During the pandemic, companies have employees working from home to achieve social distancing and meet legal requirements that prohibit too many people from grouping together in enclosed spaces. The approach allows businesses to run and keeps people employed while limiting the spread of the novel Coronavirus, COVID-19.
However, working from home is a breeding ground for another kind of contagion—computer infections. "Hackers are targeting remote workers because they are easy to infect via phishing and other means, and less protected than they would be in a more cyber-secure office environment," says Chuck Brooks, president of Brooks Consulting International, named by IFSEC Global as the #2 global cybersecurity influencer.
To stem the onslaught of cyberattacks against people working from home, organizational stakeholders first need to apprise themselves of the vulnerabilities that have cyberthugs so enthralled with these targets. The subject matter of the day, then?
- The vast number of home workers.
- Vulnerabilities and home-working security policies and measures.
- What doesn't mix with work from home.
- Work from home as a doorway to enterprise networks.
Work-From-Home Population Attracts Hacks
The vast number of people working from home forms an expansive, attractive target that's hard for criminal hackers to pass up.
The number of remote workers could nearly double from its pre-COVID-19 level in the next five years: by 2025, 36.2 million Americans could work remotely, 16.8 million more than before the pandemic, according to the 2020 Future Workforce Pulse Report by freelancing platform Upwork.
Given that so many would continue to work from home after the pandemic, it behooves companies to settle the matter of work-from-home security quickly.
Vulnerabilities, Security Policies, and Countermeasures
Security vulnerabilities surround first-time at-home workers, inviting cyberattacks. "Employees tend to comingle home and work devices and do not patch systems as often as they should. They do not have the risk management mindset necessary to monitor and detect cyberthreat modes that hackers are continually refining," says Brooks. The risk management mindset typically lies with IT security staff who, unfortunately, do not easily follow employees into their home-working environments.
Along with the meager mindset comes a shortfall in security policy and tools. Employees who haven't worked from home before lack the home-working cybersecurity policies and measures to keep them and your data safe. More than half of employees who are new to working from home due to COVID-19 have yet to receive any new security policies on how to securely work from home, according to the Morning Consult + IBM Security Work-From-Home study.
"These policies include making sure you have sensitive business data isolated and encrypted, strong passwords, secure routers and Wi-Fi, virtual private networks (VPNs), and anti-malware software installed," says Brooks.
According to Kevin Hyde, president of Layer 8 Security, a cybersecurity consulting, advisory, and technical services company, other missing security policies can cover keeping others from using work devices at home, reporting spam and phishing attacks, updating operating systems at IT's request, and staying away from social media. Organizations have numerous security policies outlined for the office, and if they can't enforce them in the home office, any number of threats could penetrate the nearly nonexistent remote-working perimeter.
Enterprise-class cybersecurity is also missing with working from home. "Examples can include enterprise-class anomaly monitoring, correlating activities across multiple systems, restricted access to systems and databases, and enterprise-wide software updates and version control," says Eugene H. Spafford, a professor of computer science at Purdue University whose research focuses include issues of computer and network security, cybercrime and ethics, technology policy, and the social impact of computing.
Along with the missing, there is the potentially impossible. Organizations may never adapt specific cybersecurity measures that work in the office to the home-working lifestyle. "Enterprise-class tools and functions like data loss prevention and large-scale analysis functions built for a centralized, on-premise organization would not necessarily translate to remote workforces," says Jacob Ansari, chief information security officer (CISO) of Schellman & Company, LLC, a self-described "provider of attestation and compliance services."
What Doesn't Mix
Some technologies and applications don't mix with working from home; free apps and games are at the top of the list. According to Steve Tcherchian, CISO of XYPRO Technology Corp., a provider of security compliance services and solutions, children downloading free games and apps puts the shared personal computers that people use for work at risk for viruses, malware, and ransomware. "Nothing on the Internet is free. Either you're giving away your private information, or it's installing some other program behind the scenes," says Tcherchian.
Employees can also mismatch technologies in work-at-home settings. According to Morey Haber, chief technology officer (CTO) and CISO of BeyondTrust, which markets a family of privileged identity management, privileged remote access, and vulnerability management products, the inappropriate application of technologies made for work presents cybersecurity risks in work-from-home environments. Examples include installing corporate-sanctioned virtual private networks (VPNs) on home computers or bring-your-own-device (BYOD) devices, and running a corporate-issued computing device as a local administrator.
From Working From Home to Cybercriminals Playing at Work
According to a recent Global Threat Report from VMware Carbon Black, "A staggering 91% of all global respondents stated that they had seen an increase in overall cyberattacks as a result of employees working from home." Home-office environments have become ground zero for attacks by criminal hackers that spread to company networks, datacenters, and the cloud on their way to intellectual property and customer databases.
Cybercriminals are always ready to trade the small-game individual consumer for the much larger intellectual property prize. According to Spafford, criminal groups and nation-states can launch targeted attacks to penetrate systems and access proprietary information by interfering with data routing on the inconsistent networks that remote workers use in their diffuse working environments. Cybercriminals are already using attacks like these to leapfrog their way into the organization.
Criminal hackers have all day to worm their way into work-from-home setups. According to Kyle Yencer, vice president of services and connected workplace for technology services and solutions provider MicroAge, "Devices sitting on an uncontrolled network all day become targets for access by criminal hackers. Once they gain access to the endpoint on the work-from-home network, their next steps are to make their way into the corporate coffers." If an organization hasn't implemented some form of enterprise-class endpoint detection and response or automated detection and response, that endpoint can serve as an open gate to the enterprise network.
From Anecdotes to Avalanches
Cyberattacks on work-from-home environments could escalate from minor anecdotes to cyber-exploit avalanches once breaches use the work-from-home model as a doorway into the enterprise.
According to Spafford, anecdotes have been circulating about minor cybersecurity incidents popping up in the work-from-home environment, but what is happening now is a lot of silent intrusions into enterprise networks that no one is spotting. "For the most damaging attacks on corporate networks, it's 'get in there to build and sustain access, and do surveillance, long dwell-time, and long exfiltration'," says Spafford.
Spafford adds, "These low, slow attacks are the ones that are going to take the longest to discover and mitigate."
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.