Four thoughts on home working cyber security during 2021
The now common practice of remote working continues to cause major cyber security headaches for companies and individuals. Criminals continue to take advantage of lax cyber security, with staff no longer having ready access to IT security to help them stay cyber-safe.
What do home-hackers have in store for us during 2021 and what can firms do to protect themselves?
1. Poorly protected team networks remain a source of vulnerability
Last year Japanese giant Mitsubishi fell victim to just such an attack. A group network used by home-working Mitsubishi employees was penetrated by third-party malware. The data breach occurred when an employee unwittingly downloaded the malware, triggering a leak of private company data along with names and email addresses of those on the network. Subsequently, Mitsubishi issued company-wide warnings, implemented virtual private networks and new password requirements.
When I was talking with a tech security colleague about VPNs, he came up with an unexpected analogy. He likened the difference to that between a medieval town expecting every building to have its own defences and one constructing a wall around the whole town. He said: ‘The VPN isn’t the wall, it’s the tunnel that lets citizens living outside that wall in and out.’
To put that in more contemporary terms: Virtual Private Networks let staff access company data via an encrypted network connection, and users can be authenticated with strong password requirements and/or Multi-Factor Authentication for additional security.
2. Staff must be open and honest about cyber-security and feel comfortable sharing any cyber concerns they may have.
A report published last month by global cyber security firm Avast found that almost 40% of small business staff think if they unwittingly fall for a phishing attack, they could be held responsible for any subsequent data breach. The concern is that, to protect themselves, employees may not admit to having clicked on what turned out to be a suspicious link. On their website, the National Cyber Security Centre notes: ‘staff who fear reprisals are less likely to report promptly.’ (https://www.ncsc.gov.uk/guidance/home-working)
Avast’s Head of the Threat Intelligence Systems, Jakub Kroustek, said: ‘Cybercriminals are constantly innovating and looking for new ways to circumvent today’s powerful personal and business security solutions. It is harder for people to spot malicious emails or suspicious links and attachments, making attacks more likely to be successful.’
3. Fraudsters will continue to use the pandemic as a cover for their criminal activities.
An egregious example surfaced recently when it emerged that fraudsters were attempting to ‘sell’ Covid vaccines. In a widely reported scam, a message was sent to potential victims saying the recipient was ‘eligible to apply for your vaccine’. The criminals then asked for their credit card details supposedly ‘for verification.’
Chief Technology Officer Tobias Powell said: “Phishing messages that use Covid as the cover story are likely to be with us for some time. Pretty much all employees need to be alert for a constant background of low-level phishing and scams; some employees in higher risk companies can expect to be targeted with much more targeted, personally tailored attacks. Companies will need to invest more in monitoring and security tools to cover home workers with Bring Your Own Devices (BYOD).”
4. The use of BYOD and personal wi-fi connections will remain a risk
Staff working from home will often feel more comfortable using their own personal computers. Unfortunately, these devices may not have the same level of security found in corporate computers. Firms must investigate what hardware employees are using to make sure it is appropriate and must insist that software is kept up to date. Staff will almost inevitably connect to domestic wi-fi, which can also mean easy pickings for cyber criminals. Many bigger companies now have infosec officers who look after remote working security, but staff must remain alert to potential hacks and scams.
Once out of the office, employees are more likely to lose their computers or have them stolen. Firms should insist that data held on their devices is encrypted. Most modern computers feature encryption, but it often has to be turned on. (I know this because I had to do it!)
The National Cyber Security Centre makes the point that, because of the pandemic, staff may already be stressed and not in an ideal position to learn new technologies, and they may not be able to ask a co-worker for help. When it comes to security, staff must know how to report problems, particularly if a device is lost or stolen.
Home working had been with us for some time prior to the pandemic, but in March of last year Covid-19 put rocket boosters on the trend, which is unlikely to go away. Just as staff are getting used to working from home, so companies are learning what the implications are for their corporate cyber security.
About the author
Crisis Management Director, YUDU Ltd