not hard to implement. It’s getting people to be willing participants, that’s the hard part and that takes executive buy in, not technology buy in.
“But too many executives go down the opposite path and say, I don’t want my people to have to put in a token on their phone and prove it’s really them, or I don’t want to limit who can access what, I want people to be able to use some file sharing site from anywhere.
“If your people can use any device to access that file sharing site, guess what, if the bad guy gets in, they can access the same thing from anywhere.”
Prevention from ransomware attacks is serious business
Ransomware is gathering headlines all over the world as criminals extort huge sums out of organisations to unlock their computer networks.
A US oil network was forced to shut down in May after hackers broke into the Colonial Pipeline, which resulted in a US$4.4 million payout to bring the operation back online.
Meat supplier JBS paid a US$11 million ransom in June after the production plants that process roughly one-fifth of the US meat supply were knocked out.
Ransomware is one of the biggest cybersecurity threats businesses can face, says Marcello Smalbil, Director of IT Advisory at Baker Tilly Netherlands, because unprepared businesses have few options.
“It’s a serious problem, it is something that our clients need to prepare for and have sufficient measures in place to prevent it from happening,” he says.
“But if it does happen, they need to have measures in place to recover.”
To prevent a ransomware attack, business leaders need to think like the bad guys, because they are thinking like a business.
“Ransomware is just another business model for criminals, and you can think of their targets as clients,” he says.
“They try to encrypt as many clients as possible, then ask for fees. But importantly the fees do not allow the victim to go bankrupt.
“It is a trade-off between paying the ransom or being able to recover to a reliable operational environment in time. It’s a matter of costs. Victims pay the ransom, when it’s cheaper to pay than to try to recover from the attack. And that’s the way the business model works.
“If the ransom was too high, then everybody would say, I will try to recover it another way.
“But if the ransom is low enough, then most people say they will pay the ransom, then I will get the key and get advice about how to prevent it from happening again.”
Ransomware can be prevented but it requires organisations to disrupt the criminal business model – and it begins with hardening the organisational culture.
“The first step to take is to be aware that it can happen to you and to train your people not to click on everything they see in an email, among other things,” Mr Smalbil says.
“You also need to harden your systems – so for instance any protocols or services you don’t need for your operation to function should be disabled.”
A back-up strategy is also crucial because cyber crooks rely on businesses not having one or having a vulnerable one. Mr Smalbil suggests following a 3-2-1 rule as a good guide – it states that organisations should have:
- Three copies of the data, a primary and two backups;
- Two of them should be stored on different storage media;
- One should be offsite, physically and/or in the cloud.
“Without the data being backed up, organisations are hamstrung with very few options if they are subject to an attack,” Mr Smalbil says.
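As an added illustration of the 3-2-1 rule above (not code from the article or from Baker Tilly), this script audits a constructed backup inventory and reports, per dataset, which of the three conditions is unmet. The copy attributes, dataset names and the convention that "onsite" marks a local copy are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    media: str      # e.g. "disk", "tape", "object-storage"
    location: str   # "onsite" or a named offsite location / cloud region


# Constructed sample inventory (assumption, not from the article):
# every entry is one copy of a dataset, the primary included.
INVENTORY = [
    BackupCopy("finance-db", "disk", "onsite"),              # primary
    BackupCopy("finance-db", "tape", "onsite"),              # local tape copy
    BackupCopy("finance-db", "object-storage", "cloud-eu"),  # offsite cloud copy
    BackupCopy("hr-files", "disk", "onsite"),                # primary
    BackupCopy("hr-files", "disk", "onsite"),                # same site, same media
]


def check_321(copies):
    """Evaluate one dataset's copies against the three 3-2-1 conditions."""
    media_types = {c.media for c in copies}
    offsite = [c for c in copies if c.location != "onsite"]
    return {
        "three_copies": len(copies) >= 3,     # primary plus two backups
        "two_media": len(media_types) >= 2,   # two different storage media
        "one_offsite": len(offsite) >= 1,     # at least one copy off the premises
    }


def audit(inventory):
    """Group copies by dataset and run the 3-2-1 check on each group."""
    by_dataset = {}
    for c in inventory:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: check_321(copies) for name, copies in by_dataset.items()}


def failing_rules(inventory):
    """Return only the datasets that violate the rule, with the unmet conditions."""
    return {
        name: [rule for rule, ok in result.items() if not ok]
        for name, result in audit(inventory).items()
        if not all(result.values())
    }


if __name__ == "__main__":
    for name, gaps in failing_rules(INVENTORY).items():
        print(f"{name}: violates {', '.join(gaps)}")
```

In the constructed inventory, hr-files has only two onsite disk copies, so all three conditions fail, while finance-db passes.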
Attacks start with credential theft
Hackers are looking for weaknesses to get into organisations and for many attacks, it starts with a user’s email and password.
Compromised credentials – that is, a stolen login and password – account for 61 per cent of breaches, and it is how many ransomware attacks, such as the Colonial Pipeline attack, take root.
Yet a good solution to preventing credential theft is a simple one, says Mr Smalbil.
“One of the best solutions I can think of is multifactor authentication,” he says.
“We see a lot of clients that only use a user ID and a password, and we always advise to introduce multifactor authentication if possible because then, the whole problem of forgetting or writing down difficult passwords is gone.”
Mr Krull says organisations should never need to rely on a single control or protection to keep something bad from happening.
“If you look at the lifecycle of ransomware, everybody views it as, ‘somebody broke in and put this ransomware in that locked up somebody’s computers’. The reality is, there’s multiple levels that typically go wrong for that to be successful.
“There’s this whole lifecycle of controls to prevent ransomware but inevitably what you hear is, hey, somebody hacked into an account and put this ransomware there.
“You don’t hear that there was a whole lifecycle of controls, that there were probably multiple failure levels before that ransomware was successful.”
Many company leaders are fixated on one area when they do suffer a cybersecurity threat or breach and Mr Krull likens it to a home break-in.
“If somebody breaks in and the bad guy launches ransomware or whatever it is, then the company will go right to that spot and say, there it is, there’s a broken window with a lock that they undid, that’s how they got in, let’s put some plywood up to fix that window,” he says.
“What they should be saying is, do we have any other windows unlocked? Do we have any other doors unlocked? Do we have any doors just sitting open? But they don’t, they just focus on that window.
“Any good organisation will say, let me holistically check all the windows, check all the doors and think about what I’m doing.
“There is a mad rush a lot of times after the fact, and unfortunately sometimes those mad rushes are good because there’s the appetite to enforce some of those cultural changes.”