One of the great ironies of this pandemic is that working from home could be our physical saviour and our digital downfall at the same time, thanks to cybersecurity threats.
People fortunate enough to have the option of working from home (WFH) have retreated to computers in their bedrooms, basements and kitchen tables to avoid being physically infected with COVID-19.
Yet working from home puts our digital selves—plus the workplace networks and data we connect to remotely—at far greater risk of being infected by virtual threats like malware, spyware, ransomware and other hack attacks.
WFH cybersecurity threats
Enterprises are already bracing for WFH threats that are way more dangerous than any inappropriate image popping onto the screen during a team videoconference meeting.
Although a recent Threatpost poll of more than 200 IT pros is an admittedly small survey sample, it does pinpoint some of the biggest cybersecurity concerns U.S. businesses have about WFH during the coronavirus outbreak:
- 40 per cent report seeing more cyber attacks since enabling remote working by staff
- 23 per cent report more phishing or other social engineering attacks
- 10 per cent have noticed more coronavirus-related scams
- less than three per cent are receiving more business email compromise (BEC) attacks than usual
Here are the top WFH security challenges cited in the poll:
- only 30 per cent feel prepared to move to “all-remote working” for their employees
- 43 per cent say their top WFH concern is making workers aware of the importance of remote endpoint security
- 20 per cent say their top WFH priority is “housing sensitive data off-premise and transmitting it via the open Internet”
We asked Gregory Garrett, who oversees more than 2,000 IT and infosec professionals as head of U.S. and international cybersecurity at BDO Digital, how enterprises can protect their enterprise networks while enabling WFH during the pandemic.
Garrett, an author and IT veteran whose career spans more than 30 years in government, military and private industry, spoke to us by phone from McLean, Virginia.
Every WFH employee has a different home Wi-Fi setup, and that itself is a cybersecurity risk.
“(Workers) can double check their personal wireless router that they’re using. Hopefully they’ve purchased a router that’s properly configured and loaded with anti-virus, anti-malware and anti-spam (software),” Garrett says.
He says remote workers should also update their home Wi-Fi password “to about 20 characters” to make it “that much tougher for hackers.”
If staff are working from a condo or apartment complex, they shouldn’t use the free communal Wi-Fi network provided by the building management company. Garrett warns such a network might be configured or secured improperly—possibly by “a hacker looking to plant malware or spyware” on residents’ devices.
Virtual Private Networks
Don’t have a false sense of security because your staff are using VPNs.
“Enable all the security functions around authentication,” Garrett says. That includes remote workers using MFA, if it’s an option, or a random password generator key fob when they log in over a VPN.
“Those (steps) dramatically increase the security,” he adds. “You can also limit your time on the VPN. One way is to use the timeout function so it shuts down if you’re not on the computer for a certain amount of time. The longer you stay on the VPN, the greater the likelihood of penetration.”
As for IT managers, he advises making sure “the strongest possible levels of encryption” are in place on workplace servers connecting to remote workers through VPNs. Ensuring workplace servers are switched over to L2TP (layer two tunneling protocol) settings is important, he says.
Video- and teleconferencing
Choose virtual conferencing apps and platforms wisely for WFH staff.
“There’s a lot out there and they’re not all of equal quality. Not all of them have end-to-end security. The larger players like Microsoft Meetings, Cisco Webex and Zoom all have end-to-end security and encryption,” Garrett says.
“But I will caution people that if you call into Zoom, for instance, and you dial into a conferencing number using a conventional mobile or land line, that is not secure,” he explains.
“It’s better to use VoIP or voice-over-the-computer because that goes over a secure encrypted line. So I caution people to not call in (over a phone line) but to use VoIP instead.”
Bring your own device
Although BYOD can provide cost savings for companies, “the bad news is it just opens up all kinds of additional vulnerabilities,” Garrett says.
If a remote worker opens their own Gmail or other personal online account from their BYOD device, “now it can spread over to the connection between your business network and all your business transactions that you do over the Internet,” he warns.
From the remote workers’ side of the fence (or firewall), Garrett urges employees to use MFA on their BYOD devices, if possible. To IT managers, his message is clear: “Fully encrypt everything (connecting) to the network.”
Garrett tells us he’s a big fan of Signal. Run by a non-profit org, Signal is an ad-free, open source app that adds end-to-end encryption to voice, video and SMS communications. You can even do group voice and video meetings on the app, which is available for Mac, Windows and Linux desktops as well as Android, iPhone and iPad devices.
Garrett also recommends the deployment of MDM (mobile device management) solutions to monitor the use of employees’ BYOD devices and remotely scan them for cybersecurity threats.
After constant reminders from health officials about social distancing and hand washing, millions of people around the world have radically adjusted their behaviour in ways they never imagined a month ago.
For the sake of IT managers, let’s hope the same constant messaging to employees—about cybersecurity practices and hygiene habits—will help keep enterprise assets safe and sound as well.