In the physical world, bad actors do their dirty work on a one-to-one basis. If attackers want to get into a home or vehicle, they can only break into one building or car at a time.
But in a digital world driven by connectivity and information sharing, things become much scarier. Now you must worry about the entire ecosystem, and cyberattacks can occur at scale.
If I have one exploit, I don't have to go to one physical point to use it. I can use it to target assets, individuals and organizations anywhere and everywhere.
COVID-19 and working from home increased the threat surface
The risk of cyberattacks is an even greater problem than usual because we're all in lockdown. And we're on unmanaged home networks rather than in controlled corporate IT environments.
The activities of others in your home add risk. If you have teenagers, they might be playing online games, and who knows what they're downloading. All of that is shared on your network.
Also, when the coronavirus broke out, many people were interested in finding statistics about the disease. Johns Hopkins became a popular place to see COVID-19 hotspots and how the virus was propagating. Soon thereafter, bad actors copied the site and created weaponized versions of it, which downloaded malware onto the computers of those who visited these deceptive portals.
Nobody is immune from attacker exploits
Of course, sometimes attacks come to us. Even the most tech-savvy get caught in such exploits.
Imagine you just had your performance review, and you get an email from your boss asking for a response. Or you just finished a call with a vendor and receive a document that seems to be from that person. That's an ideal scenario for an attacker. Nine times out of 10, you just open the email or attachment. But it could be someone else targeting you with malicious content.
It's very difficult to defend against this kind of thing, but my point is that you can’t be too cautious. Cyberattackers know how psychology works, and they know how you work.
Bad actors are turning up the volume via automation and cooperation
We've seen an increase in phishing and ransomware. Most of those attacks ride on automated systems that let bad actors try their luck against many targets at once. It's a game of percentages.
What's worse, because these exploits exist as software, bad actors can sell or share them on the internet. Then other people and systems can use them, further compounding the danger.
Stepping lightly, setting rules and taking stock are good defensive strategies
To protect themselves, individuals and organizations should be aware that bad actors are going to be more opportunistic in targeting environments in which more things are connected.
Companies and people also can work to safeguard themselves, their data and their devices from attacks by taking stock of their digital assets, being cautious in deciding what to connect to, and establishing and understanding the rules for connecting.
The first step is knowing what you have. It’s important to inventory your assets and processes, identify which of them are precious, and set policy for how to protect them with technologies such as encryption. You might also want to define which websites you need to log into and which keys or credentials you need to do so. You need to keep track of the data, understand what data you're protecting and keep track of the keys.
Key management is important, because losing a cryptographic key is not like losing your car or house key; rather, it’s like losing a key to hundreds or thousands of cars or all of your houses. That’s because a large number and wide array of assets can be attached to these secrets. In a physical environment, a key will only open one door. That's why we use hardware security modules (HSMs) for key management: it's the highest bar to protect such things.
Device selection, education and penetration testing also help
It’s also a good idea for employees to only use their work laptops and phones for work purposes. That helps minimize cross-contamination and malware picked up from personal web browsing. People may also want to open website links in virtual machines to limit the potential damage.
Organizations should consider offering employees training on cybersecurity best practices. Businesses also can create and share a list of the sites approved for employees to access.
Adopting an offensive mindset and using penetration testing to assess how well systems are positioned to thwart attacks, and acting on that information, also increases business resilience.
Now is the time to work on preventing attacks at scale
The work-from-home movement stemming from COVID-19 has proven that the remote model works. And in light of the pandemic, many organizations are reviewing their work practices.
That includes everything from whether they should continue to pay massive real estate costs to whether they can use hot desks. In their reviews, organizations also should acknowledge that remote work adds a large element of cyber risk and decide how they can address that.