Let’s face it; Covid-19 is a game changer like none other, that many have had difficulty adapting to. The challenges it's presented, to organizations, as well individuals, and even governments have forced everyone to adapt or suffer (and sadly, yes, even perish). We hope with all our heart, you have not lost loved ones. We also hope your business endures. It’s with this sentiment that this piece is written, because unfortunately, there exists new cyberthreats and opportunities for too many bad actors to take advantage of these challenges. Provided below are some of the challenges that the Work From Home (WFH) business model, that so many organizations have been forced to adopt or expand, need to consider relative to their state of cyber security.
Where WFH cyber security threats reside
Beware the Spear-phisher
Cybersecurity is no longer just about firewalls, staying clear of unsecure sites, and not opening documents or accessing links from suspicious emails (but make no mistake, these still remain critical steps needed to mitigate threats) Business email compromise (BEC) security and risk management programs are a new priority for all organizations, big and small now.
It’s as much about controlling information available on the web and more specifically on Social Media Sites (SMS). Today’s hacker/scammer is far more insidious and sophisticated. Far too many examples (and the list is growing) in which security breaches originate in large institutions because of a cyber spear-phishing, or social engineering,
These attack vectors or social engineering scams are often derived through social media details and other public sites with information too readily available. Personally Identifiable Information (PII) exposed across social media, provides details for hackers and scammers to acquire unique and personal information- that most all - is trusted information or close (spoofed) contacts relative to the user. These details are aggregated from numerous SMS and website access points are then used to target specific victims, with well crafted and more plausible messages (usually through email, but sometimes via SMS platform as well). This is just one reason to avoid accepting friend requests from strangers (or at least without being able to confirm validity of sender).
Individuals can reduce SMS exposure by fully understanding websites and platform settings, as well as avoid posting personal details that could be easily scraped by hackers and then used against them. Organization can mitigate exposure by having comprehensive policies outlined for both internal and external SMS best practices. The threat and ramifications of lax policies are very real. Even tech monoliths such as Twitter are susceptible to spear-phishing attacks(July 2020) resulting in online ransoming. You do not want to be on this list of those who have fallen prey.
Reduce threat of potential email attacks
While it might seem obvious to some - the point simply cannot be emphasized enough, never open attachments or links from suspicious emails. While most people generally understand this, where they fail to execute is in recognizing suspicious emails that look a more legitimate and have seemingly relevant messages.
For example, most people are likely to immediately recognize a fake email from an unknown deceased relative, from a foreign country, who happens to be a billionaire, and just randomly in Christian faith, decided to leave you all his money, while never even addressing you by name, AND demonstrating the grammar and writing skills of a 5th grader. Right? By now, we’ve all seen this and (hopefully) have gotten wise to the fact that this is a scam.
But what about the email purporting to be from Amazon, or Fed Ex or your Bank? These are just some of the examples of how PII is used to propagate spear-phishing email attacks. Do you or your employees have the savvy to recognize some of the hallmarks to identifying fake emails (i.e. identifying email source beyond the email alias reflected, misappropriated logos, vernacular, font, etc. – see here for example)? You might be surprised how many people are unaware of the simple means to identify emails that are well crafted scams. Mitigating exposure to PII helps reduce potential of receiving malicious emails. By minimizing the data publicly available found on SMS, one also minimizes exposure to spear-phishing, but the tell-tales to fraudulent emails exist and recognizing the attack is equally critical to avoiding downstream consequences.
Avoid opening suspicious links from emails, or instant messages. If a URL doesn’t look familiar, or if it’s sent as a shortlink (such as a Bitly URL), assume it is a scammer and review it as such. If need be, seek verification with your source to verify its validity, but DO NOT RESPOND DIRECTLY TO SAID EMAIL. Rather, seek an alternative means of contacting the purported sender; if it’s a legitimate business, there should be a phone number, if it’s a friend or family, it’s likely you have means to contact them another way (i.e. phone number, alternative email, SMS connection). Opening an email attachment or link can be the same as opening Pandora’s Box and is best left untouched or deleted entirely.
Endpoint and VPN security challenges
The challenges and security risks associated to endpoint security risks are vast and can lead you quickly down the rabbit hole as soon as you dive deeper to explore them. Beyond technical functionality, there is also the issue of end-user proper use and adoption. This means that not only are there increase strains around the hardware/software, but there is the added pressure that employees may not be effectively using all of them correctly or with current version updates (typically deployed to address performance and/or security issues). The WFH model negates the luxury of on-site IT personnel and emphasis of security best practices. The following is just a brief list of such concerns as identified by Security Magazine:
- In the rush to equip employees at home, laptops have been issued without security software or standard installs.
- Highly likely that multiple vulnerabilities exist on an employee’s home network (WEP vs WPA vs WPA2 networks – where WPA2 is the most secure Wi-Fi network option but many homes use the less secure WEP or WPA)
- Increase IT administrator burdens largely due to disjointed systems, and unfamiliar environments and networks
- Uncertainty of employee’s endpoints configuration and successful updating patch installs.
All of these points are compounded by stress that working in the Covid environment is creating on Virtual Private Networks (VPN). At the offset of US pandemic states shut down (the week of March 9-16, 2020) VPN usage grew 53% over the course of the week. While much of the country has since opened back up, the levels of WFH remain high and with this comes continued VPN stress and subsequent issues. Collectively, these present security and network issues that all warrant individual attention and concern.
VPNs are critical to securely working from home. They are the tether connecting WFH employees to enterprise encrypted networks. However, many employees access online via Wi-Fi that increase risk to being infected with malware, or compromised hardware that can be exploited for staging attacks through machines with VPN termini. Where compromises exist, hackers can stow-away on a system’s VPN. It is therefore critical that endpoint integrity review and strong authentication protocols are implemented for those organizations leaning heavily on VPN usage; even more-so during this Covid based WFH environment.
WFH shift; resources are being reallocated
As concerns around exposure to cybersecurity threats increase due to expanded WFH models, so to have organization’s allocation of resources. My former colleague, Derek Brink, Sr. VP & Research Fellow covering topics in IT Security, and Harvard Professor, has recently produced extensive research on the topic of IT security trends highlighted in The State of Information Security During the Economic Downturn (June 2020). Brink surveyed 1393 corporate IT strategies in 37 different industries and produced extensive results.
One of the intriguing trends his data revealed was that pre-Covid (entering 2020) IT security capability resources were essentially more proactive (top of the line oriented towards Identifying threats and Protection) with 55% of resources allocated in this segment. Conversely, only 45% of resources was allocated towards reactive measures (below the line such as Detect, Respond, Recover). However, by Q2 2020 the level of allocation had shrunken more evenly with 51% proactive, 49% reactive (see table 1).
Table 1: Allocation of Resources Towards IT Security (Capabilities)
Source: Aberdeen Group (2020)
The value in this data is the illustration of the resource transition. IT is now addressing or responding to Detect, Respond and Recover from incidents where prior to 2020, more resources and attention was focused upon proactive mitigation, rather than after the fact. Ideally, business and organizations will inherently seek to get ahead of such problems, but the Covid-driven WFH environment is beginning to put organizations IT security on their heels.
What should your organization do to mitigate WFH cyber-security risks?
Re-enforce best practice policies around cyber spear-phishing and email protocols
The evolving WFH business model requires an equal evolution of security policies and procedures. Corporate governance and IT can take many approaches to enhance cyber-security measures. Companies should maintain full visibility into all brand channels, and executive accounts where necessary.
Additionally, there needs to be an increased emphasis on individual responsibility to engage best practices to mitigating risk. Remind them of their personal responsibility to remain vigilant and informed about the latest cybersecurity trends, threats, as well as be mindful about what they post on their social media accounts and the potential downstream insights and data they may provide. Individuals ought to take self-assessments such as the one found here (see PiiQ’s safe social media policy-checklist).
Review WFH related resource allocation, revise where necessary
As WFH business models continue to gain traction, and become increasingly the new normal, it’s more important than ever, to ensure that budgetary, technical and technology resources are reallocated where needed. As shown, there is relevant data indicating this pivot is already underway within many organizations. If IT and security resources have not yet been thoroughly reviewed in conjunction with WFH-related changes, ensure that appropriate revisions are made accordingly.
The preliminary data shows that there has already been an adjustment in resource allocation that skews towards Detection, Recovering and Responding to security based measures. This keeps in line with many of the end-user issues presented. It is, however, possible to get ahead of such issues by ensuring best practice guidelines are reviewed and enforced. Additionally, taking pro-active measures, such as engaging in analytical PII analytical assessments, such as those offered by PiiQ (click here to see PiiQ Spear). Such evaluations can provide insights to the potential levels of exposure as well as the locations of where such online PII exposure resides.
Covid has forced everyone to greater respect unforeseen threats and viruses. It’s all anyone can do today, just to keep healthy. The same is true with business, especially those which have embraced the work from home business model. Take the necessary precautions to mitigate risk. Please be safe, stay secure and strong.
