How the move to hybrid working has become a ‘buffet’ for cybercriminals
The future of work may be flexible, but are businesses – particularly small- to medium-sized organizations – investing enough time, money, and effort to ramp up cybersecurity sufficiently? No, is the short answer, and it’s a massive concern on the eve of 2023.
With the sophistication of cyber threats on the rise and the increased attack vectors exposed by hybrid working, bad actors are preying on the weakest links in the chain to reach top-tier targets.
A witticism doing the rounds on the cybersecurity circuit jokes that the hackers who have transformed ransomware attacks – whereby criminals lock their target’s computer systems or data until a ransom is paid – into a multibillion-dollar industry are more professional than their most high-profile corporate victims. But it’s no laughing matter.
“The coronavirus pandemic was catalytic in forcing organizations to move to distributed remote-work environments,” said Chicago-based Darren Guccione, CEO and co-founder of Keeper Security, a password-management firm. “This shift served as a buffet table for cybercriminals to ramp up their attacks.”
John Noble, a non-executive director on NHS Digital Board, which provides national IT and data services for the U.K.’s national health service, agreed. “With the way work trends have evolved in the last two years, there is a much greater digital dependency,” he said. “Mobile phones are growing in importance as an attack surface, cloud-related breaches are on the rise, and with cyber tools becoming more accessible, ransomware attacks are endemic.” He added that ransomware had “gone from a cottage industry run by a few competent groups to being industrialized.”
Indeed, the nefarious desires of criminals seeking to take advantage of the move to remote working spurred by the coronavirus crisis have been made more possible thanks to ransomware-as-a-service (Raas). The RaaS model means the profits are divided among three stakeholders: the person who writes the code, the service provider, and the attacker.
Ransomware-as-a-service
“RaaS has enabled even the least technically advanced criminals to launch attacks,” said George Papamargaritis, vp of managed security services at Obrela Security Industries. “Today gangs advertise their services on the dark web, collaborating to share code, infrastructure, techniques, and profits.”
Ransomware attacks have made headline news with increasing regularity since the start of the pandemic, and in 2021 attacks nearly doubled (93%) compared to the previous year, according to Check Point. RaaS has lowered the barrier of entry, and the bill for being breached is rising. For instance, in May 2021, CNA Financial, an insurance company based in the U.S., paid a $40 million ransom.
Keeper Security’s Guccione admitted RaaS is a “huge issue” now. “It’s prolific, pervasive, cartel-based organized crime in the worst and darkest way possible. They are attacking everything and no company, regardless of size or industry, is safe.” And yet 80% of attacks target smaller entities, because they have fewer resources and don’t have sophisticated IT architectures or staff, stressed Guccione.
It’s not just smaller companies that don’t have the capabilities to handle cyber attacks. In March, cybersecurity firm Bridewell quizzed 521 IT and operational technology decision-makers in the U.K. and found 79% of companies had suffered at least one ransomware attack in the previous 12 months. Moreover, 28% didn’t believe they had the right skills to support remote working.
Meanwhile, in November the Nixu Cybersecurity Index 2022 revealed that 39% of survey respondents from northern European organizations assessed themselves as having poor or deficient cybersecurity maturity. “This [statistic] indicates that cybersecurity has been driven more as a technology item than an integral part of corporate risk management,” said Jan Mickos, business area lead of managed services, at Nixu. “But the fact is that cybersecurity is all about risk management, and it should be addressed as a business issue.”
Big-game hunting
Many security professionals are concerned they don’t have the tools to help their employer should their business be targeted. The bulk (92%) of 1,600 security professionals polled in 10 countries including the U.S. and U.K. were concerned they would be unable to maintain business continuity if they experienced a cyberattack, according to a global report published in November by California-headquartered cybersecurity firm Rubrik Zero Labs. Further, one-third believed their board had little to no confidence in their organization’s ability to recover critical data and business applications after a cyberattack. The study also found that 48% of IT and security leaders were concerned about data breaches (25%) or ransomware events (23%) in the year ahead.
The collaborative approach to ransomware attacks should be especially worrying for businesses, warned Ian Pratt, global head of security at Hewlett-Packard. “Once the preserve of opportunistic individuals who targeted consumers with demands of a few hundred pounds, today cybercriminal gangs operating ransomware make millions from corporate victims,” he said. “This so-called ‘big-game hunting’ should have alarm bells ringing in many boardrooms.”
New York-based Nathan Green, a senior subject matter expert focused on cyber and the dark web at software firm Dataminr, said that the cost-of-living crisis could trigger more people to turn to cybercrime. He noted that cybercriminals are now hiding in plain sight and posting job adverts on social media platforms, especially Telegram, which is not regulated. “This is no longer something that is taking place in the shadows, in the darkest corners of the dark web where only the most highly technical people can understand what’s going on,” added Green.
What should businesses do to up their cybersecurity? “Organizations are being compromised for several reasons, but not addressing foundational cybersecurity activities is a root cause,” said Noble of the NHS Digital Board. “This includes patching – keeping software up to date is the most important thing a business should focus on, with multi-factor authentication a close second – credential management, and protecting system administrators.”
Of course, when it comes to the size of the cybersecurity attacks, it’s a spectrum. But even the smaller types of attacks, that don’t include stealing data or infecting malware, can have damaging consequences for the companies they target. For instance, in October, publisher Fast Company faced a cyberattack which led to its website being down for nearly an entire week, before its teams could investigate and fix the breach. In this instance, the hacker gained access to the content management system to send racist messages to the publisher’s subscribers – a reputational (albeit temporary) nightmare for any company.
Greater knowledge sharing
Improving cyber hygiene is vital, especially with dispersed teams, considering 95% of cybersecurity incidents occur due to human error, calculated the World Economic Forum in early 2022.
However, remote workers could still be better protected, argued Adrian Asher, chief information security officer and cloud architect at online payments firm Checkout.com. “When, as a society, we went to predominantly working at home, it exposed the inefficiencies of the security login process – two-factor authentication, for instance, is a poor use of a worker’s time,” he said. “What has become clear is that many firms have cumbersome remote-working authentication processes that have impacted productivity.”
Emma Smith, global cyber security director at British telco firm Vodafone, suggested that organizations approach cybersecurity like a soccer team. “It can’t all be left to the goalkeeper or CISO,” she said. “We need the whole team tackling the opposition at every possible line. Otherwise, we’ll never win the game.”
Given that cybercriminals are working together to maximize impact, Noble called for more collaboration and communication between organizations. “Cybersecurity professionals simply must keep pace with the attackers, and sharing knowledge is critical,” he added.
Meanwhile, Josephine Fairley, co-founder of chocolate business Green & Black’s, urged organizations to change tack and be more open when a cyber breach occurs. Yes, there are regulations in place that mean businesses have to report an incident and take steps to resolve the issue. But greater honesty and knowledge sharing will remove the associated shame and help others.
“Generally, people try and keep a cyber breach under wraps – they don’t want it talked about because they think it makes them look bad,” said Fairley. “There needs to be more openness and people holding their hands up, saying: ‘You know what? This happened to us.’”
Supply chain protection
The idea of encouraging transparency chimed with Simon Wilcox, managing director of cloud and cybersecurity firm Digital Craftsmen. “We believe in the principle of ’a rising tide lifts all boats’ and the more the business community knows, the more it will raise their cybersecurity standards and the greater the deterrent to opportunist cybercriminals,” he said.
Vodafone’s Smith said a mindset change would improve cyber defenses. “Between companies, we certainly shouldn’t be competing in security,” she said. “All of us need the whole ecosystem of companies – no matter how big or small – to be secure, resilient to cyberattacks, which will require quite a bit of collaboration and support.”
She said that with “a continuing increase in supply-chain compromise to attack” larger businesses “it’s in all of our interests to keep the whole ecosystem as safe and secure as possible.”
The onus is on top-tier companies to educate those lower in the chain. “Smaller companies must understand which services and assets are the most attractive to attackers, so they know what to protect,” Smith added.