COVID-19 is a global macro event unlike any we have witnessed in our lifetime. While previous macro events such as the global financial crisis of 2008 certainly had a tremendous business impact and long-lasting effects, this COVID pandemic is different. Most businesses sent their staff home to continue their daily activities. That initial disruption has been well documented, with businesses needing to make sure their newly minted home office workers had secure internet connections and the necessary hardware required to do their jobs.
As we moved through the pandemic, many businesses changed their business models to work in what is fast becoming our new normal. For many businesses that did not pivot quickly enough, we, unfortunately, saw their demise. Businesses that ceased to exist have abandoned their offices – some with unpaid leases. Within these abandoned offices, there may be unclaimed equipment, providing a portal into a treasure trove of data such as personally identifiable information (PII) like credit card information, addresses, medical records, and more. Abandoned systems can offer open ports to websites that once may have housed company information and e-commerce transaction software. Businesses that are still viable may also see the same types of risk since offices have most likely been unattended for over a year.
The risks of a broken lock
A physical adversary can break a real lock, walk into an office, and gain access to the company network undetected. If a company has gone out of business and abandoned its physical space as well as its computing equipment, a very real scenario is a physical breach leading to a cyber breach. Even if a company has gone out of business, its website may still be active and attracting visitors. In this case, either a cyber or physical adversary can gain root access and install malware on a website, add a few lines of code to an application to exploit vulnerabilities, and ultimately launch attacks from a defunct business. Of course, stealing physical assets is always a risk, but with many abandoned offices and hardware, now is a time when the physical criminal may strike to create a cyber incident.
We should also consider those employees who keep their passwords on sticky notes concealed under the keyboard. This gives the physical or cybercriminal an easy entry into systems. Take this a step further, and that criminal can probably access other accounts belonging to the person who hides their passwords on sticky notes. These people are likely to use the same password in multiple locations – professionally and personally. So, if a physical or cybercriminal finds a hidden password for work, the path of least resistance is to try that password for personal accounts such as banking and healthcare. These seemingly innocuous bits of information could be troublesome for individuals whose PII is exposed or for websites that could be altered to deliver malware and ransomware to unsuspecting visitors.
Time will expose additional threats
As the pressures of the COVID-19 pandemic begin to lift, other dangers will emerge as companies adapt to a hybrid work model or shift to an entirely remote workplace. Perhaps a physical or cybercriminal installs malware on the website of a defunct business. The root cause of that malware may not be discovered for quite some time, and therefore the extent of such a breach may not be realized until it's too late to minimize its impact. Organizations should create a map of websites where their vendors may have ceased business operations and make sure they are not a target for cybercriminals via their sites. Likewise, with applications, businesses working with vendors that have ceased operations should make sure they are not using applications that have been tampered with and may include malicious code.
Some of these abandoned assets may also be sold without a complete wipe of hard drives on which physical or cybercriminals have installed viruses or malware. Some of these criminals may use the abandoned hardware to connect to a third-party supplier or vendor and install malicious code or malware. The cascading effects across third parties may be serious and take time to decode with cyber forensics. To avoid spending the immense time and effort needed to discover such threats, all hardware should be wiped clean before being re-issued, which will require a collaborative effort with security and IT teams.
As an industry, we have not seen this problem at scale, but abandoned offices, abandoned assets, and out-of-business companies are a ripe target for cyber adversaries. As organizations consider an ongoing remote working environment or even a hybrid approach, they should also consider the very real possibility of unattended offices that could unlock a plethora of security vulnerabilities – be sure to take caution now as transitions continue.
Theresa Lanowitz is Head of Cybersecurity Evangelism at AT&T Cybersecurity.