As remote workers settle in at home, cybercriminals are also getting cozy. Know the security tips to stop them.
If there’s one positive outcome from Covid-19, it’s that many businesses are confident their employees can be productive from home. The perk that many have long struggled to attain is now becoming the new norm. But at what cost? Read on for security tips to help safeguard your business.
More organizations are safeguarding the health of their employees by allowing them to work at home. According to a recent Gallup poll, more than 60 percent of Americans say they’re working from home during the crisis. And three out of five prefer to stay there after public health restrictions are lifted.
CFOs are also benefiting from this shift as they see an alternative to money spent on office space and utilities. According to a Gartner survey, 74% of CFOs expect that 5% of their employees will never return to their offices.
So, thanks to the internet and cloud-based applications, collaboration and video conferencing tools, employees can be productive from anywhere. Meanwhile, cybercriminals are also more productive, exploiting a perfect storm of distracted workers, unsecured Wi-Fi connections, and unapproved personal devices.
Cybercrime of the Times
Since the start of Covid-19, cybersecurity solutions provider Trend Micro detected more than 2 million ransomware attacks in February, and IT security company VMware Carbon Black reported a whopping 148% increase in March.
The most common tools cybercriminals employ are phishing, in which an attacker poses as someone else to lure employees into providing sensitive data; ransomware, in which malware is introduced into a system and encrypts the victim’s files until a payment is made; and business email compromise (BEC) attacks, in which emails impersonate a company’s supervisor, CEO or vendors.
Before the pandemic, organizations worked to combat these attacks by securing office-based workers behind a security fence of access-point protections and IT security compliance measures. Now with workers at home, those points of security are more difficult to maintain, and compliance is tougher to enforce.
According to Datto, home office networks are 3.5 times more likely than corporate networks to be infected by malware. These risks expose corporate assets, which typically sit behind a company firewall, to a world of cyber threats.
The Vulnerable Network
Many of these vulnerabilities are created when remote employees combine work and personal devices over unsecured home networks. Any device such as a thumb drive or a gaming device can become infected with malware and connect to a company’s network through an unsecured home network and a work laptop.
“The situation becomes even more challenging when remote employees use personal devices for work-related tasks, or there are several devices and users of varying technological skill using the same home network,” said Ryan Weeks, chief information security officer (CISO) for Datto. “It becomes infinitely more difficult to control the flow of potential threats coming across the network. Personal devices are a threat because an organization cannot vouch for what security updates have or have not been installed.”
Distracted employees and unsecured home networks are a dangerous combination that can potentially open new access points for cybercriminals. In the office, employees are usually focused on the work at hand and are aware of the constant presence of firewall restrictions and company policies that might block access to certain websites and use of personal devices.
Anyone can be distracted by children or household issues and click on an email link leading to a compromised website. It’s also easy to use a work laptop to switch between business and personal emails. All of this opens new attack surfaces where an innocent-looking link can usher in a phishing or ransomware attempt.
(Lack of) Remote Control
“When working at home, the risks are so much higher because you have an uncontrolled network of unapproved devices and users,” said Frank Krieger, a CISO consultant. “All it takes is for someone’s kid to download something on their device that contains malware that pings other devices on the home network, ultimately reaching a work laptop and installing something there. While your office might be a more controlled and secure environment, at home where your personal and work digital lives intermix, it all gets a little more complicated.”
Remote workers are especially vulnerable to online communications and sites that impersonate Covid resources to trick recipients into clicking on malicious links for the latest infections in their area or information on stimulus funds.
“When you see links in your email with this kind of information, a lot of people are going to click into them,” Krieger said. “And those links are more likely to be clicked by someone viewing an email or text over their phones because we typically don’t spend as much time analyzing the source when using our personal devices. And that applies across all ages and generations.”
Video conferencing is also being exploited in what the FBI describes as “Zoombombing,” where hackers break into calls with spam. The same approach can be used to collect personal information or slip in code that opens the door to malware.
Safety First: Security Tips
To help minimize threats, Krieger recommends IT departments maintain weekly communications with security tips and alerts of recent hacking attempts. IT also needs to expand support skills and services to help employees understand how to secure their networks.
“This is going to be a learning experience for IT professionals because they will have to change the way they support employees,” he said. “They too will have to evolve from a delineation from work and home and become more responsive and experienced in helping employees remotely in their home environments.
“Because we probably won’t see a massive return of people to their traditional offices, companies should use the money they’re saving and apply that to their IT security and support resources to be prepared for the next big disruption.”