Written by Robert Bach, Director, Product Strategy – Digital Workplace at Crestron
Imagine this: Someone in your company is sent an alert that a particular billing software your firm has deployed needs an update. That someone triggers the update — but unbeknownst to them, a hacker has exploited a weakness in that very program. Even though the update came from a reputable trusted source, it was loaded with ransomware.
Yes, it’s an actual example. No, the company didn’t capitulate. The firm did, however, spend three months of downtime replacing several thousand devices, losing vast amounts of time and money in the balance.
It’s a nightmare scenario — but it’s not nearly as common as most security breaches. Successful attacks are often the result of simple human errors, lapses in judgment that bad actors have learned to exploit. Attempts to take the human out of the equation, though, can create a natural tension — for example, is every email that includes a link or attachment scanned for potential dangers? That seems like a terrific solution — until a PowerPoint deck is delayed during a critical sales meeting.
The most cost-effective way to lessen your risk is by carefully educating everyone in a firm about potential dangers — even those who aren’t necessarily using the company’s network. Suppose an unwitting cleaning or maintenance worker has allowed a potential spy to “coattail” (tailgate) on their badge scan, thinking they’re performing a common courtesy to the next person wanting to enter the building, simply by holding the door open for someone they believe is a fellow employee or a harmless guest. In fact, they’ve just allowed in someone who can snoop for vital info. In this case, ingress and egress sensors could be a terrific asset (does the population of the building match the number of badge scans today?), not to mention more traditional surveillance systems. But ultimately, helping employees understand these potential threats creates a stronger first line of defense.
The Work-From-Home Worry
The above example is a prime illustration of the ability of cybercriminals to take advantage of human nature. In this case, basic kindness is exploited; but far more often, the bad guys appeal to our natural curiosity.
It’s an interesting inversion. IT and security experts have lived with two truisms for decades: “Anything that can be hacked, will be hacked” and “Not if, but when.” As all the mechanical tools available are being deployed, refined, and updated, hackers look for increasingly more “low-tech” attacks. The “wetware” of any network — that is, the human brain — is very often the weakest link.
The sudden — and explosive — growth of remote workers triggered by the pandemic created a wealth of opportunities for those with bad digital intentions. The weak link is email, and the numbers are staggering. Take these topline findings from a recent survey by the Mimecast Threat Center:
· In 2020, email threats rose by 64%.
· Employees have been clicking on three times more malicious emails since the start of the pandemic.
· As a result, more than 60% of all companies have endured some form of an attempted ransomware attack.
Beyond the potential for an employee opening a nasty .exe file, device access is another issue: Who’s using that work laptop after hours? Is mom or dad’s device off-limits to the kids?
Hybrid Solutions for Hybrid Workers
The best way to attack the problem? A combination of knowledge and technology. The pillars of this strategy are:
Training. The aforementioned Mimecast survey further noted that only one in five companies offer some form of ongoing cyber awareness training. As threats become more and more sophisticated, and as motives for attacks become more diverse — from cash to corporate espionage to political chaos — ongoing, regularly updated education for a company or government’s workforce is a “mission-critical” step.
Zero Trust Networking. In the early 2000s, we saw a simple response to some of the more famous “worms,” Nimda and Code Red: an enterprise would “ring-fence” the network. This was a dark time for cloud service providers, who fell out of vogue for a while as on-premises infrastructure, security and managed services blossomed. In direct contrast to that approach, we now find ourselves in the Internet of Things market of the 2020s — and it’s the cloud providers and services that allow us to work from anywhere and keep the economy moving during the pandemic. The return to the cloud has resulted in a redefined strategy in which a “defense-in-depth” approach has replaced the ring-fence.
The days of “trust but verify” are over. The model of “never trust, ALWAYS verify” — defined by Forrester a decade ago — is explained well in this post from Cisco. Simply put, this zero-trust approach to network security is a mix of technologies — the depth of defense — that “establishes trust through continuous authentication and monitoring of each network access attempt.” Zero trust is not a product but a disciplined approach or methodology for obtaining layered security. The defense in depth is not the same at all levels, but is based on the need for security, which rises in kind with the value of the assets being protected. Often this is lost in translation, but to use a well-known metaphor, you don’t cure Covid by killing the patient: you apply maximum protection to your most vulnerable assets and reduce strictness as you progress through lower vulnerabilities. This enables you to partake in the offerings of IoT in accordance with your risk-aversion level per application.
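To make the two ideas above concrete (every access attempt is evaluated and logged on its own, and the checks tighten as the asset's value rises), here is an added illustration in Python. It is not code from the original post or from Cisco, Forrester or Crestron; the tier table, asset names and the user "alice" are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy table: requirements tighten as the asset's value (tier) rises.
# Tier 1 = low-value (intranet news), tier 3 = the crown jewels (billing system).
POLICY = {
    1: {"mfa": False, "managed_device": False, "max_auth_age": timedelta(hours=24)},
    2: {"mfa": True,  "managed_device": False, "max_auth_age": timedelta(hours=8)},
    3: {"mfa": True,  "managed_device": True,  "max_auth_age": timedelta(minutes=15)},
}

@dataclass
class AccessRequest:
    user: str
    asset: str
    asset_tier: int
    mfa_verified: bool
    device_managed: bool
    last_auth: datetime   # when the user last proved their identity
    now: datetime         # time of this access attempt

AUDIT_LOG = []  # every attempt is recorded, whether allowed or denied

def evaluate(req):
    """Decide one access attempt against its tier's policy; earlier decisions are never reused."""
    rules = POLICY[req.asset_tier]
    reasons = []
    if rules["mfa"] and not req.mfa_verified:
        reasons.append("mfa_required")
    if rules["managed_device"] and not req.device_managed:
        reasons.append("managed_device_required")
    if req.now - req.last_auth > rules["max_auth_age"]:
        reasons.append("reauthentication_required")
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user, "asset": req.asset, "tier": req.asset_tier,
                      "allowed": allowed, "reasons": reasons, "at": req.now.isoformat()})
    return allowed, reasons

def demo():
    """Same user, same session (authenticated 2h ago, no MFA, home laptop), three assets."""
    now = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    auth = now - timedelta(hours=2)
    results = []
    for asset, tier in [("intranet-news", 1), ("hr-portal", 2), ("billing-system", 3)]:
        req = AccessRequest("alice", asset, tier, mfa_verified=False,
                            device_managed=False, last_auth=auth, now=now)
        results.append(evaluate(req))
    return results

if __name__ == "__main__":
    for (allowed, reasons), entry in zip(demo(), AUDIT_LOG):
        print(entry["asset"], "ALLOW" if allowed else "DENY", reasons)
```

The same session that is good enough for the intranet is denied for the billing system on three separate grounds, which is the "defense is not the same at all levels" point in code.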
Resources. Yes, you’ll need to throw money (and time) at the problem. In summation, the Mimecast survey notes that “It stands to reason that companies using advanced technologies such as AI and layered email defenses—while also regularly training their employees in attack-resistant behaviors—will be in the best possible position to sidestep future attacks and quickly recover.” Spending money on these technologies — and spending time training your people — can help prevent the disastrous drains on cash and human capital that a successful cyberattack might incur.
There’s a bit of good news in all of this, however: Governments have begun taking the threats seriously, and crackdowns on black-hat hackers are becoming a greater priority. The “Cyber Police Force” will likely one day be as ubiquitous as traditional law enforcement departments. The more deterrents available, the safer we’ll all be.