Digital Habits During Pandemic Have Lasting Impact
The unexpected global pandemic left the world scrambling to maintain their daily activities and work as best they could.
With stay-at-home orders that lasted for months on end—and some countries currently instituting another wave of lockdowns—most people resorted to consuming services and ordering goods online, encompassing everything from groceries to telemedicine and shifting work models to make do.
In the process of migrating to remote work and staying indoors, companies had to quickly transform how they offered services digitally, and most individuals opened about 15 new digital accounts with vendors they had never used before.
Account Wave Increases Digital Footprint
This account boom extrapolates to billions of new online accounts created around the world. A June IBM report found 44% of users are not planning to delete or deactivate these new accounts, meaning consumers have increased their digital footprint for years to come. This, in turn, has expanded the attack surface for cybercriminals.
“For a cybercriminal, the larger the playing field and the more data they can prey on, the better,” explained Limor Kessem, executive security advisor at IBM Security. “Every year, we bear witness to billions of leaked or stolen records; compromised passwords and identities abound. With users opting for speed and convenience, they have reused passwords that have likely already been compromised.”
Kessem explained how these new accounts can be compromised more easily, since existing credentials are already in the hands of fraudsters and available on dark web shops.
The survey showed that more than half of millennials would rather place an order using a potentially insecure app or website versus calling or visiting a location in person.
Kessem said that means users rely on their service providers for security, expecting it to be inherent to the service offered, and would forego caution if it meant convenience, in the moment.
Enterprises Must Guard Their Own Doors
With this in mind, enterprises must guard their own networks while leaked/stolen passwords become ubiquitous.
With passwords becoming less and less reliable, one way that organizations can adapt is shifting to a zero-trust approach – applying advanced AI and analytics throughout the process of granting access to users to spot potential threats, rather than assuming a user is trusted after one approved login.
Kessem said user privileges must be limited per least-privilege best practices, and two-factor authentication, at least, must be rolled out to users across the organization.
“The enterprise that best serves customers has to make sure their interactions with the business are secure inside and out,” he said. “IT and security leaders must join hands to plan projects with security built into them from the conceptual phase onward. Ease of use can come from shifting to biometric logins, authenticator apps or using other multi-factor challenges to ensure users are not solely relying on a password.”
Kessem said the responsibility for secure products falls as equally on the CIO’s office as it does on the CISO’s as they work together to scope projects, assess and quantify risk and determine how to best address risk and data protection.
Timur Kovalev, chief technology officer at Untangle, noted with recent ransomware attacks and high-profile breaches, including SolarWinds, JBS, Pulse Secure and now Kaseya VSA, IT administrators should be considering using the more secure options.
“This will also involve training their employees how to navigate the less easy-to-use tools, as well as explaining to employees why these measures are necessary and what they can do to avoid falling victim to any type of security breach,” he said.
He noted that, as workers moved to hybrid work styles, many added even more unknown software and applications to help facilitate working remotely.
While helpful at home, these could prove dangerous once on the corporate network, and with the workforce spread out across locations, using a variety of networks and devices, the attack surface grows dramatically and becomes an opportunity for cybercriminals.
“Because employees and their devices are not always behind an office firewall, workers that rotate in and out of the office could be bringing malware that is hiding in their laptops, waiting to move onto the corporate network,” he said. “Network security teams will need to be diligent to prevent employees from bringing threats back to the office.”
