It’s a perfect recipe for cybercrime: a global pandemic that has increased the corporate attack surface, made employees more susceptible to social engineering, and hobbled security measures. But while most stories have focused on the huge and rising volumes of Covid-19 phishing emails and online scams targeting home workers, the heart of the challenge for organisations lies with their IT and cybersecurity staff.
Unfortunately, new reports out over the past week point to unprecedented challenges in this area. Hopefully many of these will be overcome as the situation stabilizes. But in some cases, there will need to be a major security rethink about how to support the distributed workforce.
A recipe for risk
Across the planet, organisations have done remarkably well to support the sudden requirement for home working, as government lockdowns forced most employees in white-collar jobs to practice social distancing. But in many cases, the delicate balance between productivity and security has tipped overwhelmingly in favour of the former, increasing cyber risks.
A large part of this is down to the new working arrangements IT and security staff find themselves in and the resources they’ve been given. A survey of global cybersecurity professionals by certifications organisation (ISC)² reveals that nearly half (47%) have been taken off some or all of their typical security tasks to support other IT-related jobs, such as remote working. It highlights a struggle in many companies between the need to roll out remote tech quickly and the need to do it securely. The security issues around video conferencing platform Zoom illustrate the problems that can come from rushing in to adopt new tools before assessing security risks.
Even for those that are still working full-time on security, there are issues around the support they’re getting. The report claims that 15% of respondents don’t have adequate resources, while another third (34%) say they do, but only for the time being. This is echoed by a recent poll of over 3,700 members by industry body ISACA, which finds that only around half (59%) feel their cybersecurity team has the right tools and resources at home to perform their job effectively. As a result, only 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats.
VPNs are coming under particular strain. A quarter (23%) of global firms say they’re experiencing major disruption to network security, with 61% claiming VPNs have suffered connectivity issues, according to Neustar. If these secure channels aren’t working properly, IT security teams will have trouble applying vital patches to remote working endpoints. Poor planning is a possible reason: nearly a third (29%) admit to not having a fully executable business plan for network security in the event of a major crisis.
These challenges are, of course, being compounded by the fact that many home workers are using less secure personal PCs and devices, and are working on networks shared by users including children who may engage in risky online behaviour. Then there is the desire for the latest news about the pandemic, which entices many to click through on phishing emails. Barracuda Networks reported a spike in such emails of over 600% between the end of February and the end of March.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.