In the second article in our series exploring digital transformation, Baker Tilly probes the cybersecurity challenges of the remote workforce.
Back when organizations resided in offices and centralized locations, business leaders spent billions of dollars locking down firewalls and keeping servers safe, or offshoring their data. By the end of 2019, more than US$ 121 billion was being invested in information security and risk management technology, with security services, infrastructure protection and network security equipment making up the bulk of the sector.
But now the dynamic has changed. More than 60% of the workforce is delivering at least some of their work from the home office, or the kitchen table of their share house – environments not recognized for their strong cybersecurity set-ups. Information security spending still rose in 2020 to US$ 123 billion, amid the spread of the COVID-19 pandemic, but spending on network security equipment declined, while there was sharp growth in cloud security outlay. Despite this expenditure, cybercrime soared during the pandemic. In the US alone, suspected internet crimes climbed 69% during 2020, with everything from phishing scams to ransomware costing an estimated US$ 4.2 billion in losses. It’s reasonable then to ask – is the technology failing organizations whose employees have been working from home, or is there something else?
“It’s really interesting on the work from home front, because it’s not as hard as people think to properly secure remote employees, it’s usually an organizational choice,” says Jeff Krull, Partner-in-charge of Baker Tilly US’s cybersecurity services team. “Everybody thinks that security is about spending on the technology and that people are ‘hacking in’ using these really crazy sophisticated mechanisms. But when you start paring back some of what actually happens in most breaches, the root cause is that organizations are often reluctant to put in the proper safeguards. Not because they cost a lot of money, but because they don’t like the cultural impact.” Cybersecurity’s weak link isn’t always technology. More than half of Baker Tilly’s client base report a basic or below-average understanding of the cybersecurity risk of working from home, according to a recent survey assessing the impact of digital transformation on clients.
The rush to set workforces up to work remotely often came at the expense of security, and the biggest increased risks in remote working that Baker Tilly firms saw among their clients were phishing attacks (59.6% of respondents) and unauthorized access (51.1%). One respondent told the survey that cybersecurity wasn’t a primary concern for clients during the remote work switch, with the focus on keeping production going rather than putting in safeguards. Organizations are trying to mitigate risks by relying on staff to comply with security policies (60.9%) and increasing staff training (58.7%), as well as relying on detection systems (41.3%) and third-party vendors (39.1%) and increasing remote support (39.1%) to identify threats. But staff will only be as effective as the culture that exists within the organization. Many organizations hit by cybersecurity and data breaches already knew about their weaknesses before they were breached, but decisions were made to accept the risk for fear that fixing it would change business workflow practices.
The security practices themselves are not hard to find and, from a technology standpoint, they’re usually not hard to implement. Getting people to be willing participants is the hard part, and that takes executive buy-in, not technology buy-in. But too many executives go down the opposite path and say, I don’t want my people to have to put in a token on their phone and prove it’s really them, or I don’t want to limit who can access what, I want people to be able to use some file sharing site from anywhere. If your people can use any device to access that file sharing site, guess what: if the bad guy gets in, they can access the same thing from anywhere. Preventing ransomware attacks is serious business.
Ransomware is gathering headlines all over the world as criminals extort huge sums from organizations to unlock their computer networks. A US oil network was forced to shut down in May after hackers broke into the Colonial Pipeline, which resulted in a US$ 4.4 million payout to bring the operation back online. Meat supplier JBS paid a US$ 11 million ransom in June after the production plants that process roughly one fifth of the US meat supply were knocked out. This makes ransomware one of the biggest cybersecurity threats businesses can face, because unprepared businesses have few options. It’s a serious problem that businesses must prepare for, with sufficient measures in place to prevent it from happening. They should also have measures in place to recover. Businesses need to think like the bad guys, because the bad guys are thinking like a business. Ransomware is just another business model for criminals, and you can think of their targets as clients. Hackers try to encrypt as many clients as possible, then ask for fees. Importantly, the fees are set so that they do not drive the victim into bankruptcy.
A back-up strategy is also crucial, because cyber crooks rely on businesses not having one or having a vulnerable one. Organizations should have three copies of their data: a primary and two backups. Two of them should be stored on different storage media, and one should be offsite, physically and/or in the cloud. Without the data being backed up, organizations are hamstrung with very few options if they are subject to an attack. Such attacks start with credential theft: hackers get into organizations through a user’s email and password. This accounts for 61% of breaches and is how many ransomware attacks, such as the Colonial Pipeline attack, take root.
Preventing credential theft is easy, and one of the best solutions is multifactor authentication. Many businesses only use a user ID and a password and do not worry about introducing multifactor authentication. Organizations should never need to rely on a single control or protection to keep something bad from happening. The lifecycle of ransomware is commonly viewed as “somebody breaks in and plants this ransomware to lock up somebody’s computers.” The reality is that there are multiple levels that typically have to go wrong for that to be successful. There’s a whole lifecycle of controls to prevent ransomware, but inevitably what you hear is, hey, somebody hacked into an account and put this ransomware there. You don’t hear that there was a whole lifecycle of controls, and that there were probably failures at multiple levels before that ransomware was successful. Many company leaders are fixated on one area when they do suffer a cybersecurity threat or breach, which is similar to a home break-in.
Organizations deal with this as a trade-off between paying the ransom and being able to recover to a reliable operational environment in time. It’s a matter of cost. Victims pay the ransom when it’s cheaper to pay than to try to recover from the attack, and that’s the way the business model works. If the ransom were too high, everybody would say, I will try to recover it another way. But if the ransom is low enough, most people say, I will pay the ransom, get the key, and then get advice about how to prevent it from happening again. Ransomware can be prevented, but it requires organizations to disrupt the criminal business model – and it begins with hardening the organizational culture. The first step is to be aware that it can happen to you and to train your people, among other things, not to click on everything they see in an email. You also need to harden your systems – so, for instance, any protocols or services you don’t need for your operation to function should be disabled.