This post was written by Erich Kron, Security Awareness Advocate, KnowBe4.
The world has certainly changed in a hurry. With the introduction and spread of COVID-19, the way organizations do business has had to change very rapidly, prompting the phrase “new normal.” The quick move from doing business in a controlled office to doing business from home is a huge change, and many organizations have policies and procedures that are simply not adequate for home environments.
There are also threats that individuals have not had to deal with in the past. I want to shed light on a few things to consider when moving your workforce remote, especially for extended periods of time or where working from home has now become a permanent option and for some, a “new normal.”
People are doing work in high-density areas on Wi-Fi
Some of the hardest-hit places in the U.S. are in very densely populated areas such as New York City. As of May 25, New York City had seen over 199,000 confirmed cases of COVID-19, and people have been on lockdown in their apartments and homes. This means a lot of people using Wi-Fi to perform their jobs from home.
This also means it is a prime place for attackers to use devices such as a Wi-Fi Pineapple or other rogue access points to intercept Wi-Fi traffic. For this reason, it is important that people are trained on how to deal with the same threats they would face when performing work on public Wi-Fi, such as in a coffee shop or airport. While many organizations already prepare their traveling staff and executives for this, it is probably a good time to extend the training to work-at-home staff as well.
Recording devices in the home
Devices such as Amazon Alexa and Google Home are already at the frontline of privacy debates; however, this becomes a bigger issue when it comes to working from home. Very few organizations would allow you to have one of these devices on your desk at the office, yet here we are working from home with Alexa on our desk. We know that these devices are always listening and are often recording. For that reason, it becomes a risk that proprietary or private business information could be overheard or recorded. If this is an issue for your organization, be sure to update the relevant policies and communicate them to the workforce.
Another thing that people may not think about is a baby monitor. These devices are notoriously insecure and transmit sound and/or video wirelessly. People should be cautious about what they say around these devices when working from home and should unplug them when not in use.
The lack of corporate security
As the pandemic has reshaped the dynamics of working, including organizations realizing that having employees work from home on a permanent basis could be beneficial, the idea of the corporate network perimeter may be reshaped as never before. While employees working from home can have some great benefits, there are some potential perils as well. One of the most significant is the lack of corporate security controls that apply when working from outside of the corporate network. Examples include malicious-website filtering, which helps keep organizational assets from accidentally reaching malicious websites, and the processes and tools that allow administrators to keep assets up to date with the latest security patches.
To counter these issues, organizations should issue computer equipment, containing remote management tools, to employees wherever possible and should also implement persistent Virtual Private Networks (VPNs) for this equipment, directing all network and internet traffic through the normal corporate security controls such as web filtering, intrusion detection/prevention, and Data Loss Prevention (DLP) tools. In addition, training and education focused on the dangers of working remotely should be required so employees understand the need for these measures and can compensate for any security controls that cannot be applied remotely.
Email and text message phishing is exploding
Throughout the last couple of months, there has been an explosion in COVID-19 themed email and text message attacks the likes of which we have never seen. In the first months of the pandemic here at KnowBe4, we tracked the weekly number of new email phishing templates. These are brand new and not based on previous phishing emails that have been repurposed a little for the coronavirus, and the numbers have been staggering.
- Between March 8th and March 14th, there were 16 new phishing templates
- Between March 15th and March 21st, there were 36 new phishing templates
- Between March 22nd and March 28th, there were 94 new phishing templates
These numbers represent an unprecedented amount of work being done by attackers so they can launch attacks during these chaotic times. They are preying on the heightened emotions and fear that are impacting people during this crisis.
This behavior is not unexpected, as cybercriminals are very opportunistic, using both natural and man-made disasters as fodder for their attacks. Email phishing and text message-based smishing attacks are, at their root, attacks designed to cause an emotional response, thereby impacting our ability to apply critical thinking skills. This is why they typically include a sense of urgency alongside a sense of fear if something is not done quickly, or a sense of great reward if something is done quickly. For this reason, training users on how to spot phishing attacks has never been more important than it is now during this already emotionally charged pandemic.
Preparing people to work from home
When organizations are preparing people to work from home, as part of the process of issuing equipment, organizations should also provide updated policies and step their users through some new-school security awareness training, including courses on spotting phishing and working from public Wi-Fi. This will better prepare the users to defend themselves against the inevitable as they adjust to the new environment and challenges of working from home.
For organizations that already have people working from home, make sure they are getting trained and prepared as soon as possible.
The upcoming threat
Organizations need to be prepared not only for the current threats but for those in the future as well. This is a good time to start thinking about how the move back to places of business will be handled and to be prepared for the upcoming attacks. These, like the attacks that happened when people were moved to working from home, will likely focus on areas of uncertainty and communication gaps. This psychological ploy leverages our human hunger for information as a vulnerability. As when preparing people to work from home, organizations should provide training to employees related to potential or known attacks and work to provide the clearest information possible, as quickly as possible.