On Monday, March 9, 2020, Andrew Huang’s world fell apart. His company became another victim of data theft.
Huang is no IT illiterate. In fact, he is what we call a privileged user. He holds the keys to the critical systems that his medium-sized brokerage firm depends on for its business.
Digital bread crumbs
Stealing sensitive information is nothing new. While the art and science have evolved, the fundamentals are the same: deception, emotional blackmail, lost or stolen credentials, and sensitive data bought and sold.
The COVID-19 pandemic just made it easier. Before, privileged users worked in a “castle” protected by “moats” of firewalls and intrusion detection systems.
“The reason for the castle and moat approach to security is largely due to perimeter security concepts and methodology. And given today’s IT environment which is highly dispersed, the approach is much harder in practice to guarantee the quality and responsiveness needed to secure your infrastructure, employees and data,” observes Fleming Shi, chief technology officer at Barracuda Networks.
Richard Addiscott, senior director for security and risk management programs at Gartner, feels companies need to ground themselves in the hard truths — especially in a remote working environment like today’s. They “need to recognize the shifts to their security threat environment and how any working arrangements that are in place could be amplifying what may have been only low level risks previously when there was a much lower proportion of staff working from home,” he adds.
The castle-and-moat approach was also never foolproof — even before the pandemic. In its ongoing cyber risk-maturity survey research, McKinsey noted that only 5% of the companies surveyed had mature risk-management capabilities. It also found no correlation between spending levels and risk-management maturity, which means every company, regardless of its security budget, is fair game.
Huang’s firm was one of them.
When a global crisis occurs, the first emotion everyone feels is fear. Hackers know this very well and have exploited it successfully against high-profile victims like Marriott International.
“With anxiety levels so high, people become highly susceptible to fake news. The recent case about the Johns Hopkins University site showed how well scammers are taking advantage of the fear factor,” Huang notes, pointing to how a fake website used fear to harvest credentials.
It takes only a single human failing to let the hackers through. So, Barracuda Networks’ Shi feels companies need to do more than just reinforce their old approach. “I would suggest looking into a new approach that involves elements of Zero-Trust, Segmentation and Cloud Security Posture Management,” he adds.
Huang and his peers, being privileged users, had additional training and procedures to follow. Unfortunately, privileged access holders are prized targets for hackers, as they “have the keys to the kingdom,” admits Huang.
When remote working became the new normal, employees faced a new reality: the collision of their personal space with their company workspace. As the lines blurred, hackers saw their chance.
“In this pandemic situation, we are practicing ‘Social Distancing’ to avoid transmission of health-threatening viruses. It should be the same for systems, especially since employees are working-from-home during the pandemic,” says Barracuda Networks’ Shi.
Sometimes, your consumer devices may undo your policies. “The security posture and features of your home router and other IoT devices are far inferior compared to devices utilized by security-conscious organizations,” adds Shi.
Huang admits that it takes incredible discipline to use separate devices and workspaces for work and personal life. The lines are further blurred as consumer apps vie for corporate status, leading to issues made famous by Zoombombing.
It comes down to risk assessment, says Gartner’s Addiscott. “The more prospective clients decide not to buy a piece of software due to security concerns, the more likely it is that the vendor will take steps to remedy the situation and deliver a more secure product to the market,” he adds.
Another problem with the relentless online attacks is that hackers already have the credentials, thanks to past breaches.
Stealing records and credentials is only the first step. Often, the information is shared, bartered, exchanged and sold on the dark web. “Then, hackers will use automated bots to drive credential testing,” says Huang, sometimes using other online sites like digital banks, financial exchange servers and e-commerce sites, to test the validity of the stolen credentials.
Hackers are weaponizing this stolen data. Done well, it hands them the keys to the “kingdom.”
That is what happened to Huang. In a series of data breaches, hackers walked away with sensitive information using harvested credentials.
But Huang considers himself lucky. His company enacted measures to contain the breach and data loss. The backup data was also left untouched, unlike more sophisticated breaches where hackers corrupt the backup data and leave the company defenseless.
Addiscott believes that companies that do not recognize that their threat landscape is very different from what it was right before the pandemic are the most vulnerable. “Organizations that haven’t taken stock of the new threat and risk environment will unlikely have taken steps to protect their remote workforce and the information they’re accessing.”
Huang’s company did. The right policies and procedures helped, and they let him sleep better — for the moment.
This article is part of a CDOTrends eGuide.
Photo credit: iStockphoto/Jolygon