The worst-case cyberattack scenario for a corporation is no longer that a cybercriminal hacks into your network and steals your data, says Tom Kellermann, head cybersecurity strategist at VMware Carbon Black.
“It’s not about whether your data will be stolen or destroyed,” he said. “It is whether your entire brand, your digital persona, your transformation efforts will be used to attack your customers and your partners. There’s no coming back from that. And that is becoming par for the course now in how these miscreants operate.”
And, he adds, the newly remote workforce exacerbates this threat because it massively expands the attack surface. Companies’ security analysts, who are also working remotely, need to protect and hunt for threats across home infrastructures, laptops, tablets, and mobile devices outside of the usual boundaries because cybercriminals are hunting large enterprises at their executives’ homes.
FBI Issues Teleworking Warning
The FBI warned on April 1 that it expects cybercriminals to target businesses and government agencies working from home during the COVID-19 pandemic. “In recent weeks, cyber actors have engaged in phishing campaigns against first responders, launched DDoS attacks against government agencies, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices,” the alert said. “Based on recent trends, the FBI assesses these same groups will target businesses and individuals working from home via telework software vulnerabilities, education technology platforms, and new Business Email Compromise schemes.”
Staying safe and healthy — physical security to defend against COVID-19 — is everyone’s top priority right now, Kellermann said. “And the No. 2 priority must be the fact that their corporations are being hunted through their home.”
This requires a more holistic approach to security, or what VMware likes to call intrinsic or built-in security, he said. “There’s an over-reliance on [virtual private networks] to protect remote users. VPNs are not bulletproof, and greater attention needs to be paid to what type of cloud you’re going to employ. Not all clouds are created equal.”
Companies also need to secure their clouds, and they must increase visibility and security across all of these new endpoints where remote workers store and access corporate data and networks. Capturing unfiltered data on the endpoints is “imperative” because it helps security teams identify any unusual behavior that could indicate an attacker has hacked the device and has access to the corporate network, Kellermann said.
Threat Hunting at Home
He suggests conducting regular threat hunting exercises that include executives’ homes and devices they use at home — an approach that Kellermann admits “used to be taboo. But that needs to change.” Additionally, he advocates extending threat hunting exercises to enterprise supply chains and third parties such as outside general counsel and marketing firms as well as cloud services providers.
Integrated security controls are also a must-do. “If you’re using security controls to protect your workforce and they are not integrated, you’re already behind the ball,” he said. “Frankly, you never had enough personnel to man those controls to begin with and now it’s even worse because people are trying to monitor these things remotely.”
However, companies shouldn’t overlook basic security hygiene such as microsegmentation and updating VPNs, applications, and operating systems regularly. “Everything you use on a daily basis, just do it,” Kellermann said. “Turn everything on to auto-update, but some devices need to be manually updated like your router by unplugging it from the wall for 60 seconds. Those critical updates are basically steel plates on holes that hackers use to get in.”
Additionally, practice “digital distancing” of your networks, dedicating one network to work devices and the other to family and home devices. Consider what browser you use for work — Kellermann suggests Firefox. And don’t forget multi-factor authentication.
“I know this sounds like a lot, but your security team can’t go in and secure your home and your home network across the board if you’re a large organization or a large corporate entity,” he said. “You have to take on some of these responsibilities. We need to do a better job of actually checking our home to make sure no one is in it metaphorically prior to going to bed.”