Cyber News Roundup: Exploiting Weaknesses, Cybersecurity Best Practices for Remote Workforces, Going Passwordless

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions.

Corporate networks are at risk. A hacker can get into an organization’s internal network in 30 minutes, according to a ZDNet article. Add to that the growing and possibly more permanent remote workforce — with more attack surfaces — and you’ve got a recipe for cybersecurity challenges. As companies shift employees to permanent remote positions, “organizations need to rethink how they approach security with working from home being the normal,” says Mike C. Wilson, founder and CTO of PasswordPing, in an Infosecurity Magazine article. Indeed, Gartner reinforces that 41% of employees will work remotely even post-pandemic.

“[Companies] need to adopt a mindset that assumes that all employees are working on networks with the equivalent security of the local coffee shop. They then need to implement strategies that reflect this new dynamic, or they run the risk that the blending of personal and professional results in laying out the red carpet for cyber-criminals,” cautions Wilson. He offers key steps to take to reduce the security vulnerabilities that come with a distributed workforce:

  • Zero-Trust Approach. Enterprises must adopt this mindset now that there is no security perimeter. All systems need to be appropriately secured and require additional identity verification before remote employees can access corporate resources.
  • Educate Employees on How to Set Up a Home Network. IT departments should encourage and educate employees on how to set up an isolated Wi-Fi network solely for work usage. Employees need to be aware that every device and service, including those belonging to their family, can open up the business to a host of security-related issues.
  • Prioritize Password Policy. With the widespread adoption and reliance on digital services, the risks from password reuse are rapidly spiraling. Companies need to deploy a layered approach to password policy to ensure that only strong, unique passwords are in use.
  • Make Multi-Factor Authentication Mandatory. Sensitive systems and data require more than a simple login layer for security. Organizations need to add additional layers rather than hoping that one will suffice.
  • Evaluate Security Vulnerabilities Before Adding Tools. With employees remote, IT needs to put in place a process to vet apps and software before they can be integrated into the corporate environment. Otherwise, employees are likely to add tools that they already use in their personal lives.

CNN also covers the growing cybersecurity threats as a result of remote working, with the rise of cyberattacks, external and insider breaches accelerating, and a 100% rise in SMS phishing attacks. Gary Steele, CEO of Proofpoint, offers insights about the risks:

  • Remote users migrating data to the cloud
  • Use of personal email, apps from corporate devices
  • Logging on from unsecured Wi-Fi networks

Proofpoint outlines these cybersecurity best practices that are important for organizations to think about before pulling the plug during a prolonged crisis:

  1. Threat actors and cybercriminals are opportunistic. Fear, curiosity, and uncertainty run high among individuals during a time of crisis (like a widespread natural disaster or pandemic). Fraudsters take all opportunities to exploit these emotions among end users. It’s critical that employees be made aware of the lengths attackers will go to, and the ways threat actors will attempt to fool them.
  2. Users may end up in unfamiliar working environments. Crisis situations might force employees to shift to temporary worksites or other remote working situations. Users likely need to consider an expanded set of cybersecurity best practices in these settings. Don’t make assumptions about the security of remote networks, and don’t expect employees to figure things out on their own.
  3. People often seek certainty in times of uncertainty. This point builds on the prior two. The average person wants to feel as empowered and centered as possible during times of uncertainty. If you take your voice out of the mix, you will give threat actors more power. It’s critical that, from a cybersecurity perspective, a trusted authority remain the voice of reason and provide guidance on what to do to stay more secure — and how to do it.
  4. Your coworkers may be willing and able to assist you. During times of crisis, many individuals are willing to stretch beyond regular skillsets and/or responsibilities in order to support the “greater good.” Don’t discount the role that direct managers, HR, legal/compliance, and even marketing teams may be willing to take on in order to communicate important messages related to cybersecurity best practices. Others may be able to keep a program running while information security and IT resources are tied up on other things.
  5. Doing something is better than doing nothing. There could be situations in which you have to temporarily suspend formal phishing and training exercises because of an ongoing emergency environment. But we encourage you to go into “awareness mode” rather than completely stopping a security awareness training program. You can do this by focusing on information-sharing tools.

Cybersecurity Tips for Small Businesses

In an Entrepreneur article, Imran Tariq states that 15% of small businesses do not expect to survive the recession, and that a cyber-attack could be devastating. Tariq offers these cybersecurity tips:

  • Train staff on security protocols. Because startups have leaner budgets, it’s essential to implement the right security protocols that mitigate most of the risk. Employee training should be at the top of the list. Knowledgeable workers make it difficult for con artists to gain unauthorized access to networks, files and bank information. 
  • Make your devices and platforms hacker proof. “In certain situations, it’s better to store valuable items off the grid and to minimize online connection possibilities as these are all potential attack vectors for hackers or scammers,” says Ruben Merre of NGRAVE.
  • Install anti-virus and anti-malware software. Low-cost solutions that have major impact are the way to go. Entrepreneurs should install the latest anti-virus and anti-malware software that finds and identifies threats.

Going Passwordless?

“Stolen passwords are behind 80% of attacks,” writes Mary Branscombe in a TechRepublic article. What are passwordless options and when will they come into play? Authenticator apps and biometrics could replace passwords. “Moving on from passwords to strong authentication and adaptive access policies is key to improving security without hurting productivity, especially given the increase in remote working,” Branscombe states. “Usernames and passwords are just inherently not secure,” says Joy Chik, CVP of Microsoft’s Identity Division. “The better way to protect the user is to provide a more intuitive, more friendly experience and a more secure way through passwordless.”

Remote workforces will continue for the foreseeable future. This puts security, identity and multi-factor authentication in the top five investment areas for security leaders to improve security for remote workers without reducing their productivity, says Branscombe.

Partner blog of interest: Splunk: From Feeding Families to Empowering Students: How Data Is Fueling Amazing Outcomes During COVID-19