Many chief information security officers (CISOs) sacrificed cybersecurity as a major priority in an effort to enable employees to perform remote work when the COVID-19 pandemic hit. Much of the workforce plans on operating this way after the lockdown, and at least half of the business leaders will allow them to do so. For cyber criminals, this means a larger array of potential targets, and for cybersecurity specialists a bigger surface area to protect.
The rapid shift to home offices and the changing remote work environment have taken their toll on cyber protection. According to a study by IBM, 45% of employees admit to having received no new training before going remote, making it easier for cyber criminals to attempt a data breach and compromise valuable information.
“With more employees working remotely, more devices are connected outside of the secured corporate network. That means corporations no longer have control over the infrastructure their staff use for work,” said Juta Gurinaviciute, chief technology officer at NordVPN Teams. “People may work on their personal computers, neglect digital security requirements, connect through unsecured Wi-Fi hotspots and therefore grant bad actors access to the internal business networks. And if you had 3,000 employees, now you have 3,000 offices to look after.”
Cybersecurity risks posed by remote work can be classified into three key areas: people, places and technology. To prevent cyber threats, each has to be addressed in every home office.
5 weak cybersecurity links of the home office
1. Multiple personal devices. Every internet-connected gadget is a potential hazard as hackers can utilize its vulnerabilities to gain access to personal or business networks. At home, employees may use a variety of electronic devices for work purposes: they could check workplace chats on phones, write emails on personal tablets, and access cloud services on a laptop. And even if the latter has sufficient protection, the former two may lack security layers needed to establish a completely secure connection. When the workforce moves to their home offices, enterprises should provide them with all the working equipment needed. If that’s impossible, predetermined security policies governing the use of personal devices for work purposes should be implemented.
“One of the imperatives for workers should be constant patching of their devices. Hackers are constantly on the hunt for software vulnerabilities, whereas vendors are trying to fix those bugs as soon as possible. However, if the end users fail to update their devices, exposures remain, and all it takes is one click or an opened file for cyber criminals to gain access. With a compromised device they are able to reach sensitive data on the corporate network,” said NordVPN Teams’ expert.
2. Insecure infrastructure. Employees access data on company servers and the cloud using their insufficiently secured home networks. Even if enterprises require staff to use virtual private networks (VPNs) as a secure gateway, VPNs cannot solve hardware-related issues. Consider Wi-Fi routers, for example: even if the connection is secured with a strong Wi-Fi password, access to the router’s settings might be protected by a simple ‘admin’ password alone. Also, domestic devices are usually protected by weaker protocols, such as WEP instead of WPA2/3, so hackers can get their hands on the network traffic more easily.
“The shortest password allowed on WPA2 protocol is eight characters, yet it should be 14-15 characters long to defend the network against brute force guessing. Most devices come with predefined 8-character alphanumeric passwords which are easy to hack,” Gurinaviciute said.
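The router weaknesses named in point 2 (WEP, an 'admin' settings password, a short Wi-Fi passphrase) can be checked mechanically. The following is an added example, not part of the original article: the settings dictionary, its key names and the default-password list are hypothetical and constructed for illustration.

```python
import math
import string

# Assumptions for this sketch: the settings dict and its key names are
# hypothetical, and the default-password list is a small constructed sample.
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}
WEAK_PROTOCOLS = {"OPEN", "WEP", "WPA"}   # older than WPA2/WPA3
WPA2_MIN_LEN = 8                          # shortest passphrase WPA2 accepts
RECOMMENDED_LEN = 14                      # lower end of the 14-15 advised above

def search_space_bits(passphrase):
    """Bits of brute-force search space, assuming every character was picked
    at random from the character classes that appear in the passphrase."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def audit_router(settings):
    """Return a list of findings for one home router's settings."""
    findings = []
    protocol = settings.get("encryption", "OPEN").upper()
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"encryption {protocol} is weak; switch to WPA2 or WPA3")
    psk = settings.get("wifi_passphrase", "")
    if len(psk) < WPA2_MIN_LEN:
        findings.append("Wi-Fi passphrase is shorter than the WPA2 minimum of 8")
    elif len(psk) < RECOMMENDED_LEN:
        findings.append(f"Wi-Fi passphrase has {len(psk)} characters "
                        f"(~{search_space_bits(psk):.0f} bits); use {RECOMMENDED_LEN} or more")
    if settings.get("admin_password", "").lower() in DEFAULT_ADMIN_PASSWORDS:
        findings.append("router admin password is a factory default")
    return findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real device.
    home_router = {"encryption": "WEP", "wifi_passphrase": "a1b2c3d4",
                   "admin_password": "admin"}
    for finding in audit_router(home_router):
        print("-", finding)
```

The bit estimate is an upper bound: factory-set or human-chosen passphrases are less random than the formula assumes.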
3. Increased data-sharing. Working on-site, employees share important data over the intranet and other internal network structures. Now all the information travels through the public internet with malicious actors around, increasing the risk of exposure. Cyber criminals can utilize numerous weak spots that appear along the way from the end user to the company servers. Employees share the most important (or even confidential) information through emails and phones without being aware of it, and this calls for a secure digital perimeter. Workers should be encouraged to use VPN services and share files only through secured channels. Many businesses now rely on cloud-based solutions; however, they should also be warned that hackers leveraged increasing remote workloads and performed 7.5 million external attacks on cloud accounts in Q2 of 2020.
“To mitigate the risks brought on by the increased online traffic, enterprises should implement zero trust privileges. This means that a user is granted access privileges for one particular task and they last only for the time needed to complete it. Therefore, if hackers compromise the credentials, they wouldn’t do much harm as they could only access a small fraction of sensitive data,” Gurinaviciute said.
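The task-scoped, time-limited privilege described in the quote above can be sketched as a signed grant that is checked on every request. This is an added example, not part of the original article or any NordVPN Teams product: the function names, claim fields and signing key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a constructed demo key; a real access broker keeps this secret.
SIGNING_KEY = b"constructed-demo-key"

def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()

def issue_grant(user, task, resource, ttl_seconds, now=None):
    """Issue a signed grant for one task on one resource, valid for ttl_seconds."""
    now = time.time() if now is None else now
    claims = {"user": user, "task": task, "resource": resource,
              "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _sign(body)).decode()

def check_grant(token, task, resource, now=None):
    """Return (allowed, reason); deny on tampering, expiry or scope mismatch."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().rsplit(b".", 1)
    except ValueError:
        return False, "malformed"
    # Verify the signature before trusting anything inside the token.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["task"] != task or claims["resource"] != resource:
        return False, "out of scope"
    return True, "ok"

if __name__ == "__main__":
    # Constructed scenario: a 15-minute grant for one report export.
    token = issue_grant("alice", "export-report", "finance/q2", 900, now=1000)
    print(check_grant(token, "export-report", "finance/q2", now=1100))
    print(check_grant(token, "export-report", "hr/payroll", now=1100))
    print(check_grant(token, "export-report", "finance/q2", now=1900))
```

A stolen grant is useful only for the named task and resource, and only until it expires, which is the limit on damage the quote describes.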
4. Susceptibility to social engineering. Verizon’s “2020 Data Breach Investigations Report” finds that almost a third of the data breaches incorporated social engineering techniques. While antivirus software, firewalls or VPNs can take care of your infrastructure, they cannot be installed on the human brain and prevent social engineering attempts. Hackers forge emails from other institutions or impersonate colleagues (even the CEOs!) to get employees to open a corrupted file or click on a malicious link. At home, there’s no one to consult with and the load of digital information is bigger, thus people fall victim to these scams more frequently. Cyber criminals tend to trigger certain behaviors and emotions to encourage the victim to take action: consider, for instance, ‘the urge’, which is characteristic of most social engineering methods.
5. Complicated IT support. In the office, the cybersecurity team and IT support are always at hand, so they can fix a problem immediately. Remote employees also require IT support, especially when considering the security measures they should take. Yet logistical challenges prevent the IT team from always being present. In the event of a data breach, it is harder to act immediately, as security experts cannot stop all cyber attacks remotely. This can lead to devastating consequences. Kaspersky’s report shows that a data breach costs $28K if dealt with immediately, and $105K if undetected for more than a week.
“Some of the breaches might go unnoticed for a long time, with ransomware gathering a company’s data, or malware compromising internal networks. On the other hand, sometimes an ongoing attack can be indicated by newly appearing programs which were not deliberately installed by the user. In some cases, the computer slows down, strange pop-ups flood the screen, or the user loses control of the mouse or keyboard. If any of these signs appear, employees should immediately inform the security team,” Gurinaviciute said.
COVID-19 has set a new baseline for effective and secure remote work and many cybersecurity leaders have adapted to a “new normal.” Now it’s time to involve each employee in building an organization’s digital resilience and creating business value.
“Even if a company plans to move back to the office as soon as possible, WFH policy should remain intact. The investments made in these turbulent times, and the lessons learned, will contribute to lasting cyber resilience. Both IT professionals and employees have had a final rehearsal in shifting to the workplace of the future,” Gurinaviciute said.