Working from home complicates efforts to defend the enterprise from bad actors, but returning employees to the workplace is likely to be a slow process.
Before the novel coronavirus outbreak, 2020 was on track to see fewer—although more-costly— cyberattacks than the previous year, according to experts.
The number of companies reporting cyber incidents over the previous 12 months fell to 39%, from 61% the prior year, wrote the authors of the Hiscox Cyber Readiness Report 2020; yet losses from such incidents rose to $1.8 billion from $1.2 billion. The business insurer surveyed 5,569 cybersecurity professionals between December 2019 and February 2020 for the white paper. Financial services, manufacturing, technology, and media and telecommunications companies proved to be the most popular targets for bad actors. Approximately 44% in each of these sectors reported at least one incident or breach.
When Covid-19 began spreading like wildfire in March and April, however, cyber-criminals took little time to pivot to the health care sector generally and any organization related to pandemic response. In mid-March, the University of Brno Hospital, in the Czech Republic, temporarily shut down all of its computers due to a cyber breach, which delayed the hospital’s Covid-19 testing. The next day, Hammersmith Medicines Research, that works with the UK government on Covid-19 testing, suffered a ransomware attack. The day after that, the US Department of Health and Human Services became the victim of a distributed-denial-of-service attack—which overwhelms the target with server requests.
Hackers also targeted transportation and logistics companies, including DHL, FedEx and UPS with phishing and malware campaigns that used malicious email attachments and Covid-related links to entice victims to click, according to Deloitte Cyber Threat Intelligence.
The introduction of enforced local lockdowns by regional and national governments has only encouraged bad actors, says Emily Mossburg, global cyber leader at Deloitte.
“There was a huge surge in remote working, and the workforce moving to work from home was a period of chaos and change,” she says. “It was outside the norm, and adversaries looked—and continue to look—to exploit the situation and any period of social doubt where they can gain an advantage.”
Before the outbreak, only 10% of employees worked from home full time and 19% did so part time, according to Brian Kropp, chief of human resources research at Gartner. “We’re going from about 30% engaging in remote work to approximately 50%,” he says, noting that the two categories should each see a further 10% increase.
Such rapid growth in remote connections broadened the amount of infrastructure vulnerable to cyberattackers, says Mossburg.
For Chumash Casino Resort, owned by the Santa Ynez Band of Chumash Indians, who operate three hotels besides the casino, northwest of Santa Barbara, California, the migration of its roughly 1,700 employees who could work from home about a week
“We ramped up our effort pretty quickly,” says Kris Rosson, IT security manager at Chumash. “Our support desk worked around the clock getting devices. We pulled laptops from wherever we could, reformatted them and got them ready for the remote workforce.”
The casino operator relied heavily on its business continuity plans, which included the use of two-factor authentication, VPN concentrators and cybersecurity training for employees working remotely.
“If we had not already had a work-from-home policy and a security policy in place, we would have had to scramble a lot more,” Rosson says. “Having solid best practices in place and solid documents in place let us lean on those a bit and relieved a little bit of the pressure and panic that might have ensued if the leadership said that everyone would be working from home starting tomorrow.”
In a recent online poll conducted by (ISC)2, a nonprofit industry association for cybersecurity professionals, 96% of the respondents said at least some of their firm’s employees work from home; 47% said they had moved all of their employees to the new arrangement.
Hardening the Endpoints
As more employees conduct their day-to-day functions from home networks, companies must factor bandwidth limitations, security constraints and interoperability issues into their regular procedures. When the pandemic hit, however, many companies did not have the necessary resources to provide employees with secure company devices, forcing them instead to connect their personal devices to corporate systems, says Mossburg.
In response, organizations have hardened the endpoint around remote workers, using such means as blocking ports on devices that remote workers use, restricting access to certain URLs and limiting what the remote users can download, says Wesley Simpson, COO of ISC2, a nonprofit industry association for cybersecurity professionals.
Chumash Casino Resort also took the opportunity to update its employee cybersecurity training.
Rosson values keeping employees current with regular scam updates. He flags articles to Chumash employees regarding timely threats, such as scammers trying to abscond with the stimulus checks issued to employees by the US government. “It is more specific to the pandemic,” says Rosson.
The pandemic has not generated new types of cyberattacks, some experts say, merely refinements of existing phishing and spear-phishing attacks—which typically seek information by masquerading as a trusted source—placed in a Covid19 wrapper.
“It’s easier to send out an email with a Covid19 map and get a higher click-through than with a generic phishing email,” says Matthew McMahon, acting product security officer with Siemens Healthineers for the Europe, Middle East and Africa region, and a member of Siemens’ Cybersecurity Training Board.
The US Federal Bureau of Investigation issued a security alert in April that warned remote workers to be wary of “urgent” emails about last-minute changes to financial transactions and new upfront payment requirements. Such emails may fail to provide any means of communication other than email. All of these should be a red flag for users, the agency noted.
But emails are not the only vector of attack that companies need to guard against, says Kropp.
“We’ve heard stories of scammers just sitting outside of large apartment buildings where they know there’s a bunch of employees from a particular company who are not going to work, and they just steal their information as they go through their home Wi-Fi network,” Kropp says. “There are all sorts of new layers of security that need to be created to protect a much more remote workforce.”
Getting Back to Work
A majority of respondents to the ISC2 poll [, which it conducted during a May webinar], only 4% indicated that their entire staff had returned to work while 34% of said that a portion of employees had done so.
Of those who have not returned, 51% said that their company had not developed plans to bring them back to the workplace and only 40% said their employers had done so.
“Every company is taking a slightly different stance depending upon the size, craft and location of the organization,” says ISC2’s Simpson. “We’re adhering to all the standards and safety practice that has come out of local, state and federal governments. However, there is an issue of geography. We have locations around the world, so we are taking other jurisdictions’ recommendations as well.”
The process of bringing employees back to the workplace should be nothing like their hectic departure, argues Deloitte’s Mossburg. Kropp predicts that companies can bring back only 30% of their workforce before running out of office space if they adopt social distancing recommendations. This could force them to take new approaches to scheduling—truncated workweeks, for example, perhaps with multiple shifts per day.
Chumash Casino Resort reopened for business on June 10 after a closure of just over 12 weeks, after implementing a “Safe + Well” program of intensified cleaning, personal protective equipment, social distancing and more. In contrast to its initial rapid response to the health emergency, it brought employees back in phases, reacquiring any technology tools they had been issued.
But companies whose business does not require on-site employees are moving more slowly. Some say they’ll start bringing staff back in September; others expect to wait until the beginning of 2021, according to Gartner. And some are eyeing the prospect of rent savings. “Most companies—even after they have been allowed to have their employees come back to the workplace—are taking a very slow approach, if not delaying it entirely,” Kropp says.