Understanding your business’s threat landscape

To gain an insight into how the cyber threat landscape has changed because of  COVID-19, security experts Dmitry Galov and Artem Karasev spoke in detail about how Kaspersky has been tracking the evolving threats of all businesses now face and how enterprises can take practical actions to make their company resilient to attack.

Dmitry Galov [DG]

Dmitry Galov is a Security Researcher in the Kaspersky Global Research & Analysis Team (GReAT), responsible for researching non-Windows malware, APTs and IoT-threats. He joined Kaspersky in September 2015 and became part of GReAT in August 2018. Dmitry is currently completing his studies at Lomonosov Moscow State University, taking part in various capture the flag events as a member of the ‘Bushwhackers’ team. Dmitry has always been interested in programming and reverse-engineering and started participating in different international competitions while still at high school. Nowadays, Dmitry is an experienced specialist with a deep knowledge of Android malware. Some of his research, including on non-Windows malware and future connected healthcare, has been published on Securelist.com.

Artem Karasev [AK]

Artem is the Senior Product Marketing Manager responsible for Kaspersky’s extensive Cybersecurity Services portfolio – everything from Threat Intelligence and Threat Hunting to Incident Response and Training. With almost a decade’s product marketing and business development experience, working with IT security industry market leaders, Artem is a natural communicator with a passion for the application of innovative approaches to today’s and tomorrow’s business security challenges.

As the pandemic has continued, businesses have had to adapt to radically different working practices. Has Kaspersky seen a new awareness of the security threats these changes have delivered, or are businesses still mostly ignorant of the cybersecurity threats their enterprises and staff now face?

[DG] At Kaspersky, we have seen several changes to the cybersecurity landscape because of     COVID-19. Whether business leaders are paying enough attention to these risks is something we take very seriously, as this helps us advise and then create cybersecurity protocols for our clients.

Of course, the significant change is the remote mass working that is now the norm for millions of workers. From a corporate perspective, our research clearly indicates that nearly half (46%) of the workers surveyed had not worked remotely before. This lack of experience is one of the fundamental reasons for – in some cases at least – a low-level of cybersecurity awareness amongst these workers.

If we also look closely at how these workers were equipped, we found 55% of employees had to use their own devices such as notebook PCs and their own personal phones, which in many cases were not correctly set-up for corporate-level cybersecurity such as robust VPNs.

A good example is RDP (Remote Desktop Protocol), which is used extensively by corporations. Kaspersky researchers observed a 242% growth of brute force attacks on RDP compared to last year and 1.7 million unique malicious files disguised as apps for corporate communication. Both of these findings reflect the ways attackers set their sights on users that work from home.

The key here is not that the sudden demand for online services – be they work-related or for food delivery – grew. Many new users were people who, in principle, avoided being so digitally exposed in the first place. They did not necessarily disregard the need for cybersecurity – they had simply chosen not to use digital services before and were less educated about what can happen online. This group of people turned out to be one of the most vulnerable during the pandemic – their level of awareness of online dangers was very low. It seems like we have been given a big challenge worldwide, and I hope that helped increase the level of cybersecurity awareness among ordinary users.

[AK] From a security product perspective, the BYOD (Bring Your Own Device) movement has increasingly become an issue from a corporate security perspective. What has been taking place is often highly sensitive information was shifted to these personal devices without adequately protecting this information from malicious attack. The speed at which remote working has been used usually meant security wasn’t a priority for many businesses.

We have seen even those businesses that had the foresight to connect their new remote workers with robust VPNs, found many of these remote workers would be using these connections for their personal use as well as for work. This, of course, opens up many potential security issues with the possibility of inadvertently installing viruses or ransomware.

Businesses really need to ensure the basics of their cybersecurity is covered. This includes up-to-date endpoint security applications and VPNs that are properly configured for corporate use. Also, the most critical component is educating the remote workers to raise their awareness of the security threats they face and how changing their behavior is one of the most effective ways to combat cybersecurity attacks.

There is a range of security applications all businesses can use no matter their size. However, is the human element still the weakest link of any corporate cybersecurity?

[DG] Yes, that is absolutely right, which is why we created Kaspersky Adaptive Online Training to teach the skills needed to have high levels of cybersecurity awareness.

My colleague Denis Barinov, Head of the Kaspersky Academy, says: “If employees see no danger in risky actions, let’s say, in storing sensitive documents in personal storage, they are unlikely to seek advice from IT or IT Security departments. From this perspective, it’s hard to change such behavior, because a person has an established habit and may not recognize the associated risks. As a result, ‘unconscious incompetence’ is one of the most difficult issues to identify and solve with security awareness training.”

For example, many businesses had given their remote workers administrator rights, which, in some cases, led to security protocols being disabled on these remote machines opening them for an attack. Our research also found employees sharing inappropriate data via mobile devices (47%), the physical loss of mobile devices exposing their company to risk (46%), and the use of inappropriate IT resources by employees (44%).

Are you also hearing from your customers that employees are pushing back on the question of who is responsible for the security of the equipment and networks they are using?

[DG] I think there always has to be a balance. Business leaders and their workforces all need to work together to create a secure environment for everyone to work within. But I do think employers need to show the initiative that they have thought about how security across their business has to change and how their workers will play a vital role in creating these secure environments for them to work within.

What we are advocating today is to create cyber-immunity and not just cybersecurity. Our approach is to look beyond the kind of security we have now, which is often some form of installed security application.

We are saying the next stage of security protection is not to react when a security breach occurs but to prevent that breach from happening at all. A preventative approach means using several tools including endpoint security applications, breach analysis and tracking the trends in cyberattacks, to develop an overview of potential threats that can be defended against using comprehensive and integrated cybersecurity services.

[AK] We are seeing that as companies change in the face of mounting cyber threats that themselves are also expanding and mutating, the security approach businesses must take also has to change.

The protection businesses need today has to be integrated. This is a critical change to how security may have been approached in the past with separate applications and security protocols for highly defined risks for attacks. Today, we can see this approach must change. As the threat perimeter is expanding and businesses have to manage multiple attack vectors, a new security approach is what Kaspersky has been developing that has multi-vector defenses allowing full network and endpoint security. This gives the business more agility and a foundation of security it can rely upon.

As businesses change how they are organized, the threat landscape also changes. Are business leaders looking to – where possible – automate as much of their cybersecurity as possible?

[AK] Yes, and Kaspersky hears this a great deal when speaking to our clients. What I am hearing is the lack of skilled security professionals’ businesses need continues to be chronic. And as budgets are also being squeezed and frozen, many enterprises are turning to automation.

The approach businesses need to take is to audit their threat exposure. Once these potential risks have been identified, the threat landscape comes into focus. With these insights, systems can be developed to mitigate these threats, with many of the components these systems consist of can be automated. This is one way businesses can react to their limited IT security resources yet create a comprehensive and robust security environment across their enterprises.

As we move into a post-COVID-19 business landscape, how could the digital security risk change, and what kind of threat actors will a business’s security systems have to identify? Is Zero Trust now the only valid security stance enterprises can take?

Having a Zero Trust approach to security isn’t easy for businesses to install. It requires security systems approach an education approach to ensure all employees have comprehensive security training that they implement every day. However, a business’s time and resources on developing its Zero Trust initiative will deliver future benefits, including reduced security costs.

[DG] I think the approach businesses need to take a four-step process: Step one is to think about the end-users. As employees can be one of the most severe security issues, tackling this with a program of education is a critical first step. Step two is to then consider what security technologies you can implement to deliver hardware and software security. Step three is risk management, which means understanding the procedures your business will follow in the event of a security breach taking place. And finally, step four is to ensure your security protocols fully support the compliance your business has to support.

As no two businesses are the same, the make-up of their workforces. Their location and the systems they are using will all be unique, isn’t today’s security about personalizing the threat detection and the response a business takes?

[DG] It is true that the security systems business now needs to develop are not one size fits all. Business leaders must look at the unique aspects of their processes and how their workforces are organized. This will lead them to a deeper understanding of the threats they face and then enable them to mitigate those risks. No security is 100% effective – there will always be unforeseen security breaches. However, businesses are not powerless to act.

At Kaspersky, we can see that one of the biggest security threats that will continue is the use of mobile devices. These are now ubiquitous and essential to almost all employees to work efficiently. My own area of focus is to look at this mobile landscape to identify how this ecosystem of mobile devices can be made more secure. A centralized approach to smartphone security isn’t really possible on a practical level. Businesses can at least use certificates to ensure that the use of third-party applications is limited and policed as much as possible to reduce their security risk.

COVID-19 has meant all businesses have had to, in some cases, radically alter their digital transformation roadmaps. Looking forward to post-COVID, what should a business security stance look like?

[DG] At Kaspersky, security is always an evolutionary process. We can see how the pandemic has changed the threat landscape and consequently the kinds of cyberattacks businesses now face. The shift to mass remote working looks set to become permanent. With the threat perimeter shifting to employees’ homes, securing these spaces and connections will be paramount.

Our reaction to the massive change businesses are moving through is to help them understand the threats they face and deliver the tools and education they need to combat the cyber threats today and their dangers in the future.