Over recent months, organisations have had to evolve rapidly with employees working remotely, often with limited capacity for remote access to support the high volume of work from home.
In some cases this has led to a weakening of perimeter controls by enabling employees to access corporate networks remotely using less secure protocols. Corporates have also seen individuals remotely connecting without using multi-factor authentication.
In these scenarios it becomes easier for cybercriminals to steal credentials they can use to access the corporate network to deploy ransomware or obtain access to an executive’s mailbox and trigger a business email compromise.
When we talk to corporates the message is ‘you have already made the shift very quickly to working from home, now what can we do to improve your policies around remote access?’
Adapting to the new normal
It is also more challenging to maintain strong performance management and controls oversight when staff are working from remote locations. Many corporates have started to consolidate their treasury and accounts payable departments into a single service, but with employees working from home there need to be more reminders for people to follow standard procedures for authenticating callers, reporting suspicious activity, or approving changes to accounts.
Under normal circumstances, when an organisation suffers a cyberattack it will bring together in a single location all of the key executives to lead its response. However, coronavirus restrictions don’t allow for this to happen, so it is vital that organisations can rely on their business continuity procedures.
Companies were reluctant to test these procedures in March when there was so much change going on. However, testing business continuity plans becomes much more important in a distributed environment where resilience capabilities are reduced.
There has also been a shift in the way adversaries operate. In 2017, a large-scale attack led to many organisations not being able to close the quarter, recognise revenue, or make payments.
Cybercriminals shift their focus
Corporates responded by implementing back-up strategies to ensure they would be able to continue to process payroll and make debt repayments; and so cybercriminals have shifted their focus to extracting sensitive financial data, encrypting it, and threatening to leak it.
We have seen situations where organisations have had account information exposed; that creates risk where vendor names and bank accounts are revealed, as well as helping adversaries prepare for a bigger attack down the line. This scenario has led to some organisations choosing to pay a ransom for their data to be returned.
Corporates can reduce their vulnerability by ensuring that their network cannot be accessed via single-factor authentication (in other words, with just a password).
The other area to look at is email and web security: strong filtering of inbound email and outbound web communication will prevent attacks because most malware is delivered through inbound email and then connects outbound to the command and control infrastructure that directs it.
Protecting administrator accounts vital
Privilege management is also important. The tools used by cybercriminals require access to administrator accounts, so protecting those accounts within the organisation is vital.
Corporates benefit from a strong relationship between the cyber security department and the treasury department, ensuring that technology controls and business controls work hand in hand.
Verification has become increasingly important during the pandemic. Under normal circumstances a payment request might be authenticated by calling the person initiating the request and using caller ID to verify their location, but in a work-from-home environment, a cybercriminal who gains control of an employee’s email can change their contact number.
Corporates should run assessments of how money leaves the organisation and build out the appropriate controls. This might involve working with their bank to detect anomalous payments.
They should also treat security awareness as an ongoing process, making sure employees are aware of new threats and what they can do to prevent cyberattacks.
These are challenging times, but every crisis is an opportunity to improve processes. There is always room for improvement and that is where testing and playbooks become so important – organisations that test their processes regularly fare much better when something malicious happens because they know exactly what to do.