It may feel too simplistic to be talking about cyber hygiene with CISOs. But in my years as a threat researcher, and now running a global team of threat researchers, data analysts, and forensics experts, I can say authoritatively that the lack of consistent cyber hygiene is the largest and most persistent threat inside most organizations. And the risk continues to grow as organizations continue to grow their networks and expand their attack surfaces without a holistic security architecture or management system in place.
The concept of cyber hygiene is a deceptively simple one: It involves a series of practices and precautions that, when repeated regularly, keep us safe and our devices working as they should. But that’s easier said than done with distributed networks, IoT everywhere, the adoption of multi-cloud infrastructures, and a growing reliance on SaaS application usage. Add the convergence of IT and OT, and the number of aging devices that cannot be taken offline because they monitor or manage critical systems 24x7, and the risks are greater, and the table stakes are higher, than ever before.
One of the most critical places on which to focus cyber hygiene efforts is remote workers. The rapid growth in a mobile workforce and their reliance on personal devices and home networks is just the latest example of the challenges that IT teams face. Unfortunately, enforcing cyber hygiene for remote workers seems to be low on the list for overworked IT teams – somewhere below keeping the business up and running and ensuring access to business applications and essential resources.
Of course, the challenge is that employees working from home are using unsecured personal devices, from laptops to smartphones to tablets, to stay connected during the workday. And these devices, attached to weaker and far more vulnerable home networks, have created the perfect platform from which cyber criminals can launch attacks on enterprise data.
Over the past several months, cybercriminals have combined social engineering tactics that exploit fears about the Covid-19 pandemic with older exploits targeting unpatched vulnerabilities found in devices deployed in many home networks. They have also modified their strategies, switching from email-based attacks, which many remote users have been trained to avoid, to new browser-based attack vectors. And once the corporate network has been breached, cybercriminals are delivering new, more malicious strains of ransomware and other malware.
While 2020 is currently on track to break the record for the number of vulnerabilities identified and published in a single year, these vulnerabilities also have the lowest rate of exploitation ever observed in the 20-year history of the CVE (Common Vulnerabilities and Exposures) list. Instead, vulnerabilities from 2018 have claimed the highest exploitation prevalence (65%). And more than 25% of firms have reported attempts to exploit CVEs from 2005. At the same time, exploits targeting consumer-grade routers and IoT devices have been among FortiGuard Labs’ top IPS detections according to our research. While some of these target newer vulnerabilities, a staggering volume have targeted exploits first discovered in 2014.
The critical lesson is this: Do not assume that older vulnerabilities, including those more than 15 years old, cannot cause problems.
What these trends show is that cybercriminals are extremely agile. Within days of seeing that companies were switching workers to remote status, the dark web was filled with phishing exploits targeting novice workers. Within weeks, threat sensors saw a dramatic drop off in threats targeting corporate resources and a corresponding spike in new attacks targeting consumer-grade routers, personal devices, gaming systems, and other devices connected to home networks. Cybercriminals are clearly more than willing to put in the work to find vulnerabilities that still exist within home networks that can then be used to enter the corporate network.
Of course, many of these attacks are based on the same bad tricks these criminals have relied upon for years simply because they work. With this in mind, organizations must do two things. First, act swiftly to inform employees about cyber hygiene practices. And second, prepare them and their defenses to repel traditional threats like phishing scams and ransomware attacks, as well as new browser-based web attacks, especially as they continue to work remotely. Hosting video conferences to spread cybersecurity awareness across all arms of the business, sending out regular email updates, and urging employees to keep an eye out for unusual or suspicious emails and webpages are just a few examples of the initial steps to take.
Thankfully, despite the continued prevalence of ransomware and the spike in HTML/phishing attacks, there are a number of simple steps organizations and their employees can take to build a stronger barrier against threats. Some of these steps are as simple as creating stronger passwords and performing regular software and application updates. Others may require the addition of newer, more advanced endpoint security software.
It’s also important to note that certain types of business resources are at particularly high-risk for attacks in the current climate. These include financial systems, customer support systems, and research and development resources. Extra measures and precautions may need to be taken beyond the steps outlined below to protect these sensitive, high-priority assets.
In the wake of COVID-19, CISOs have been faced with a seemingly impossible task: Keep enterprise networks secure while employees continue to work from home, perhaps indefinitely. And they have needed to do so on a limited budget, fewer resources, and a team of security professionals that’s already stretched thin. The solution? Enact an organization-wide cyber hygiene protocol, building the remote network security infrastructure from the ground up.
By focusing on training, awareness, and education, employees will be better able to perform basic security tasks such as updating devices, identifying suspicious behaviors, and practicing good cyber hygiene across teams. After that, it is essential that organizations invest in the right systems and solutions – from VPNs to anti-malware software and encryption technologies – that enable clear visibility and granular control across the entire threat landscape. Complexity is the enemy of security, so the best response to an increasingly complicated and highly dynamic digital world is to get back to the basics. And that starts with cyber hygiene.