Although we typically share research highlighting physical threats and acts of violence, we recognize that the shift in work environments has also moved the threat landscape to the home. As we know from experience, threat actors usually begin their target research by cyber-stalking their victims, e.g., looking for pictures, home addresses, etc. Therefore, it’s every practitioner’s responsibility to have the generalist knowledge that is needed to support stakeholders across the organization.
We are witnessing a transition to a hybrid work environment as a result of COVID-19, which is presenting a number of cyber risks for corporations and their employees.
- Not only do most remote employees lack proper cybersecurity awareness and training, but many are also forced to work on unsecured, personal devices making them more vulnerable to a cyber attack.
- Corporations will need to take a proactive approach to make sure remote employees are properly trained and have a secure setup to ensure long-term success.
How Has The Work Environment Changed?
COVID has reshaped and redefined the work environment forever. Since the start of the pandemic in March 2020, the majority of the global workforce has been forced to work remotely either permanently or temporarily for the foreseeable future. As unpredictable waves of the virus continue to hit the working population, employees have learned to adapt and become comfortable in their work-from-home (WFH) space.
As a result of this development, we have witnessed a transition to a hybrid workforce, with more than half of the working population wanting to work remotely even after the pandemic subsides. And researchers from Stanford are even predicting that many organizations will continue to have their workers work from home for one to three days per week even after COVID ends. Although the WFH environment provides several benefits such as flexibility, a customized workspace, and zero commute, specific policies will need to be addressed to make this transition as smooth as possible. One of the main policy issues that corporations will have to confront in this era is cybersecurity (which includes InfoSec).
Not only do the majority of remote workers lack proper cyber education and training, but many do not have company-owned/managed devices. Security Magazine recently reported that “56% of employees are using their personal computers” in the WFH environment. This utilization of personal devices is a significant factor contributing to the costs and risks associated with day-to-day business.
Employees which utilize personal devices are more vulnerable to cyber attacks (more so than employees with company-owned devices). This is in part due to employees using their private emails and messaging services and publicly sharing information on unprotected servers. Working on unprotected servers, or free Wifi networks, easily exposes employees to adversaries that might disrupt or steal data.
Other risk factors include:
- Dated software
- Public Wifi (such as in coffee shops)
- Inaccessibility to security tools such as antivirus software, a VPN, or protected firewalls (Network Security 2020).
For this reason, it is crucial that companies allocate the proper resources and funding to promote adequate security practices in the WFH environment. This will ensure a minimum standard of protection for the company in the long-term.
Why Are Cyber Threats Greater in the WFH Environment?
Before we dive too deep, it is important to address the following question: Why do adversaries target remote workers before in-office employees?
Remote workers are more susceptible to malicious cyber activity due to two main reasons:
- Lack of Cyber Awareness — More often than not, employees do not know what a cyber attack looks like, and therefore are more vulnerable to an attack (especially absent administrative oversight). Security Magazine recently estimated that nearly ¼ of employees working from home are not educated on security protocols for their machines and other devices. When users are not aware of cyber threats and vulnerabilities, they are more likely to open phishing emails, suspicious pop-ups, or download malicious software. During the COVID era especially, adversaries have been successful in their cyberattacks by advertising new information on the virus.
- Lack of Secure Setup — WFH employees tend to have unsecured Wifi networks, allowing adversaries to monitor their internet traffic and steal confidential information. Most employees do not follow basic requirements for securing their devices, such as utilizing two-factor authentication or a password manager. Additionally, workers that use personal devices tend to lack the proper security infrastructure that is necessary for preventing cyber attacks. When computers lack essential tools such as antivirus software and secure firewalls, it is easier for a type of malware to find its way onto the device. Examples of malware include: worms, viruses, ransomware and spyware — all of which jeopardize the confidentiality and overall viability of the company (Comparitech 2020).
What types of cyber attacks are impacting the WFH Environment?
Unfortunately, in this time of increased WFH activity, adversaries have found new avenues for targeting employees and compromising valuable data. Examples include:
- Zoom bombing and phishing attacks — Utilization of the conference app, Zoom, has become extremely common in the virtual work environment. Despite its growing popularity, Zoom still has its kinks, such as allowing so-called “zoom bombers” to interject in important conference calls. More specifically, adversaries have been able to successfully steal credentials and other valuable information from targets by interjecting inappropriate content to online meetings and conferences (Weil 2020).
- Phishing (COVID-19 phishing) — Research reveals that “around 300,000 fake websites were created in two weeks in March this year, trying to trick people worried about COVID-19 outbreak” (Network Security 2020). Adversaries target their victims with fake, malicious emails about new information on COVID, often appearing to be from the World Health Organization (WHO) or Centers for Disease Control and Prevention (CDC) (Weil 2020). Most of the time, users will open up the phishing email and any links or files attached to the email. Once the user makes this mistake, the adversary can successfully implement malware and steal the user’s credentials.
In the WFH environment, employees are at higher risk of an attack because they also lack person-to-person communication. More specifically, it is easier for a remote employee to fall victim to a phishing email, phone call, or other form of cyber attack because they do not see their coworkers in the office everyday as they did before. Thus, it is critical that remote workers receive the proper cyber security training so they can spot and avoid an attack that has the potential to damage the company.
Tips for Enhancing Security in the WFH Environment
There are several tips for employees to enhance the security on their devices in the WFH environment. The table below lists recommendations (sourced from GitHub) for securing assets from the most basic requirements (Level I) to more technical requirements (Level III).
Solutions for Corporations?
There are several steps that corporations can take to improve their cybersecurity resilience.
- Cyber Awareness Training — First and foremost, corporations should raise cyber awareness and provide training for all of their employees. In most cases, it is human error rather than technological vulnerabilities that cyber criminals exploit (Network Security 2020). Therefore, employees need to be educated on what a cyber attack looks like, where they occur, and how they happen.
- Secure Personal Devices — Not only should employees follow the tips in the table above, but they should also cultivate security conscious habits. These habits include: being extra cautious of phishing attempts and avoiding unnecessary email attachments, turning on log-in alerts & 2FA for social media platforms, never charging devices at public charging stations / ports (adversaries can steal your data), and ensuring that software is up-to-date at all times. By incorporating these simple habits into your daily routine, you can keep yourself, your coworkers, and your company out of danger.
- Allocate Proper Security Resources — Ultimately, corporations should be willing and prepared to allocate more resources and spending to cyber security. This includes providing employees with the most up-to-date software and secure devices, as well as the security infrastructure they need such as secure firewalls (to stop leakage from devices and prevent malicious programs from entering) (Deloitte 2020).
Corporations should also implement a virtual security help desk that helps remote workers with access issues or other security problems. This includes vulnerability management that allows security teams to scan employee machines for harmful malware or vulnerabilities. In addition, these security teams could easily monitor phishing attempts or conduct internal tests related to COVID.
By taking proactive steps for enhancing cybersecurity, corporations can enhance safety, security, and resiliency for the company and its employees in the long run. To learn more about adapting security to the needs of the remote workforce, watch our webinar on-demand Maintaining Security Vigilance in a Time of Crisis.