Cyber threats 2021: WFH security flaws and (of course) ransomware
With the roll out of coronavirus vaccines, the light at the end of the pandemic tunnel seems to be getting brighter. Immunizing billions, however, is a tediously slow process, which means our kitchens and living rooms will continue to serve as makeshift offices that are incredibly alluring targets for cybercriminals.
Even though it’s been almost a year since most office dwellers went home, many companies still remain open to attacks via the unsecured home networks or equipment used by employees. With ransomware growing to a billion-dollar industry and the average ransom amount averaging at $1 million, the temptation for many malicious actors becomes irresistible.
“There's a huge monetary incentive for performing ransomware attacks. And typically what we see in these types of things is it's not necessarily a shortage of targets, there's just a shortage of bad actors,” Mike Wilson, CTO of Enzoic, a Colorado-based cybersec company, told CyberNews recently.
We sat down with Mike Wilson to discuss what cybersecurity issues and trends are in store for us in 2021.
You predict that WFH will translate to continued growth of ransomware attacks due to security gaps created by remote working. It’s been almost a year since WFH became a global reality, so why have businesses not adapted?
Something we saw from a lot of our potential customers was that they were basically in scramble mode, trying to get it to the point where all of these people could start working from home. And anytime you have that type of short-term chaos and trying to do that quickly, it can be expensive to have proper security protocols.
I equate home environment to sort of like a coffee shop meaning that in most cases, most people's home networks are pretty dirty,Mike Wilson.
Especially when you're talking about people who may not have done this before because their business didn’t need it before. And there's just going to be things that get missed. The reason I predicted that ransomware attacks would continue and potentially even accelerate is because there's a huge monetary incentive for the people performing these attacks.
And typically what we see in these types of things, is it's not necessarily a shortage of targets, there's just a shortage of bad actors. I think there's a lot of companies out there that are vulnerable, have been vulnerable probably since the early days, don't know they're vulnerable potentially, and just haven't been exploited yet.
We’re going to see these guys continue to take advantage of the right targets and find these targets that are out there throughout the next year. And the kinds of things that we'll be talking about that caused the issue is that a lot of companies don't have zero-trust network models.
Many companies use at least some sort of protection against cyber threats on company devices, don’t they?
Well, they've opened up their internal networks to remote employees now in larger scale potentially than they had in the past. So they've got VPNs in many cases that are open for employees. And once you're on the VPN, you probably have free access to a bunch of resources that are locked down in a secondary manner.
There's going to be public file shares that don't have any type of authentication or require SharePoint instances, public databases on them that don't require any authentication to access. What makes it problematic with people working from home is not just that, you've got things opened up remotely now that didn't used to be open.
I equate home environment to sort of like a coffee shop meaning that in most cases, most people's home networks are pretty dirty. They've got a lot of IoT devices, many of which are pretty easily exploitable.
People have got lots of different devices that essentially are low security, like their kids' computers that in many cases are not going to be locked down. They're not going to have security on them. And kids are kind of notorious for having really dirty devices. Cause they tend to click on a lot of things they shouldn't. So you've got these really kind of hostile local networks.
And in many cases, the administrators for these companies are trying to push down security to the employee devices, their laptops. And it's not always going to be a hundred percent effective because the employees themselves are probably circumventing that. For instance, I've seen cases where the employee has a company issued laptop but decided that they'd rather use their old desktop at home because it has a nicer monitor and keyboard.
And they're just going to install a bit of software on that access that they may not have the company ID on. It may not have the company device management software on it to lock everything down. So there's a wide array of things like that. And then you kind of couple that with a lot of mass migration to cloud services to make things easier.
Another thing that ties into WFH related threats is various IoT devices. Do you see any uptick in attacks where smart devices are used as vehicles to infiltrate business networks?
I've definitely seen the trend and the statistics. IoT devices have been a problem for years, really, since they've been starting to gain traction. And it's typically not your big ones like Amazon Echo or Google home devices. Those aren't really the ones that we're talking about.
It's more like your less well-known brands. You kind of have white label brands that you can buy for super cheap, your smart plugs and smart switches and things like that. But you can get really low-cost devices that just have very poor security practices on the internal software.
So you're talking about weak passwords, sometimes no credentials to access the device. In some cases, if there's a cloud service, the device connects to the cloud services and makes it vulnerable. Really it just kinda depends on the device, but those are the types of things that get seen. There have already been multiple cases where the giant botnets that are essentially composed of home IoT devices that have been exploited in this way caused all sorts of issues, DLL attacks, things like that.
When it comes to businesses that are well-aware of cybersecurity dangers, do you think some companies might let their guard down as we hopefully head back to normal in the second half of next year?
I feel like in the last year, security has become a lot more high-profile, we've had several high profile ransomware attacks that have raised awareness about it. And I think companies are going to continue to look at this and things like cyber insurance since there's always going to be the next wave of things.
I don't see anything totally pushing this off the radar. I mean, the most recent thing we've had were these SolarWinds attacks where tons of companies were exploited by this thing. I think it's probably just a matter of weeks or month or two before we see the next big ransomware attack that costs somebody a ton of money and that's going to really impact the companies.
There have already been multiple cases where the giant botnets that are essentially composed of home IoT devices that have been exploited in this way caused all sorts of issues,Mike Wilson.
Would you say that cyber insurance will become sort of a standard practice for companies that were not necessarily thinking about it last year?
I think as more companies hear about these ransomware attacks and to more traditional companies too, they're going to get cyber insurance coverage because they can't afford not to when they have these types of breaches that can ruin them.
I mean, the Garmin ransomware attack was massive for them. I don't even know how much that cost them, but they probably did have cyber insurance coverage. I know there are companies that maybe a little smaller or medium sized that never thought they needed that type of thing, especially if they're not necessarily a tech company.
I think those companies are starting to look at this and become more aware of it now and say, yeah, if we had a ransomware attack shut down our systems and we couldn’t operate our logistical systems for instance, so we can no longer satisfy customer deliveries or customer orders for some period of time and, you know, got contracts, we've gotta meet things like that.
And all of that ties into the amount of costs that one of these attacks could have on one of these companies. And I think more companies have become aware of it and are increasingly becoming aware of it. I think a lot of companies that didn't really think much about specific attacks like ransomware, now are starting to.
People who work in cybersecurity for companies that aren't tech companies are saying, yeah, this is something that's on our radar now. And it's something that keeps me up at night. It's like, how vulnerable are we, if we have one of these attacks, how are we going to recover from it, what is it going to cost us, how is it going to impact our customers and our business and how can we mitigate that.