Even as travel restrictions slowly ease around the world, our work environment doesn’t look like going back to ‘normal’ any time soon. Working remote from home has become a reality for millions of people around the world, putting pressure on IT and security teams to ensure that employees not only remain as productive as possible, but also that they keep themselves and corporate data as secure as possible.
Achieving a balance between productivity and security is even harder, given that most organizations do not have adequate visibility or control over what their employees are doing on corporate owned smartphones and laptops while outside the office. Even less so in the case of BYOD.
Do remote workers pose a greater cybersecurity risk than their counterparts at the office?
Cybersecurity threats have risen as remote workers visit more ‘risky’ websites outside corporate networks
NetMotion recently aggregated a sample of anonymized network traffic data, searching specifically for evidence of users attempting to access flagged (or blocked) URLs, otherwise known as risky content. The analysis, which is derived from data gathered between May 30th – June 24th, 2020, revealed that employees clicked on 76,440 links that took them to potentially dangerous websites.
All of these sites were visited on work-assigned devices while using either home or public Wi-Fi or a cellular network connection. The data also revealed several primary risk categories, which were identified using machine learning and based on the reputation scores of over 750 million known domains, more than 4 billion IP addresses and in excess of 32 billion URLs. The assumption is that a large number of employees connected to protected internal (non-public) networks would have been prevented from accessing this risky content.
These are the key findings:
- Employees, on average, encounter 8.5 risky URLs per day, or 59 per week
- Remote workers also access around 31 malware sites per month, and 10 phishing domains. That equates to one malware site every day, and one phishing domain every 3 days
- The most common types of high-risk URLs encountered, in order of prevalence, were botnets, malware sites, spam and adware, and phishing and fraud sites
- Over a quarter of the high risk URLs visited by employees were related to botnets
- Almost 1 in 5 risky links led to sites containing spam, adware or malware
- Phishing and fraud, which garner an outsized proportion of news, account for only 4% of the URLs visited
- The ‘other’ category, representing 51% of the data in the chart above, is made up of ‘low-severity’ risky content, such as websites that use proxies, translations and other methods that circumvent URL filtering or monitoring.
Botnets: URLs or IP addresses found to launch attacks, including DOS, proxy jacking, spam messaging, SQL injections and others.
Malware: malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans and code.
Spam and adware: sites that illegally track or gather information, generate popups or install programs without the user’s consent.
Phishing and fraud: sites posing as a reputable site, usually to harvest personal information. Sites are often short-lived
Please also note that even if a site is suspected of hosting malware, it does not necessarily mean that the worker downloaded malware to their device. The same applies to other threats, such as phishing; the fact that an employee visited a risky site associated with phishing attacks does not mean that the target’s credentials were necessarily exposed.
IT and security organizations invest heavily to protect their perimeter. Workers located behind desks that are connected to corporate networks are generally safe, secure and productive. They are often unaware that several layers of technology, such as firewalls, are in place to protect them. With the world continuing to shift to a more mobile and remote environment, 2020 has been a wake-up call for the enterprise and the IT and security teams that support it.
As this research highlights, remote workers are frequently accessing risky content that would normally be blocked by firewalls and other security tools that monitor internal network traffic. Naturally, this poses an enormous threat to the enterprise. Added to this, many organizations have no visibility into the activity taking place on external networks, let alone any means to prevent it. With such a rapid shift to remote work, enterprise security teams have been left flat-footed, unable to adequately protect users in the face of increasingly sophisticated cyberattacks.
As a result, security leaders need to look to SDP and other edge-to-edge security technologies that can provide web filtering on any network as they seek to evolve outdated network security strategies.
Explanation of risk types
Botnets may be the most prevalent high-risk content encountered, however botnets are not always likely to visibly impact the individual visitor. Instead, these domains are associated with nefarious actors who may be coordinating more sophisticated attacks elsewhere. Despite the lack of imminent threat, few organizations will want their employees accessing these kinds of sites.
Malware continues to be a major danger to businesses, particularly given that ransomware attacks indiscriminately cripple small and large companies, and public sector organizations alike. Consider Sapiens, the Israeli company that was recently forced to pay a $250,000 ransom to remediate such an attack that took place amid the scramble to support remote working. Recent production disruptions at Honda are likewise believed to be a highly targeted attack that relied on lax security around remote employees. Fully one quarter of all risky traffic by employees is to a site that is suspected of harboring packages concealing malware – often capable of bringing entire organizations to their knees.
Spam and adware are less severe in the extent of the damage they might do to a business. However, these remain a widespread and irritating threat for IT organizations. From bloatware that slows down machines to invasive data-gathering scripts, employees risk not only their daily productivity but also access to their sensitive data. Few security leaders would allow this traffic to pass through corporate networks, and the same should be true during periods of remote working.
Phishing is one of the fastest growing social engineering threats, and remains popular among attackers due to its simplicity. Rather than exploiting a watertight OS or hunting for zero day or unpatched vulnerabilities in an application, hackers have turned to a softer target – the employees themselves. The easiest way to extract data from someone is to deceive them into sharing it. Convincing but fake websites for platforms such as Office365, PayPal, LinkedIn are more are rife online, designed to trick users into entering their credentials in the mistaken belief that these resources are legitimate. Hackers then use the stolen details to access important assets, additional credentials and PII.
*About the data: The analysis above is based on aggregated data sourced from anonymized network traffic over a 30-day period from May 21st to June 19th, 2020. The search returned a pool of 76,440 URLs that are associated with flagged (or blocked) URLs, otherwise known as ‘risky content.’
- Best practices in financial services IT: Sean Croston from Goodbody
- Voices of NetMotion: advocating for mental health
- Neuro-Diversity in IT: How remote working has created a more even playing field
- Moving to the Cloud in Legal, working from anywhere and what the future holds
- Voices of NetMotion: the gender gap