In March of this year, how employees worked (if they were fortunate enough to be able to continue to work) changed dramatically following state-led shelter-in-place orders. At first, it was hoped the shift would be a matter of weeks. But as the pandemic continued, weeks stretched to months, and with more organizations now extending their work-from-home (WFH) policies well into 2021, there’s currently no real end in sight.
What has the impact of WFH been on security? Security firm Malwarebytes recently completed a report, “Enduring from Home: COVID-19’s Impact on Business Security,” that looks at precisely this issue. The report examines Malwarebytes’ malware data and a survey of 200 technology and information security decision-makers among large and small organizations.
The survey found that organizations are confident in their ability to transition to an increasingly remote workforce successfully. Essentially, 73% rated their organization as a high or higher in their WFH preparedness. For those organizations with fewer than 700 staffers, 84% said they moved more than half of their employees to remote work. However, 84% of larger organizations, those with 700 employees or more, said they’d moved almost all their workforce home.
Disappointingly, despite the profound changes to staff working situations, 45% of those surveyed did not conduct either security or online privacy analyses of their software tools.
Since the beginning of the pandemic, 20% of respondents said they witnessed security breaches as a result of a remote worker, and 24% said remote worker security breaches created unexpected security expenses. Further, 28% said that they now use personal devices for work more than they did previously, and 61% of those surveyed said that their employers didn’t recommend staff install anti-malware on their personal endpoints.
Not surprisingly, criminals are adapting to the new worker landscape, adjusting techniques to target poorly configured virtual private networks, cloud services and email. “There has also been a surge in phishing emails that use COVID-19 as a lure to cover up malicious activity. These emails contain commercial malware, such as AveMaria and NetWiredRC, which allow for remote desktop access, webcam control, password theft and more,” Malwarebytes said in a statement.
The study also found that AveMaria malware increased by more than 1,200% from January to April. This malware targeted primarily large enterprises, the company found. In contrast, Malwarebytes detected a near-doubling in infections from NetWiredRC, which targets small and medium-sized organizations.
What’s most concerning with these findings isn’t that criminals have shifted tactics due to a change in how staffers work; that’s to be expected and enterprises don’t have control over what attackers will do. But enterprises do have control over how they defend themselves. And as enterprises increasingly turned to cloud and collaboration platforms to make their WFH situations work, they should have updated their threat models to reflect the new reality. As this new reality continues, one can hope organizations better evaluate their current environments and adjust their security posture accordingly.