Remote-working leaves businesses increasingly vulnerable to cyber attacks, say experts
Enabling your employees to work remotely could create a cyber security risk and potentially damage your business, according to security experts.
Before the pandemic most people worked in offices where the IT team oversaw a traditional hub-and-spoke model. This meant emails, video meetings, instant messaging and document management were directed through a central security point.
Yet in a home-working world, employees, devices and the cybersecurity team are dangerously separated — and this has increased the threat from cyber criminals.
“During the pandemic we’ve seen a big jump in both email phishing attacks and mobile phone scams (known as ‘smishing’),” said Tom McVey, solutions architect at Menlo Security. “These messages, such as an email about the COVID-19 vaccine or text messages about failed courier deliveries from Amazon, seem genuine to the untrained eye. Look more closely and you see they contain malicious links that lead to scammers’ websites.”
There has certainly been a rise in credential phishing where cyber criminals create fake login pages or forms to steal credentials. As well as commonly used cloud services like Office365 and Adobe, the criminals are utilizing cryptocurrency wallets which are increasingly popular.
According to the 2020 Verizon Data Breach Investigations Report which analysed 32,000 security incidents, 67% were caused by credential theft, phishing and business email compromises.
One problem is that employers and workers can rely too heavily on the IT department to plug any security gaps. Yet the most likely overwhelmed IT guys are busy keeping the business running as everyone has moved to remote working and can struggle to keep on top of every cyber threat.
It could be time to bring in expert help.
“The pandemic has handed businesses an opportunity to question their legacy cybersecurity practices and processes. If your systems were previously created around protecting users in an office, it’s time to rethink,” said McVey.
He recommends that companies move to a cloud-based web isolation solution and spend more time analyzing web browsers for vulnerabilities. Businesses should also ensure their online security policy is up-to-date and that staff follow it, he said.
One of the biggest threats to companies from employees working at home can come from outdated routers provided by broadband providers. These old routers let hackers spy on users when they are online and can direct them to scammers’ websites.
Consumer body Which? investigated 13 commonly used, old router models in the U.K. and found that nine would fail new legal requirements due to come into force.
“Given our increased reliance on our internet connections during the pandemic, it is worrying that so many people are still using out-of-date routers that could be exploited by criminals,” said Which? computing editor Kate Bevan. “Internet service providers should be much clearer about how many customers use outdated routers and encourage people to upgrade devices that do pose security risks.”
She believed that ISPs should also be clearer about when routers stop receiving firmware and security updates.
Another weak point in any home worker’s security can be the choice of passwords that are easy to guess. The cyber experts recommend two-factor authentication methods. This means having fingerprint or facial recognition as well as a password.
However, these do not always protect against phishing attacks.
At New Jersey-headquartered cyber resilience and threat mitigation firm Semperis, director of services Sean Deuby agreed that the biggest dangers come from insecure endpoints. These include employees’ own devices and home networks.
“The pandemic has pushed many organizations that were considering cloud service adoption but were hesitant, off the fence into at least partial use of these services,” said Deuby. “But many use VPNs to access the cloud services, thinking it’s more secure than direct access. This is often not the case and threat actors are targeting components (such as VPNs) that may have been implemented insecurely.”
He urged employers and employees to act quickly to plug potential security threats to ensure their businesses continues to operate safely and avoids any hack that may affect their clients.
Deuby cited the hack on U.S. information technology firm SolarWinds a few months ago which went undetected for many weeks and spread to its clients. U.S. officials believe the hack originated from Russia.
“COVID-19 related attacks will continue in 2021 with healthcare and pharmaceutical sectors continuing to be targeted,” he said. “We have seen supply chain attacks, while ransomware continues unabated because it works so well. In 2021, data extortion (exfiltrating data and threatening to expose if a company does not pay a ransom) is becoming the norm.”
Deuby added that most organizations focus on prevention and detection, but equal attention needs to be paid to recovery.
“In particular, the recovery of systems after a cyber disaster that can encrypt and destroy hundreds or thousands of systems in minutes. Can your recovery processes come back quickly from such an event?”
Cheat Sheet: How new antitrust bills could force more data access from Facebook and Google (and stop them from favoring their own services)
A set of bills proposed recently could force platforms to stop favoring their own services and give more data access and tech connectivity to others.
Single-source panel measurement is key to optimizing social media planning, says DISQO report
New study is based on responses from 166,000 U.S. consumers in February and March, each of whom voluntarily allowed to have their digital behaviors observed.
BuzzFeed will finally monetarily reward its Community users for their viral quizzes, lists
BuzzFeed is testing to see if user-generated content could identify new areas of coverage for its staff, and bring in niche audiences, with a new summer program that could pay a contributor up to $10,000 for a viral post.
SponsoredIdentity solution fatigue is setting in: How to keep moving
By Kristina Prokop, CEO and co-founder, Eyeota As we move deeper into 2021, the desperate search for identity solutions that can smooth marketing organizations’ transitions to a cookieless world is reaching a fever pitch. There’s no shortage of new identifiers and identity technologies vying for attention — and that’s a big part of the problem. […]
Cheat Sheet: How Shopify’s one-click checkout expansion could help Facebook, Google compete with Amazon
Shopify's Shop Pay option will compete with Amazon’s one-click buying button, potentially making it an even bigger competitor to the e-commerce giant.
The TV upfront marketplace is moving along at breakneck speed, and eye-popping ad-rate increases
The TV upfront marketplace is wrapping up at a fast clip, with media buyers paying significant increases to secure ad time for their clients.