The normal bustle inside of many office buildings has come to a halt during the pandemic switch to remote work, but these empty buildings could be inviting a different kind of activity: cyber crime.
“With any type of confusion, and certainly one at the scale of a pandemic and mass exodus from office buildings, the bad guys see opportunities,” said Michael Bahar, litigation partner and co-lead of the global cybersecurity and data privacy practice in Eversheds Sutherland’s Washington, D.C. office, in a recent episode of The Insuring Cyber Podcast. “They prey on that confusion. When you have physical office spaces and workspaces suddenly vacated, that’s a real opportunity for the bad guys to find another way to attack organizations.”
Justin Fier, director for cyber intelligence and analytics at cybersecurity technology company Darktrace, said earlier in this episode that office buildings emptied during the pandemic can present concerns ranging from something as sophisticated as entrepreneurial criminals setting up bitcoin mining systems in closets that nobody knows about, or something as simple as a criminal walking into a building and plugging into an empty ethernet port.
“The sheer fact that there isn’t a physical presence is probably the biggest concern,” he said.
Bahar said that when attention is focused elsewhere, it’s easier for malicious actors to gain a foothold into companies’ networks. This means those with vacant office spaces during the COVID-19 remote work environment need to align their cybersecurity efforts with what has been called “the new normal.”
“It’s about saying, ‘OK, here’s the new normal. What can we do in light of this new normal?'” he added.
He suggested guidance for password security and avoiding public WiFi are just a couple of simple steps companies can take to protect their networks. While some companies have permanently made the switch to remote work, meaning there’s no longer a need for the real estate, others have remained hopeful that a return to the office will happen at some point, at least in part. As companies begin to return to the office, however, Bahar and Fier say vigilance is key.
“As we do start to embrace some of the more hybrid lifestyle, it’s just a new set of security challenges, whether it’s IoT (Internet of things) or just re-adapting back to office life when we’ve all grown so accustomed to the work-from-home atmosphere,” Fier said. “When we would deploy, we would find all sorts of things customers didn’t even realize were on the network…If we couldn’t monitor those devices remotely, we are literally Trojan horse walking these things right back into our environment.”
IoT technology presents its own set of concerns, Fier said.
“How about the new host of IoT devices that our environments are going to have, like FLIR (thermal imaging) cameras checking the physical temperatures of people when they walk through the security gate to make sure they don’t have a fever or symptoms, or air quality sensors making sure the carbon dioxide levels are within specs with all of the air scrubbers that are happening all over the place?” he said. “There’s going to be a whole new host of environmental IoT devices that are going to be a part of our network. And we need to be careful about IoT, because even though we are approaching 2022, IoT is still wildly insecure.”
Bahar added that while many companies are placing a focus on the transition back to the office, it’s important that they don’t lose sight of their security plans in the process.
“When you’re laser focused on one thing, there’s always the risk that you’re distracted or you’re not that focused on something else, so I would anticipate that malicious actors are circling the gates,” he said. “They’re preparing themselves for another wave of attacks as companies try to adapt to a hybrid working environment.”
So, what can companies do to stay protected?
“Be prepared,” he said. “Hope is not a plan. Instead, you want to plan for the worst and hope for the best.”
He noted that many times, companies mistakenly believe that the worst-case scenario is a breach.
“Well, yeah. The breach is really, really bad, but it’s actually not the worst-case scenario, because the worst-case scenario can be the litigation, the regulatory enforcement action, the business interruption and the reputational damage that could come from a breach that was not optimally handled, precisely because it wasn’t well planned for,” he said. “And that is what transforms a bad day into potentially a tragic year or tragic years.”
With this in mind, companies need to be focused on carefully thinking through their cybersecurity plans while also maintaining the flexibility to quickly adapt to new threats, he said.
“We don’t want to be slaves to the plan. We want to think things through, but we have to be able to adapt, because the malicious actors—they’re real. They’re largely alive. They’re going to react to your moves. They’re going to anticipate some of your moves,” he said. “When you see in that room, that crisis response room, everybody’s head turning one way, that’s always a good indicator that you should probably look the other way as well, because something else might be going on.”
Check out the rest of the episode to find out what Fier and Bahar had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with The Insuring Cyber newsletter. Thanks for listening.