A post-mortem on corporate America’s response to the security challenges posed by the pandemic would likely reveal two unfortunate trends. Too many companies refused to change their security strategies in response to the new remote-workforce reality. As a result, they are ill-prepared to deal with the coming wave of post-pandemic security threats that their obstinacy created.
The underlying issue is that many companies failed to question the risk each employee could create in their hastily reformulated work-from-home model. They didn’t evaluate how employee behaviors could change during quarantine, unintentionally or otherwise.
Consider, for example, how some investment banks saw the separation they maintain between traders and analysts break down. Outside the controls of the physical corporate environment, the opportunities to talk to each other suddenly multiplied. Some traders and analysts started communicating electronically from their home offices, putting the bank at serious legal risk from federal regulators for sharing information between departments. Understanding which employees were high risk and which were lower risk really came into play with COVID.
Companies also struggled with the huge inefficiencies of employees leaving or joining the company in a fully remote world. Clinging to paper-based workforce processes tied to government agencies like Social Security, the U.S. Treasury or Immigration was particularly inefficient. Businesses had massive problems getting people to work because they were unprepared to handle physical documents such as employees’ driver’s licenses, passports and other records used to confirm identities. Companies with large employee bases were especially hard-hit and unprepared. While technical alternatives for verifying employee identities existed, companies simply refused to change their normal business processes.
The business world also did a poor job of evaluating where and how it was spending on security capabilities, and whether those investments were delivering a good ROI. Remote work triggered a surge in VPN spending during the pandemic, for example, so that employees could connect securely to corporate networks over the public Internet. But many companies failed to consider the huge strain this would place on their network infrastructure, or how those VPN connections could expose more network resources to remote workers than they should have access to. They refused to remedy the excessive access employees had to corporate data, even after those employees left the confines of the office.
The Next Wave of Cybercrime
One outcome of companies failing to change their ways during the pandemic was a massive uptick in insider-based cyberthreats and crimes. COVID created an environment of financial stress and economic uncertainty for many employees. Company loyalty waned, and employee churn increased. And many companies weren’t prepared to deal with the potential fallout, such as the disgruntled IT contractor who deleted his employer’s entire Microsoft Active Directory when he was fired.
We also saw a spike in employees with excessive access privileges get hacked, exposing the company to outsider-based cybercrime. Since COVID, we’ve seen a 47% jump in the severity of ransomware attacks, 35% increase in funds transfer fraud, and a 67% increase in business email attacks, to cite just a few statistics.
Unemployment fraud, which usually targets government agencies, has evolved as well. It is now being redirected back at companies. We started seeing a correlation between unemployment fraud scams and an escalation in executive spear-phishing campaigns. This activity suggests that the bad guys didn’t just file unemployment claims for people who were still on the payroll; they are aggregating that information and using it to execute large-scale business email fraud scams against companies.
Employees are brilliant unintentional hackers. When something stands in the way of doing their work or completing their assignments, they will find a way around that obstacle: using poorly protected personal devices to conduct corporate business because it was "easier", transferring sensitive data to those same personal devices, or not resolving home security weaknesses like personal routers and modems. Meanwhile, the bad guys have been accumulating mountains of data about user behaviors and devices. This matters because all the fraud that arose during COVID is going to propagate into additional fraud that will plague companies in the post-pandemic world. The fraudsters have a wealth of new information, and they are going to exploit it in the months and years ahead.
Steps to Take
While my assessment sounds dire, there are a number of steps companies can take to better prepare for and protect themselves against the next generation of post-COVID cyberthreats. First, treat employee identity and access control as a real cybersecurity control. Employees may be a company’s greatest strength, but as COVID showed, they can also be its greatest weakness. They now present a much broader spectrum of risk to the company than ever before.
Next, know your people. It sounds like common sense, but you’d be surprised at how big this gap has become. Companies have more than their full-time employees to deal with; they have contractors, partners, and other connection points. Hiring during COVID exacerbated the problem by keeping new hires at a distance in remote work environments. Many companies simply don’t know who they are dealing with. New technologies are available that let companies understand who works for them and what they can access.
Finally, leverage other technical capabilities to reduce risk, such as multi-factor authentication and step-up authorization. Then break free of your company’s reliance on VPNs for remote access and instead employ zero-trust architectures that restrict every user’s access at all times.
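To make the last two recommendations concrete, here is an added example (my own illustration, not code from the author or from any product) that contrasts flat VPN-style access, where a connected tunnel opens every reachable resource, with a per-request zero-trust decision that enforces least privilege by role, device posture, and step-up authorization when the last MFA is stale. The roles, resources, sessions, and the 15-minute step-up window are assumptions constructed for the illustration and echo the traders-and-analysts scenario above.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # grant only after a fresh MFA challenge succeeds
    DENY = "deny"


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[float]  # epoch seconds of the last MFA success, None if never
    device_managed: bool               # True if the device is enrolled in corporate management


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: FrozenSet[str]
    sensitivity: str                   # "low" or "high"
    require_managed_device: bool = False


# Assumed policy constant: MFA older than this must be repeated for high-sensitivity resources.
STEP_UP_MAX_AGE_SECONDS = 15 * 60


def vpn_style_access(session: Session, resource: Resource, on_vpn: bool) -> Decision:
    """Flat network model: once the tunnel is up, every reachable resource is open,
    regardless of who the user is, what role they hold, or what device they use."""
    return Decision.ALLOW if on_vpn else Decision.DENY


def zero_trust_access(session: Session, resource: Resource, now: Optional[float] = None) -> Decision:
    """Per-request decision: identity, role, device posture and authentication freshness
    are evaluated on every access, not only when the connection is first established."""
    now = time.time() if now is None else now

    # Least privilege: the user must hold a role the resource explicitly allows.
    if not (session.roles & resource.allowed_roles):
        return Decision.DENY

    # Device posture: some resources may only be reached from managed devices.
    if resource.require_managed_device and not session.device_managed:
        return Decision.DENY

    # Step-up authorization: high-sensitivity resources require recent MFA.
    if resource.sensitivity == "high":
        if session.mfa_verified_at is None or now - session.mfa_verified_at > STEP_UP_MAX_AGE_SECONDS:
            return Decision.STEP_UP

    return Decision.ALLOW


# Constructed sample data (not from the article): a few resources and sessions at one bank.
RESOURCES = {
    "wiki": Resource("wiki", frozenset({"analyst", "trader", "hr"}), "low"),
    "trading-desk-share": Resource("trading-desk-share", frozenset({"trader"}), "high",
                                   require_managed_device=True),
    "payroll": Resource("payroll", frozenset({"hr"}), "high"),
}

NOW = 1_700_000_000.0  # fixed clock so the example is deterministic

SESSIONS = {
    "analyst-home-laptop": Session("alice", frozenset({"analyst"}), NOW - 3600, device_managed=False),
    "trader-stale-mfa": Session("bob", frozenset({"trader"}), NOW - 3600, device_managed=True),
    "trader-fresh-mfa": Session("bob", frozenset({"trader"}), NOW - 60, device_managed=True),
}


def compare_models(session_key: str, resource_key: str) -> dict:
    """Return what the flat VPN model and the zero-trust model each decide for one request."""
    session = SESSIONS[session_key]
    resource = RESOURCES[resource_key]
    return {
        "vpn": vpn_style_access(session, resource, on_vpn=True).value,
        "zero_trust": zero_trust_access(session, resource, now=NOW).value,
    }


if __name__ == "__main__":
    for s in SESSIONS:
        for r in RESOURCES:
            print(f"{s:22} -> {r:20} {compare_models(s, r)}")
```

Running the block prints the two decisions side by side for every session and resource: the VPN model allows an analyst on an unmanaged home laptop to reach the trading-desk share, while the zero-trust model denies it outright, asks a trader with an hour-old MFA to step up, and allows the same trader only once the MFA is fresh and the device is managed.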