Cybersecurity executives claim working from home increases the risk of attacks
UPDATED The vast majority of cybersecurity executives believe the global shift to homeworking during the Covid-19 pandemic has led to a rise in cyber-attacks, a new survey has revealed.
Published today (July 14), the third Global Threat Report (PDF) from VMware Carbon Black also found little confidence among respondents that the rollout to remote working had been done securely.
The study took a deep dive into the effects Covid-19 had on the security of remote working, with 91% of executives stating that working from home has led to a rise in attacks.
Rick McElroy, cybersecurity strategist at VMware Carbon Black, told The Daily Swig that the rise had been linked to the dispersal of workforces outside the corporate security perimeter because “phishing attacks launched at home users accounted for the bulk of the reports.”
Respondents from the UK, US, Italy, and Singapore were polled in March and April of this year.
The study found that 85% of chief information officers (CIOs), chief technology officers (CTOs), and chief information security officers (CISOs) felt that their workforce had not been properly equipped to work from home, with 28% citing “severe and significant gaps” in security.
More than a quarter (29%) cited an inability to implement multi-factor authentication as the biggest threat facing their organization, rising to 50% for financial services organizations, and 46% for companies with 251-500 employees.
Covid-19 related malware was the biggest threat to smaller organizations with 50-250 employees (43%).
The findings emerged in the context of a larger study produced in the early days of the pandemic, which found that 90% of security professionals had already witnessed a growing volume of attacks over the previous 12 months.
Four in five (80%) also thought attacks had become more sophisticated since 2019.
Of around 3,000 professionals surveyed in more than a dozen countries, 94% had suffered a data breach resulting from a cyber-attack. Organizations experienced an average of 2.17 breaches each, down from 3.4 in the report’s previous edition – potentially because “more people are online and connected, and we have better tools to find the breaches,” suggested McElroy.
The average breach frequency was highest in France (3.7) and lowest in Canada (one breach).
Manufacturing and engineering companies suffered more cyber-attacks and data breaches than any other sector.
The “leap in attack frequency and sustained increase in sophistication” showed that “however fast global businesses may be adapting to the intensifying environment, the cyber threat landscape is evolving faster”, said McElroy in the report's foreword.
Custom malware and Google Drive attacks were the most frequently experienced forms of cyber-attack, each cited by 18% of respondents, while process hollowing attacks more than trebled from 3% to 9.5%.
“Adversaries are adopting more advanced tactics as the commoditization of malware is making more sophisticated attack techniques available to a bigger cohort of cybercriminals,” concluded McElroy.
Conversely, phishing and ransomware attacks only accounted for 6% of attacks each, down from 34% and 18% in the previous two reports.
It “appears that unsophisticated ‘spray and pray’ tactics are being rejected in favor of accessing networks undetected and gaining persistence for longer term campaigns,” reads the report.
The rising adoption of third-party applications prompted 35% of cybersecurity professionals to cite “workload/applications” as the biggest security risk.
Network vulnerabilities were identified by almost as many – 34% – followed by mobile devices (21%) and endpoints (7%).
OS vulnerabilities, the root cause of 18% of breaches, were the most common entry point for attackers, followed by third-party application breaches and ‘island hopping’, both polling at 13%.
Seven percent of breached businesses were compromised via their supply chain.
Some 70% of security professionals felt their organization had suffered reputational damage from a data breach, although only 30% suffered financial losses – down from 44% in October 2019.
Twice as many financial services companies suffered “severe” reputational damage as respondents across all sectors – 34% versus 17%.
The vast majority of respondents – 96% – expected their budgets to grow over the next 12 months, with 46.5% anticipating a rise in 5G-focused security spending.
Threat hunting is becoming ubiquitous, meanwhile, apparently by dint of its effectiveness: 88% of respondents now deployed the defensive method, and 86% said it had strengthened their company’s defences.
Respondents were using an average of 8.91 security tools to manage their security program. This reactive, “bolted-on” approach to tackling emerging threats “has resulted in siloed, hard-to-manage environments”, said the report.
Only 56% of those polled planned to use the MITRE ATT&CK framework to validate their security posture.
“Teams have little time to strategically move on a new framework given the amount of work they already have,” McElroy told The Daily Swig. “Teams struggle to be agile and it's usually not their fault; more the internal and external constraints placed on them by their organizations and the threat landscape.”
This article was updated on July 15 with additional comments from Rick McElroy of VMware Carbon Black.