By Russ Banham
Perspectives
Consideration of the cyber risks of remote work is nothing new for company IT security professionals. For years, they’ve advised teleworkers on how to reduce the risk of a cyberattack targeting the corporate IT network from their homes. Never did they expect, however, the mass shift to teleworking nearly overnight.
With many workers across the country and the world complying with stay-at-home mandates, IT security leaders also working from home have their hands full trying to contain the risks outside of the secure office environment.
“The threat landscape has gone up exponentially,” says Ketan Pandit, Chief Information Officer at QBE North America, a large property and casualty insurance company. “We’ve seen a huge uptick in phishing attempts and DDoS (distributed denial of service) attacks from IP addresses completely outside the usual realm.”
Max Solonski, Chief Security Officer at publicly traded BlackLine, a provider of financial and accounting automation software, agreed the cyber risk environment has become more unsafe in today’s teleworking environment.
“It’s a challenge for some companies more than others, particularly those whose IT and InfoSec departments are unfamiliar with supporting and protecting employees working remotely,” he explains. “Since BlackLine is a distributed tech company, remote work is not a novel concept for our employees. Prior to the shelter-in-place mandates, many people routinely traveled on work assignments, and we’ve always allowed employees to work remotely at home on Fridays.”
Employees and IT personnel at other companies, however, may be doing this for the first time. “Their employees may not be able to identify a meticulously crafted cyberattack, and their IT teams may not have tools to detect and mitigate it,” Solonski says.
A Telework World
Another challenge is cyber risk training. Many employees at midsize and larger businesses are trained in cyber risk management and mitigation, but this training is generally confined to individuals with access to vital data, as well as employees who travel and otherwise do a fair amount of work outside the secure office environment. In fact, more than 33 percent of employees, according to a 2018 survey, receive no cyber risk training at all, with 16 percent receiving “a little.”
That’s not comforting now that nearly everyone is a teleworker. “In these days of the lockdown, we’ve got parents, kids, and even grandparents sharing devices using the same home-based network,” says Deb Holden, U.S. cyber risk services leader at accounting firm Deloitte. “The threat landscape has grown at an exponential pace to where it now commingles with our personal lives.”
Holden says, “We’ve reached the point where employee homes need to be as secure as the office.”
Mitigating the Risks
How might employees working from home offices, kitchens, and dining rooms inadvertently expose the corporate IT network and systems to a cyberattack? The biggest vulnerability is a successful phishing attempt. According to Barracuda Research, in the month of March alone, hackers launched more than 500,000 phishing attacks, marking an eye-opening 667 percent increase from the prior month’s statistics.
Approximately 9,000 of these phishing attacks were related to COVID-19. Hackers are sending emails offering needed supplies like face masks and toilet paper, home-based exercise tips now that gyms are closed, and ways to boost one’s immunity to stay healthy.
“Most everyone is in panic mode or on high alert from personal anxiety, and when they see something that promises help in some way, they don’t necessarily apply the same skepticism and distrust of a suspicious looking email that they normally would apply at the office,” Golden says.
Another possible aperture into company systems is the ubiquity of smart devices connecting to the internet over the home WiFi network. Smart systems for home monitoring and security, lighting, entertainment, appliances like dishwashers, and virtual personal assistants (VPAs) like Amazon Echo and Google Home have tiny microprocessors embedded inside them that are vulnerable to cyberattacks.
“As we move into this world of the IoT (Internet of Things), these devices pose a huge hacking risk,” says QBE’s Pandit. “Most smart devices are embedded with a default password that consumers do not change. And it’s easy for hackers to find these default passwords in the Dark Net.”
Fighting Back
What’s the optimal tactic to reduce the risk of inadvertently opening a pathway to an employer’s proprietary information assets? Multiple cyber security organizations are advising all companies to employ a dedicated Virtual Private Network (VPN), requiring teleworkers to use this network at all times outside the office. A VPN provides a securely encrypted, cable-like internet connection between a remote device and corporate servers, preferably in a highly-secure cloud environment.
This process is in place at QBE North America. “We require employees who’ve been given work-related laptops and tablets to use our VPN,” says Pandit. “This way, our IT security team and phishing monitoring tools can deploy real-time tests to detect phishing emails, preventing teleworkers from clicking on them.”
A Telework World
Another challenge is cyber risk training. Many employees at midsize and larger businesses are trained in cyber risk management and mitigation, but this training is generally confined to individuals with access to vital data, as well as employees who travel and otherwise do a fair amount of work outside the secure office environment. In fact, more than 33 percent of employees, according to a 2018 survey, receive no cyber risk training at all, with 16 percent receiving “a little.”
Solonski shares this perspective. “With the right controls in place, when a teleworker connects their work computer to the company’s VPN, IT security has the ability to protect the user with the company’s tools,” he says.
Regrettably, many companies do not have robust VPN solutions, configure them loosely, or even request that some employees use the VPN only in certain circumstances—to preserve bandwidth for other VPN users, explains Solonski. “In such cases, where work devices connect to a home WiFi network, the IT security team has no visibility, effectively disabling our ability to protect users from cyber threats,” he says.
The use of a VPN is so important that two days before nearly all of BlackLine’s employees were told to work at home, Solonsky sent an urgent email reminding them to connect to the company’s VPN.
“I wanted to be sure that all work went through the corporate network and was inspected by our corporate security devices,” he says. “When you connect to the VPN, you disconnect from the local network, making the cyber risk transparent and manageable for IT security.”
Not all VPNs are alike. Key considerations in choosing a VPN include requirements for multi-factor authentication before a user can access specific data, access control rules that specify which employees can access different data, and endpoint security—points of entry to the corporate network (like end-user laptops and tablets) that are secured to inhibit hackers from exploiting these devices.
The cyber risk experts provided a checklist of other smart tips for teleworkers to ensure a secure and productive work environment at home, including:
- Do not allow family members to use company-provided laptops, tablets, and phones.
- Employ strong WiFi, router, and modem passwords—and change them regularly.
- Update VPNs, remote work devices, and all smart home appliances, VPAs, and other devices with the latest software patches and security configurations.
- Enable multi-factor authentication on all devices, where available.
- To ensure reliable service, avoid unnecessary use of high-bandwidth applications like video streaming while connected to the company VPN.
- Alert employees to be on guard for an increase in phishing attempts, reminding them of the three typical components of a social engineering attack: unusual request, sense of urgency, and an appeal for you to take an action.
- Do not use personal devices, USB drives, or personal online storage services to store or transfer company data.
Companies cannot be complacent in the heightened threat landscape. “Adversaries have thousands of opportunities to attack and get it right once,” says Golden, “whereas companies have to be right thousands of times and never get it wrong. Fortunately, more and more companies now accept that the home needs to be just as secure as the office.”
Russ Banham is a Pulitzer-nominated journalist and best-selling author.