As distributed work continues to become an everyday norm for countries around the globe, it is important for organisations to consider the impact this new work scenario is having upon the cyber-security landscape. IT leaders are being encouraged to deploy relevant systems that will protect their remote workforces.
By Chris Mayers, chief security architect at Citrix
In the rush to get remote working up and running quickly at the beginning of the pandemic, there was limited opportunity to ensure that security and data protection procedures were fit for purpose. In fact, Citrix’s recent global Workquake survey, of 7 500 office workers, found that currently over a third (39%) of employees are using apps that have not been sanctioned or that have been explicitly banned by their IT teams.
Criminals are exploiting people being at home: online fraud against consumers has increased, and criminals are also targeting home workers. They are finding success by exploiting human vulnerabilities that the Covid-19 situation and homeworking have created, and specifically, stress. Stress on individuals, stress on teams, and stress on security staff.
Stress on individuals: phishing attacks that win by distraction
The pandemic, with all its volatility, uncertainty, complexity and ambiguity (VUCA), is now into its second or even third wave. Whether it is caring responsibilities, home schooling or other pressures, individuals can all too easily be distracted into falling for a carefully crafted phishing e-mail.
Stress on teams: targeting business processes
Stress can also affect whole teams. Even though IT is working hard to keep people supported, they may not be able to react quickly enough to external events. IT teams can no longer rely on informal face-to-face contact to deal with an urgent and unusual situation. They may also have established new, but insecure, working patterns to cope with this stress. Criminals know this and can exploit the gaps in high-risk business processes, with a watering-hole attack, for example.
A watering-hole attack works by identifying a website that is popular with users within a targeted organisation or sensitive job function (such as finance). That website is then compromised to enable the distribution of malware to that whole group of people at once. Individuals in sensitive positions should be advised that a familiar website can still be untrustworthy.
Stress on security staff: multiple, simultaneous attacks
Criminals can create new stresses. Organisations are seeing more ‘cover’ attacks, in which cyber criminals launch an obvious attack on a business, such as a denial-of-service on a public corporate website. Their aim is to distract security response staff from noticing the quieter ‘real’ high-impact attack that is going on at the same time.
IT and security teams should not treat obvious attacks as routine, and should make sure they are prepared to detect and react to more than one attack at a time. As a working practice, it would be wise to rehearse this situation as a security response exercise. These kinds of regular exercises may have been delayed while security staff have been adapting to working at home, but it is now time to catch up.
To tackle these new patterns of attack, here are three key considerations for all organisations in 2021:
* Analytics can play a central role – Analytics technology is a powerful tool for immediately detecting a security anomaly. This could be straightforward, such as a login from an unusual location (for example a country an individual has never visited). It could be more complex, such as an atypical pattern of work spanning multiple sensitive applications. When an anomaly is detected, the system can respond, for example by requiring a manager to authorise access. Attacks on systems may be hard to notice but do follow predictable patterns. Analytics technology can recognise these patterns and help security staff by intelligently grouping these anomalies together. This allows multiple simultaneous threats to be processed in real time.
* IT teams to be available, visible and approachable – More than ever, IT staff need smooth interactions with workers, so that they feel comfortable contacting IT with security concerns. One simple idea is for organisations to incorporate online communications tools within their new security controls. Consumers are used to seeing chatbots; consider designing a security chatbot into a new system, so that users who get stuck can get guidance at the point of need.
* Helping those who are most at risk – Every organisation contains high-risk groups: these include senior executives, finance staff, and system administrators. These groups certainly need regular security training against the specific threats to their groups, and updates to business procedures that address these threats. However, the burden of responsibility should not rest on their shoulders alone. Enhanced security technology (including specialised application controls and the latest hardware) together with a dedicated support team (‘hypercare’) completes the security protection and support they need.
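The analytics point above, combined with the earlier warning about ‘cover’ attacks, can be sketched as detection logic that flags anomalies and then groups those that occur close together in time. This is an added example, not code from Citrix or from the author; the event format, the 30-minute window, the two-application threshold and all sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO time, kind, user, detail)
EVENTS = [
    ("2021-03-01T09:00:00", "login", "alice", "ZA"),
    ("2021-03-02T09:05:00", "login", "alice", "ZA"),
    ("2021-03-02T09:10:00", "login", "bob", "GB"),
    ("2021-03-03T14:00:00", "dos_alert", "-", "public-website"),
    ("2021-03-03T14:07:00", "login", "alice", "RO"),
    ("2021-03-03T14:09:00", "sensitive_app", "alice", "payroll"),
    ("2021-03-03T14:11:00", "sensitive_app", "alice", "banking"),
]
WINDOW = timedelta(minutes=30)  # assumed correlation window
APP_THRESHOLD = 2               # assumed: distinct sensitive apps within WINDOW

def find_anomalies(events):
    seen = defaultdict(set)     # user -> countries accepted as baseline
    apps = defaultdict(list)    # user -> recent (time, sensitive app) uses
    out = []
    for ts, kind, user, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "dos_alert":
            out.append((t, "dos_alert", user, detail))
        elif kind == "login":
            # The first login sets the baseline; an unseen country is flagged
            # and stays out of the baseline until someone approves it.
            if seen[user] and detail not in seen[user]:
                out.append((t, "new_country", user, detail))
            else:
                seen[user].add(detail)
        elif kind == "sensitive_app":
            apps[user] = [(a, n) for a, n in apps[user] if t - a <= WINDOW] + [(t, detail)]
            names = sorted({n for _, n in apps[user]})
            if len(names) >= APP_THRESHOLD:
                out.append((t, "multi_app", user, "+".join(names)))
    return out

def group_incidents(anomalies):
    incidents = []              # anomalies within WINDOW of the previous one share an incident
    for a in anomalies:
        if incidents and a[0] - incidents[-1][-1][0] <= WINDOW:
            incidents[-1].append(a)
        else:
            incidents.append([a])
    return incidents

def possible_cover_attack(incident):
    # A noisy alert alongside a quieter anomaly deserves a second look.
    kinds = {k for _, k, _, _ in incident}
    return "dos_alert" in kinds and len(kinds) > 1
```

Running `group_incidents(find_anomalies(EVENTS))` on the sample data yields a single incident in which the denial-of-service alert, the login from a new country and the multi-application access appear together, so responders see the quiet activity next to the loud one.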
The next wave of attacks will target the hybrid working environment
As vaccines continue to roll out more widely and we move out of full-time working from home, the hybrid model of working is expected to become most prominent.
Currently, 62,5% of South African workers state that they would move to a fully remote mode of working, and in Citrix’s own Workquake study, 44% of respondents said they would like to work from home more often once the pandemic eases. Future attacks are likely to target that hybrid working environment, which will create new ambiguities and weaknesses. Criminals will gather detailed knowledge before an attack; not just about the systems, but about the people.
Organisations should therefore assume that attackers know a great deal about them, and plan accordingly. Crucially, in the fight against cybercrime, every individual should know it is better to check than be compromised. If a communication is unexpected, or the request unusual, it should always be checked before any action is taken.