As remote workers settle in at home, cybercriminals are also getting cozy.
If there’s one positive outcome from the Covid-19 pandemic, it’s that many business and organization leaders are now more confident their employees can be productive and successful from home. The perk that many have long struggled to attain is now becoming the new norm. But at what cost?
Over the last couple of months, more organizations have been safeguarding the health of their employees by allowing them to work at home. According to a recent Gallup poll, more than 60 percent of Americans say they’re working from home during the crisis. And three out of five prefer to stay there after public health restrictions are lifted.
CFOs are also benefiting from this shift as they see an alternative to money spent on office space and utilities. According to a recent Gartner CFO survey, 74 percent of CFOs expect that five percent of their employees will never return to their regular office environments.
So, thanks to the internet and cloud-based applications, collaboration and video conferencing tools, employees can be productive from anywhere. Meanwhile, cybercriminals around the world are also more productive in this new landscape, exploiting a perfect storm of distracted workers, unsecured Wi-Fi connections, and unapproved personal devices to create a new pathway from the cloud to corporate networks.
Since the start of Covid-19, attack volumes have climbed: cybersecurity solutions provider Trend Micro detected more than 2 million ransomware attacks in February, and the IT security company VMware Carbon Black reported a whopping 148 percent increase in March.
The most common tools cybercriminals are using include phishing, where they pose as someone else or as a legitimate source to lure employees into providing sensitive data; ransomware, where malware is introduced into a system and encrypts the victim’s files until a payment is made for a decryption key; and business email compromise (BEC) attacks with emails impersonating a company’s supervisor, CEO or vendors.
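The phishing and BEC patterns described above (a sender posing as an executive, a link that does not go where it says it does, pressure to pay quickly) can be checked for mechanically at the mail gateway or in a help-desk triage script. The following is an added example, not code from the article or from any vendor it quotes; the corporate domain, the executive directory and both sample messages are constructed for illustration, and the heuristics are deliberately simple so the logic is easy to follow.

```python
"""Triage heuristics for the impersonation patterns the article describes:
display-name BEC, mismatched Reply-To, urgency language, and links whose
visible text names a different host than the href. Added example; all
domains, names and messages are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain and executive directory (hypothetical values).
CORP_DOMAIN = "example-corp.test"
EXECUTIVES = {"dana ortiz": "dana.ortiz@example-corp.test"}

URGENCY = re.compile(r"\b(urgent|wire transfer|gift cards?|right away)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def text_body(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    findings = []

    # BEC: display name matches a known executive but the address does not.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # Replies silently redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender_domain}")

    # Pressure language in subject or body.
    body = text_body(msg)
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency / payment language present")

    # Link text that names one host while the href points at another.
    for href, label in ANCHOR.findall(body):
        label = label.strip()
        if not LOOKS_LIKE_URL.fullmatch(label):
            continue  # plain words like "click here" carry no host to compare
        shown = urlparse(label if "://" in label else "http://" + label).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample: an executive-impersonation message with a deceptive link.
BEC_SAMPLE = """\
From: "Dana Ortiz" <dana.ortiz@mail-example.test>
Reply-To: dana.ortiz.ceo@webmail-example.test
To: accounts@example-corp.test
Subject: Urgent wire transfer before 5pm
Content-Type: text/html

<p>Please process this right away. Confirm via the
<a href="http://example-corp.test.portal-login.test/pay">https://example-corp.test/portal</a>.</p>
"""

# Constructed sample: a routine internal message that should not be flagged.
BENIGN_SAMPLE = """\
From: "Dana Ortiz" <dana.ortiz@example-corp.test>
To: accounts@example-corp.test
Subject: Agenda for Thursday
Content-Type: text/plain

Slides are on the intranet: https://intranet.example-corp.test/q3
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

Each heuristic alone is weak (executives do send urgent mail, and marketing links legitimately route through tracking hosts), which is why the function returns findings rather than a verdict: two or more together are what should route a message to a human reviewer, and the display-name match against a maintained executive list is the single most reliable of the four.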
Before the pandemic, organizations worked to combat these attacks by securing office-based workers behind a security fence of access-point protections and IT security compliance measures. Now with workers at home, those points of security are more difficult to maintain, and a compliance frame of mind is tougher to enforce.
According to Datto, which provides data protection solutions, home office networks are 3.5 times more likely than corporate networks to be infected by malware. These risks expose corporate assets, which typically sit behind a company firewall, to a world of cyber threats.
Many of these vulnerabilities are created when remote employees combine work and personal devices to conduct work over unsecured home networks. Any device such as a thumb drive or a gaming device can become infected with malware and connect to a company’s network through an unsecured home network and a work laptop.
“The situation becomes even more challenging when remote employees use personal devices for work-related tasks, or there are several devices and users of varying technological skill using the same home network,” said Ryan Weeks, chief information security officer (CISO) for Datto. “It becomes infinitely more difficult to control the flow of potential threats coming across the network. Personal devices are a threat because an organization cannot vouch for what security software or updates have or have not been installed.”
Distracted employees and unsecured home networks are a dangerous combination that can potentially open new access points for cybercriminals. In the office, employees are usually focused on the work at hand and are aware of the constant presence of firewall restrictions and company policies that might block access to certain websites and use of personal devices.
However, anyone at home can be distracted by children or household issues and click into an email link that leads to a compromised website—especially on personal smartphones. It’s also easy to use a work laptop to switch between business and personal emails. All of this opens new attack surfaces where an innocent-looking link can usher in a phishing or ransomware attempt.
“When working at home, the risks are so much higher because you have an uncontrolled network of unapproved devices and users,” said Frank Krieger, a CISO consultant. “All it takes is for someone’s kid to download something on their device that contains malware that pings other devices on the home network, ultimately reaching a work laptop and installing something there. While your office might be a more controlled and secure environment, at home where your personal and work digital lives intermix, it all gets a little more complicated.”
Remote workers are especially vulnerable to online communications and sites that impersonate Covid resources, tricking recipients into clicking malicious links that promise the latest infection figures for their area or information on stimulus funds.
“When you see links in your email with this kind of information, a lot of people are going to click into them,” Krieger said. “And those links are more likely to be clicked by someone viewing an email or text over their phones because we typically don’t spend as much time analyzing the source when using our personal devices. And that applies across all ages and generations.”
Video conferencing—now a mainstay for at-home workers—is also being exploited in what the FBI describes as “Zoombombing,” where hackers break into calls and video conferences with spam and hate messages. The same approach can be used to collect personal information or slip in code that opens the door to malware.
To help minimize these threats, Krieger recommends IT departments maintain weekly communications with safety tips, reminders and security alerts of recent hacking attempts. IT also needs to expand support skills and services to help employees understand how to secure their networks and implement practices to make their at-home work environment more secure.
“This is going to be a learning experience for IT professionals because they will have to change the way they support employees,” he said. “They too will have to evolve from a delineation between work and home and become more responsive and experienced in helping employees remotely in their home environments.
“Because we probably won’t see a massive return of people to their traditional offices, companies should use the money they’re saving and apply that to their IT security and support resources to be prepared for the next big disruption.”