Insecure connections and unpatched software risk compromising company data. Juta Gurinaviciute Chief Technology Officer at NordVPN Teams discusses the main home office network risks for business
Over three quarters (85 per cent) of Chief Information Security Officers (CISOs) admit having sacrificed cybersecurity in an effort to enable employees to work remotely when the pandemic hit. According to the 2020 Remote Work from Home Cybersecurity report 84 per cent of the workforce are planning to continue to work from home after lockdown and at least half of business leaders will allow them to do so. For cyber criminals, this means a larger array of potential targets, and for cybersecurity specialists a much wider surface area to protect.
The rapid shift to home offices and the changing working environment has taken its toll on cyber protection. According to a study by IBM, 45 per cent of employees admit having received no new training before going remote, making it easier for cyber criminals to attempt a data breach and compromise valuable information.
With more employees working remotely, more devices are connected outside of the secured corporate network. That means corporations no longer have control over the infrastructure their staff use for work. People may work on their personal computers, neglect digital security requirements, connect through unsecured Wi-Fi hotspots and therefore grant bad actors’ access to the internal business networks. And if you had 3,000 employees before, now you have 3,000 sites to look after.
Cybersecurity risks posed by remote work can be classified in three key areas: people, places, and technology. To prevent cyber threats, each of them has to be addressed in every home office. Below are the five of the most vulnerable areas to evaluate when setting up a safe and protected network connection for home working.
FIVE WEAK CYBERSECURITY LINKS OF THE HOME OFFICE
- Multiple personal devices. Every internet-connected gadget is a potential hazard as hackers can utilise its vulnerabilities to gain access to personal or business networks. At home, employees may use a variety of electronic devices for work purposes: they could check workplace chats on phones, write emails on personal tablets, and access cloud services on a laptop. And even if the latter has sufficient protection, the former two may lack security layers needed to establish a completely secure connection. When the workforce moves to their home offices, enterprises should provide them with all the working equipment needed. If that’s impossible, predetermined security policies governing the use of personal devices for work purposes should be implemented. One of the imperatives for workers should be constant patching of their devices. Hackers are constantly on the hunt for software vulnerabilities, whereas vendors are trying to fix those bugs as soon as possible. However, if the end users fail to update their devices, exposures remain, and all it takes is one click or an opened file for cyber criminals to gain access. With a compromised device they are able to reach sensitive data on the corporate network.
- Insecure infrastructure. Employees access data on company servers and the cloud using their insufficiently secured home networks. Even if enterprises demand staff to use virtual private networks (VPN) for a secure gateway, they are incapable of solving hardware-related issues. Consider Wi-Fi routers, for example: even if the connection is secured with a strong SSID password, the access to the router’s settings might be protected by a simple ‘admin’ parole alone. Also, domestic devices are usually protected by weaker protocols, such as WEP instead of WPA2/3, thus hackers can get their hands on the network traffic easier. The shortest password allowed on WPA2 protocol is eight characters, yet it should be 14-15 characters long to defend the network against brute force guessing. Most devices come with predefined eight-character alphanumeric passwords which are easy to hack.
- Increased data-sharing. Working on-site, employees share important data over the intranet and other internal network structures. Now all the information travels through the public internet with malicious actors around, increasing the risk of exposure. Cyber criminals can utilise numerous weak spots that appear along the way from the end user to the company servers. Employees share most important (or even confidential) information through emails and phones without being aware of it, and this calls for a secure digital perimeter. Workers should be encouraged to use VPN services and share files only through secured channels. Many businesses now rely on cloud-based solutions; however, they should also be warned that hackers leveraged increasing remote workloads and performed 7.5 million external attacks on cloud accounts in Q2 of 2020. To mitigate the risks brought on by the increased online traffic, enterprises should implement zero trust privileges. This means that a user is granted access privileges for one particular task and they last only for the time needed to complete it. Therefore, if hackers compromise the credentials, they wouldn’t do much harm as they could only access a small fraction of sensitive data.
- Susceptibility to social engineering. The 2020 Data Breach Investigations Report by Verizon finds that almost a third of the data breaches incorporated social engineering techniques. While antivirus software, firewalls or VPNs can take care of your infrastructure, they cannot be installed on the human brain and prevent social engineering attempts. Hackers forge emails from other institutions or impersonate colleagues (even the CEOs!) to get employees to open the corrupted file or click on a malicious link. At home, there’s no one to consult with and the load of digital information is bigger, thus people fall victim to these scams more frequently. Cyber criminals tend to trigger certain behaviours and emotions to encourage the victim to act: consider, for instance, ‘the urge’, which is characteristic of most social engineering methods.
- Complicated IT support. In offices, the cybersecurity team and IT support are always at hand, so they can fix a problem immediately. Remote employees also require IT support, especially when considering the security measures, they should take. Yet logistical challenges prevent the IT team from always being present. In the event of data breach, it is harder to act immediately, as security experts cannot stop all cyber-attacks remotely. This can lead to devastating consequences. A report from Kaspersky on data breaches in the US shows that a data breach costs $28K if dealt with immediately, and $105K if undetected for more than a week.
Some of the breaches might go unnoticed for a long time, with ransomware gathering a company’s data, or malware compromising internal networks. On the other hand, sometimes an ongoing attack can be indicated by newly appearing programs which were not deliberately installed by the user. In some cases, the computer slows down, strange pop-ups flood the screen, or the user loses control of the mouse or keyboard. If any of these signs appear, employees should immediately inform the security team.
COVID-19 has set a new baseline for effective and secure remote work and many cybersecurity leaders have adapted to a ‘new normal’. Now it’s time to involve each employee in building an organization’s digital resilience and creating business value.
Even if a company plans to move back to the office as soon as possible, WFH policy should remain intact. The investments made in these turbulent times, and the lessons learned, will contribute to lasting cyber resilience. Both IT professionals and employees have had a final rehearsal in shifting to the workplace of the future.