Risk landscape and lockdown

by Mark Rowe

The Covid-19 global pandemic has pushed workers around the world into new routines and behaviours: working remotely, meeting online and facing new challenges on a daily basis. The number of people working remotely has more than doubled (nearly two-thirds of the workforce is now working remotely), and for many, work and life have mixed together in unprecedented ways, writes Paolo Passeri, Cyber Intelligence Principal at the cloud security company Netskope.

The Netskope Cloud and Threat Report (August 2020) set out to discover and report on how these new behaviours actually manifested in web and cloud traffic going to and from enterprise devices and systems. By looking at the data traffic of millions of global users, the intention was that enterprises could become more aware of the potential threats and risks that new working models were opening up. For security teams within Netskope customers, this information is all available on a per-user basis, but taken in aggregate it also has value for those who cannot see such detail across their own user base, providing indicators of likely goings-on.

So, what does the data show? The obvious place to start is that 64pc of workers are now remote (an uplift of 148pc compared to pre-pandemic statistics) and with that change we have seen a 97pc increase in personal use of managed devices.

Perhaps the most alarming trend within the data was the statistic that the use of managed devices to access risky apps and websites has nearly doubled during the period of global lockdowns (up 161pc). The increase in users accessing adult content – a notoriously risky part of the web, bustling with malicious activity – on corporate managed devices was 600pc.

A much more openly discussed behaviour is the sharing of corporate devices among family members for home schooling. For many, the work device may be the only way to connect children to the online learning facilities that schools have rushed to make available and we see this sharing of corporate devices validated in the data. Education app usage spiked at three times above average after the pandemic declaration, slowed over the summer, and has increased to 4.5x average at the end of August 2020 as students return to school. Most popular in this family of apps is Google Classroom, the primary driving force behind the increase.

The final user-centric story told by the data comes as no surprise: the use of collaboration apps has increased greatly (80pc) during global lockdown as remote teams aim to stay connected. Despite some countries starting to encourage businesses to return to normal (albeit a “new normal”), we are not expecting usage of these collaboration tools to fall much. The new normal seems to involve the acceptance of remote working to limit numbers within offices and reduce the need for people to use public transport. In addition, experiments with events and networking that do not require international travel will likely continue, as international travel bans make regular globe-hopping unworkable in the mid-term.

So that’s the user perspective, but how has threat delivery changed, if at all? The total amount of both cloud and web-delivered malware increased by 7pc in the first half of 2020, showing an ever-growing appetite for revenue generation and mischief by malicious actors.

Just as with their target organisations, cloud adoption by attackers (with cloud being used as the infrastructure and access point for attacks) continues to grow, with the two most common techniques being cloud phishing and cloud malware delivery. Cloud malware delivery increased its lead over web malware delivery by 4 points between February and August, to 63pc, showing that traditional web gateways are no longer a useful defence against almost two-thirds of malware delivery attempts.

As the saying goes, “plus ça change, plus c’est la même chose” (“The more things change, the more they remain the same”). Despite the increase in personal use of managed devices and access to high-risk websites, the most popular enterprise cloud apps remain the leading delivery method of cloud-enabled threats and malware. The top cloud apps and services from which Netskope blocked malware downloads in the first half of 2020 were (in order of malicious use numbers) Microsoft Office 365 OneDrive for Business, SharePoint, Box, Google Drive and Amazon S3.

The percentage of phishing attempts being delivered through cloud applications held steady at 15pc with a variety of apps used to deliver the bait, including cloud storage, webmail, web hosting, and social media apps. The top five apps used to deliver phishing attempts were Microsoft Office 365 OneDrive for Business, Microsoft Live Outlook, Blogger, AOL Mail and Facebook.

The last Netskope Cloud and Threat Report (in February 2020) reported that 33pc of users transfer data between apps. We now have more detailed information, as it was revealed that 7pc of all users transferred sensitive data (e.g. regulated data, source code, company confidential data) to personal app instances. Cloud storage and webmail apps are the two most popular types of personal instance used to upload sensitive data, and the most common types of sensitive data being uploaded to personal instances are Protected Health Information (PHI), Personally Identifiable Information (PII), source code and company confidential information.

Another statistic new to this edition of the report is that 14pc of file uploads are images, which may contain sensitive data. This underlines the need for security systems that can detect and classify images for data protection purposes.

As ever, the Cloud and Threat Report continues to provide valuable insight into the behaviours of users and malicious actors alike. Cloud adoption continues to grow and is a significant part of an organisation’s cyber terrain, and the significant trends in remote working are major forces shifting security control planes towards identity, app, and data. Remote working only adds more risks as personal use of managed devices increases in a blend of work/life online activity at home.

Cybercrime continues to abuse the most trusted and popular cloud apps, leveraging trusted domains, valid certificates, and the practice of allow-listing popular apps to bypass inline defences. A simple allow/deny decision per app or domain no longer works for enterprises, as data moves across many boundaries in cloud and web-based workflows.
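The failure mode described above (a domain allowlist that trusts a popular app wholesale, and so waves through sensitive uploads to a personal instance of that same app) can be illustrated with a small policy comparison. The following is an added example, not code from the article or from Netskope: it runs a hostname-based allowlist and an instance- and data-aware policy over a handful of constructed upload events, and reports which events the domain allowlist would have let through. The tenant names, hostnames, DLP labels and decision names ("allow", "block", "alert") are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# DLP labels matching the sensitive data types the report lists (hypothetical names).
SENSITIVE_LABELS = {"PHI", "PII", "SOURCE_CODE", "COMPANY_CONFIDENTIAL"}


@dataclass(frozen=True)
class UploadEvent:
    event_id: int
    user: str
    app: str                # application as identified by the gateway
    host: str               # destination hostname seen on the wire
    instance: str           # tenant / account the file actually landed in
    labels: FrozenSet[str]  # DLP classification of the uploaded file


# Hypothetical corporate tenants: the only instances of each sanctioned app
# that belong to the company. Any other instance is personal or unknown.
CORPORATE_INSTANCES: Dict[str, Set[str]] = {
    "OneDrive for Business": {"acme-corp"},
    "Gmail": {"acme-corp.com"},
}

# Hypothetical domain allowlist of the kind a traditional web gateway applies.
ALLOWED_HOST_SUFFIXES: Set[str] = {"sharepoint.com", "mail.google.com", "box.com"}

# Constructed sample upload events (not real traffic).
EVENTS: List[UploadEvent] = [
    UploadEvent(1, "alice", "OneDrive for Business", "acme-corp-my.sharepoint.com", "acme-corp", frozenset({"PII"})),
    UploadEvent(2, "bob", "OneDrive for Business", "bobs-side-project-my.sharepoint.com", "bobs-side-project", frozenset({"SOURCE_CODE"})),
    UploadEvent(3, "carol", "Gmail", "mail.google.com", "gmail.com", frozenset({"PHI"})),
    UploadEvent(4, "dave", "Gmail", "mail.google.com", "acme-corp.com", frozenset()),
    UploadEvent(5, "erin", "Unknown file share", "files.unsanctioned-share.example", "", frozenset({"COMPANY_CONFIDENTIAL"})),
    UploadEvent(6, "frank", "Gmail", "mail.google.com", "gmail.com", frozenset()),
]


def host_allowed(host: str, suffixes: Set[str]) -> bool:
    """True if the host equals an allowlisted name or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def domain_allowlist_decision(ev: UploadEvent, suffixes: Set[str] = ALLOWED_HOST_SUFFIXES) -> str:
    """Domain-only control: trusts the app by hostname, blind to instance and content."""
    return "allow" if host_allowed(ev.host, suffixes) else "block"


def instance_aware_decision(ev: UploadEvent, corporate: Dict[str, Set[str]] = CORPORATE_INSTANCES) -> str:
    """Instance- and data-aware control: same app, different decision per tenant and label."""
    corporate_instance = ev.instance in corporate.get(ev.app, set())
    sensitive = bool(ev.labels & SENSITIVE_LABELS)
    if corporate_instance:
        return "allow"   # sanctioned tenant of a sanctioned app
    if sensitive:
        return "block"   # sensitive data leaving for a personal or unknown instance
    return "alert"       # non-sensitive upload to a personal instance: log it and coach the user


def compare(events: List[UploadEvent] = EVENTS) -> Dict[str, object]:
    """Run both policies and list the events the domain allowlist lets through but the
    instance-aware policy blocks, i.e. the gap the article describes."""
    domain = {ev.event_id: domain_allowlist_decision(ev) for ev in events}
    aware = {ev.event_id: instance_aware_decision(ev) for ev in events}
    missed = sorted(i for i in domain if domain[i] == "allow" and aware[i] == "block")
    return {"domain_allowlist": domain, "instance_aware": aware, "missed_by_domain_allowlist": missed}


if __name__ == "__main__":
    result = compare()
    for ev in EVENTS:
        print(f"event {ev.event_id} ({ev.user}, {ev.app}, instance={ev.instance!r}): "
              f"domain={result['domain_allowlist'][ev.event_id]} "
              f"instance-aware={result['instance_aware'][ev.event_id]}")
    print("missed by domain allowlist:", result["missed_by_domain_allowlist"])
```

Events 2 and 3 are the interesting ones: both go to hostnames on the allowlist with a valid certificate, so the hostname-only gateway allows them, yet one is source code landing in a non-corporate SharePoint tenant and the other is PHI sent from a personal Gmail account. The decision has to be keyed on the instance and the data classification, not on the domain, which is the shift toward identity, app and data controls the article describes.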


© 2024 Professional Security Magazine. All rights reserved.
