Josh Horwitz is COO of Enzoic, a provider of compromised credential screening solutions
With virtually every non-essential business forced to rely on new technology and embrace different ways of working, the coronavirus pandemic has presented organizations with numerous obstacles. While much attention has been paid to how companies can best navigate these challenges, it’s important that we also recognize another truth emerging from our new normal: enterprise security still leaves much to be desired.
According to Gartner, “COVID-19 has changed the way businesses around the world operate. Many of these changes—the shift to working remotely, an increase in automation, and the addition of new technologies—have direct consequences in security and risk…it’s vital that security and risk management leaders understand vulnerabilities and prepare for changes.” While the new approach to working has certainly introduced some new threats, it has also exposed existing security weaknesses that companies must address as they plan for the post-coronavirus period.
Following are a few examples and what organizations can do to educate employees on the risks and mitigate the threat.
Zoom is a prime example of this trend. Since the pandemic forced most business and school activities online, Zoom has experienced a 535% rise in daily traffic to its download page. As usage surged, however, so did takeover of the teleconferencing software due to some inherent security vulnerabilities. Lack of end-to-end encryption, in-app surveillance measures and shadowy data sharing policies are also among Zoom’s security flaws.
While the company has taken steps to address them, Zoom is far from the only business-critical technology with some significant security concerns. As the New York Times’ Brian X. Chen put it, “If there is something déjà vu about all of this, you aren’t wrong. That’s because we find ourselves dealing with the same situation over and over again, focusing on the convenience of easy-to-use tech products over issues like data security and privacy.” It’s critical that the industry as a whole prioritize the latter so that security is more equally balanced with convenience. In the near-term, however, there are a few things for companies to consider:
o Ensure that employees always activate security settings: In the case of Zoom, the optional meeting passwords feature protects against account takeover. Particularly when utilizing software with weak security architecture, it’s important to ensure that employees are availing of all security features—always.
o Check for updates: It’s a security best practice, but it’s often forgotten or delayed, particularly in our current climate, when people are struggling to balance work with new pressures at home.
Phishing is a pervasive security threat, however, the pandemic has illustrated that the hackers behind these attacks have become increasingly sophisticated. For example, a recent campaign in which hackers impersonated communications from Microsoft Teams was extremely realistic and directed users to landing pages that appeared legitimate. Because many of the pandemic-related phishing attacks exploit people’s fear and confusion surrounding the virus, companies should issue guidance on how they will communicate and encourage vendors to do the same.
It’s also a good idea to include phishing reminders whenever there is a change in working structure. For example, as lockdown restrictions lift and some companies resume normal operations, it’s important to encourage employees to be vigilant about “return to work” themed phishing scams.
With employees adopting more online services in the era of remote working, many are defaulting to a common security mistake: creating simple passwords and reusing them across multiple accounts. If these credentials have been exposed in a prior breach, this is essentially laying out the welcome mat for hackers to gain access into the account or accounts in question and, from there, the corporate network.
Researchers from Virginia Tech University found that over 70% of users employed a compromised password for other accounts up to a year after it was initially leaked, with 40% reusing passwords which were leaked over three years ago. Companies must eradicate this persistent security vulnerability as they plan for the post-coronavirus period. With data breaches happening on a near real-time basis, it’s highly likely that a password that was once secure could become compromised down the road. As such, it’s important that organizations consider not only how to enforce the use of strong, unique credentials, but also monitor the security of these passwords on an ongoing basis.
The pandemic has altered nearly every facet of our personal and professional lives, and it’s likely some elements of our new working structure will remain even after all restrictions are lifted. As companies plan for this return to operations, however, it’s important to consider security and take steps to address some of the vulnerabilities that the coronavirus response brought to light.