If employees working remotely got a call from “Jack, the new IT guy” asking for their password so he could perform maintenance on the staffers’ work accounts, would they give it to him?
They might, experts say, particularly if they saw that he had a LinkedIn account that showed he worked for their company.
In that real-life scenario — which has happened to numerous companies over the years — employees have been tricked into giving hackers access to a company’s sensitive data.
This social-engineering scam is just one of the many cybersecurity threats that work-from-home employees face, said Nimmy Reichenberg, head of strategy and chief marketing officer for New York City-based cybersecurity company Siemplify.
“The bad guys never take a break,” he warned.
Tommy Todd, vice president of cybersecurity company Code42, shared two cases demonstrating the damage caused by a different threat: insider risks.
In one, a high-ranking executive stole proprietary data right before he left to work for another company. (He was caught before he could share the information with a competitor.) In another case, an employee accidentally shared a cloud-based link, and sales data ended up in a competitor’s hands.
Employers have had to reassess their cybersecurity strategies over the last year because simply blocking employees from sharing data “stifles the collaboration that’s now required as part of the work-from-home model,” Todd said. “As a result, organizations are starting to look at investing in alternative solutions that provide visibility into [how and when data is moved around.]” so that the data team can find a “right size response.”
According to The State of Remote Security Operations report published by Siemplify, unsecure home networks (47 percent) and cloud adoption (46 percent) posed the top two risks listed by the almost 400 security operations professionals surveyed. A majority (57 percent) reported seeing more phishing threats since the shift to remote work.
In addition, there are many new so-called Trojan viruses and botnet variants, and increasingly sophisticated ransomware attacks that can target small and mid-size businesses (SMBs) and cause real damage, according to Corey Nachreiner, chief technology officer at WatchGuard Technologies, a cybersecurity firm based in Seattle.
Still, convincing smaller companies to invest in cybersecurity has not been an easy task.
In a March 2020 report published by the internet security company Bullguard, almost 60 percent of SMBs in the U.S. and the U.K. believed they were unlikely to be targeted by cybercriminals, even though 18.5 percent of them suffered a cyberattack or data breach within the prior year.
The cost of breaches is high, with companies telling Bullguard that they spent $10,000 or more to resolve attacks. More than 50 percent of them said it took 24 hours or longer to recover from the attack, 25 percent reported losing business as a result and almost 40 percent said they lost crucial data.
So how should companies address these concerns?
The first step: Assessing the cybersecurity landscape
The first step in tackling these threats is to understand the cybersecurity risk landscape and the gaps in a company’s virtual armor, experts say.
“The difference between good cybersecurity and bad cybersecurity is not so much to prevent an attack, but the ability to detect an attack quickly and mitigate it before it causes substantial damage,” Siemplify’s Reichenberg said.
While risks are increasing for SMBs, the number of cybersecurity workers are dwindling as competitors race to hire to meet the surging demand for security services, he added.
With about 4 million jobs in cybersecurity unfilled, the quickest way to improve security is to hire managed services companies that will help businesses lock down vulnerabilities and identify how, when and where breaches occur, Reichenberg said.
At the same time, many companies are turning to cloud networks, particularly to support remote workers. Nachreiner at WatchGuard advised, “Now is the perfect time to start or revisit a deep technical diligence dive into the cloud security practices, technologies and products” available for public infrastructure-as-a-service (IaaS) offerings.
These include Amazon Web Services (AWS) and Microsoft Azure, as well as many individual software-as-a-service (SaaS) solutions, he said.
The second step: Employee training and company policies
The second step recommended by experts to curb cybersecurity risks is to implement employee training and cybersecurity policies.
More than 52 percent of SMBs didn’t regularly allow employees to work remotely before the pandemic, according to research by Alliant Cybersecurity. As a result, 22 percent said they didn’t have clear policies to mitigate or prevent cybersecurity threats/attacks when remote work went mainstream in early 2020.
Todd of Minneapolis-based Code42 said that while employees are 85 percent more likely to leak files now than they were before in Covid-19, the number of people sharing the data for malicious purposes is small.
“A lot of that has to do with the fact that users don’t have the proper education on how to use collaboration tools properly, so they unintentionally share data or overshare,” he said. Therefore a good training program for remote employees is critical so they understand how and when they can share sensitive information, Todd said.
It’s also a good idea for organizations to update their employee acceptable use policy (AUP) — rules for using a website or internet service — for remote-work situations, he added.
Other employee-centered suggestions include requiring employees to keep computers up to date with security patches; having robust passwords that employees change periodically; only using sanctioned software, online services and cloud storage; and restricting family members from using the work computer.
Todd also recommends making employees an ally instead of an enemy by creating a “trust but verify” approach that includes spelling out how security personnel will respond to security risks, such as using unsanctioned software or sharing sensitive data inappropriately.
“The process needs to be addressed,” he noted. “How does security respond? What does it look like? Is it just a message? Is it a video call? Is it more aggressive than that?”
Systems that track when employees are logging on and what they are doing on their computers while working can help employers understand an employee’s workstream, which may have changed while they work remotely.
Todd says it’s good to investigate, for example, if an employee who never worked at 3 a.m. on a Saturday appears to be doing that on a regular basis. Asking, “Is that a usual behavior for you?” will establish a cybersecurity context that can be responded to or not, he added.
The third step: Updating security protocols
The third step in mitigating risks is to implement better security protocols, according to Nachreiner of WatchGuard.
“Most companies have to expose more remotely accessible services to their home-based employees today,” he said. “These services can give attackers an avenue into the corporate network if they can obtain one of your user’s credentials. While credential-based attacks obviously existed pre-pandemic, they have become even more popular now.”
To counter this, companies should require multiple authentication methods that include not just strong passwords, but also verification codes sent by text, e-mail or other methods to ensure that the person logging in is an actual authorized user. This will frustrate hackers’ efforts to gain easy access, he added.
Without a robust authentication process, “all attackers need is a single employee credential, and they have an easy path to get into your network,” Nachreiner said.
Siemplify’s Reichenberg said other ways to ensure network security is to use VPNs (virtual private networks), require installation of the latest security patches and use software to monitor cloud services.
Even if smaller cyberattacks — that “only cost a measly few millions of dollars in damages,” as Reichenberg put it — never make the news, they remain a threat to SMBs.
“It’s like somebody breaking into your car in real life — that doesn’t make the news,” he warned. “But there are tons of these smallish cybercrimes that topple small businesses every day.”