Work-from-home network traffic spikes: Are your employees vulnerable?
A shift to work-from-home culture
Social distancing during the COVID-19 pandemic has forced employees to work from home, and many businesses were unprepared to provide cybersecurity in this new environment. Some had just 24 hours to make the switch, which means security measures likely fell through the cracks.
Even after states relax their mandates and offices start to reopen, work from home is likely here to stay for many organizations. The shift to a long-term remote culture means security strategies need to change too, with both technology and processes focusing on the biggest vulnerability: employees.
Work-from-home brings network traffic spikes
When businesses had to choose between shuttering operations during the coronavirus lockdown or implementing a remote-work policy, many chose the latter. A survey of 365 employees by B2B ratings and reviews platform Clutch found that 66 percent worked remotely during the pandemic, compared to only 17 percent before work-from-home was required.
As this newly remote workforce had to access corporate networks and cloud apps from their homes as well as communicate via videoconferencing, network traffic saw significant spikes. Akamai CEO Tom Leighton put it this way in an interview with Data Center Frontier: “I’ve been looking at traffic graphs for over 20 years now and I can’t recall seeing anything like this.”
Residential internet providers reported traffic peaks throughout the country starting in March. Comcast, for example, reportedly saw a 32 percent average increase, with areas like Seattle and San Francisco — tech hubs where more employees were likely to work from home — nearly double that, to a 60 percent spike.
Some of those patterns can be attributed to remote learning as schools closed, as well as people filling their extra free time by streaming shows. But data analytics and broadband company OpenVault reportedly observed a 41 percent jump in March broadband use during business hours specifically, compared to January. Likewise, network-analytics company Kentik noted that a lot of the traffic surge came during the 9-5 business-hours window — with video conferencing traffic, in particular, up 200 percent.
This unprecedented shift didn’t just test organizations’ ability to support their newly remote employees — it also opened them up to risks they hadn’t had to consider before. Working outside of the corporate IT infrastructure leaves employee devices vulnerable to a variety of threats, regardless of whether they use corporate laptops or their personal devices.
Coronavirus-themed phishing campaigns
Cybercriminals are quick to take advantage of current events, and COVID-19 is especially advantageous for them not only because of the work-from-home trend but also because of the uncertainty of the circumstances. Things changed quickly and employers implemented new protocols hastily, while many people let their guard down due to panic and fear about their personal and work situation.
A large number of coronavirus-themed phishing campaigns began circulating just as employees started to work from home and thus accessed corporate assets in less secure environments. Google, for example, reportedly saw 18 million malware and phishing scams related to the pandemic on a daily basis in one week in April, and that’s on top of the 240 million on a typical day. Researchers from security company Barracuda also observed a steady rise in spearphishing attacks during the first three weeks in March.
In numerous campaigns, scammers impersonated health authorities such as the Centers for Disease Control and Prevention and the World Health Organization. One campaign, distributed via emails claiming to be COVID-19 advice from the WHO, contained an executable attachment with HawkEye, a keylogger and credential-stealing malware. The fraudulent emails prompted the WHO to issue a warning to consumers.
The phishing campaigns weren’t just targeting personal emails. Organizations like the Massachusetts Institute of Technology saw coronavirus-themed phishing emails circulating to employee addresses. Even during normal times, we’ve seen numerous cyberattacks begin with phishing emails distributed to employees. During the more chaotic COVID-19 environment, especially with more lightly staffed IT departments and employees using unprotected devices, the risks multiplied.
Increased exposure in remote desktops
Another area exploited by bad actors during the pandemic was remote desktop protocol (RDP) vulnerabilities. RDP is a common way for computers to connect to a Windows workstation remotely, and it has many identified vulnerabilities. Among them is the BlueKeep bug, which an attacker could exploit to remotely inject and execute malicious code. Although a Windows patch for it was issued in May 2019, not all organizations have regular vulnerability management and patching processes in place.
Open port scanning is a common technique that hackers use to find services they can exploit, and researchers saw an increased interest in this method as the pandemic took hold. The scanning service Shodan noted an increased exposure of RDP ports — both standard port 3389 and the alternative 3388, which administrators often use in an attempt to hide a connection. Likewise, a SANS researcher noted a significant increase in scanning of port 3389 (an average of 3,540 IP sources scanning for the port in March, vs. 2,600 in October through February).
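The metric cited above (distinct source IPs probing the RDP ports) is one a defender can track on their own perimeter. The following is an added example, not part of the original article: it counts distinct sources per day hitting ports 3389 and 3388 in firewall logs and flags sources sweeping several targets. The log layout, the sample lines and the names `rdp_probe_summary` and `sweep_threshold` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports named in the article: the RDP default and the common "hidden" alternative.
RDP_PORTS = {3389, 3388}

# Assumed log layout, constructed for this example (loosely modelled on iptables LOG lines).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ .*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample input; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2020-03-14T09:12:01Z DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=3389
2020-03-14T09:12:02Z DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=3389
2020-03-14T09:12:03Z DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=3388
2020-03-14T11:40:17Z DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=3389
2020-03-14T11:41:00Z ACCEPT IN=eth0 SRC=192.0.2.99 DST=203.0.113.10 PROTO=TCP DPT=443
2020-03-15T02:03:55Z DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=3388
2020-03-15T02:04:00Z kernel: eth0 link up
"""


def rdp_probe_summary(log_text, sweep_threshold=3):
    """Return (distinct RDP-probing sources per day, sources sweeping many targets)."""
    sources_per_day = defaultdict(set)
    targets_per_source = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Skip lines that do not parse and traffic to non-RDP ports.
        if not m or int(m["dpt"]) not in RDP_PORTS:
            continue
        sources_per_day[m["day"]].add(m["src"])
        targets_per_source[m["src"]].add((m["dst"], int(m["dpt"])))
    daily = {day: len(srcs) for day, srcs in sorted(sources_per_day.items())}
    # A source touching many distinct host/port pairs looks like a sweep, not a stray hit.
    sweepers = sorted(
        src for src, targets in targets_per_source.items()
        if len(targets) >= sweep_threshold
    )
    return daily, sweepers


if __name__ == "__main__":
    daily, sweepers = rdp_probe_summary(SAMPLE_LOG)
    for day, count in daily.items():
        print(f"{day}: {count} distinct sources probing RDP ports")
    print("sources sweeping multiple targets:", sweepers)
```

Because port 3388 is counted alongside 3389, the summary also shows that moving RDP to the alternative port does not take a host out of scanners' view.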
The long-term implications for organizations
Many experts believe that the pandemic has changed the way both employers and employees view remote work. Although things were touch-and-go as everyone adjusted to the new reality, both sides found many advantages in the ability to work from home.
A March survey of more than 300 finance leaders and chief financial officers by Gartner found that 74 percent planned to make at least 5 percent of their workforce permanently remote. And almost 25 percent planned to make that shift for at least one-fifth of their previously on-site workers.
“This data is an example of the lasting impact the current coronavirus crisis will have on the way companies do business,” said Alexander Bant, practice vice president, research for the Gartner Finance Practice.
One of the lasting impacts needs to be in the way businesses approach their security. Numerous organizations, especially in the healthcare industry, were hit with cyberattacks during the pandemic, including ransomware. Phishing emails were often the origin of the threat. While they weren’t necessarily related to remote work, these attacks, coupled with the cybersecurity exposures that became evident during COVID-19, emphasized the urgency to reconsider cybersecurity strategies.
A new business normal will emerge after the pandemic — and that business normal will be the shift toward a more blended workforce with on-site and remote teams. Before you embrace the new opportunities that a remote workplace brings to your organization, consider the long-term security implications and make sure you have the tools and processes to mitigate the new risks.
Sources
- Working From Home During the Coronavirus Pandemic: The State of Remote Work, Clutch
- Data Network Traffic Impact From COVID-19, Data Center Frontier
- Comcast: Peak network traffic rises 32% as millions stay at home, Light Reading
- Verizon sees almost 20% increase in web traffic in one week due to COVID-19, FierceTelecom
- Trends in Network Traffic in Correlation with COVID-19, Kentik
- Coronavirus-themed domains 50% more likely to be malicious than other domains, Check Point
- WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC, ZDNet
- Beware of phishing scams related to the coronavirus, Massachusetts Institute of Technology
- Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week, The Verge
- Threat Spotlight: Coronavirus-Related Phishing, Barracuda
- Trends in Internet Exposure, Shodan
- Gartner CFO Survey Reveals 74% Intend to Shift Some Employees to Remote Work Permanently, Gartner