Remote Control: Cyber Threats to Working From Home During COVID-19
More people than ever are currently working remotely because of COVID-19. While such arrangements have been on the rise the past few years, the pandemic has spurred a mass migration home in a short amount of time. And unfortunately, the abruptness of the situation has created major cybersecurity concerns.
Despite available technologies, many businesses aren’t prepared to accommodate staff working remotely. Telecommuting requires remote access to sensitive information. With so many digital interactions involved, each needs to be secure to prevent unauthorized access of information.
Cyber criminals are aware of the situation, and they’re going to take advantage of it. Why not? It’s their job model! The more scared we are, the easier they can trick us into giving them sensitive data like passwords, access credentials, even personal identifying information.
Recognize Three Common Cyber Threats
Hacking, malware, spyware… these things aren’t new to us. We face numerous cyber threats both in the workplace and at home. With the two now blended, however, it makes for a more vulnerable situation. New telecommuters face three significant (and closely related) cyber threats.
- Phishing You’ve heard of this—a random email from someone who claims to be your bank, the IRS, a friend or coworker. They try to get you to click a link or send them sensitive information. Today, the most common phishing emails we see are related to COVID-19 updates. People want information about the pandemic, so they’re prone to clicking links that promise insight.
- Vishing is the same as phishing but done via voice call. Scammers actually call up your phone and impersonate someone of authority: “Hey, this is Dr. Johnson from the CDC. Let me help you identify if you’re at risk for COVID-19.” They might also impersonate your insurance agent, a repair person, any number of things. The goal is to make you divulge information or go to a website that will gather it from you.
- Smishing is yet again the same thing, just via text. You’ve probably gotten at least one random text saying, “Hey, check your bank account information,” or “Verify your account,” or some other request. It’s becoming more common because we are all engrossed in text messages. Smishing can happen in standard text messages on your cell phone, Facebook Messenger and other text-based communication forms.
If that isn’t enough, we still need to worry about the standard viruses and worms out there. And now that people are working from home, the likelihood and risk go up even higher.
Ransomware is also a big player in today’s workforce. The fastest-growing method of cyber attacking, it’s still very effective. Ransomware often comes in through phishing and smishing attacks. These information-grabbing attempts often carry viruses and worms to scrape data that someone might not readily make public.
With all these malicious efforts at play, security has to accompany any workforce—in the office or remote. But there is good news; a lot of prevention measures are simple common sense!
Office vs. Home Office Security
Offices almost always have a corporate firewall in place. This firewall has virus protection software and uses advanced filters to look for malicious software and suspect code. It might even have geo location filters that block content coming from China, Russia and other foreign locations known for supporting cyberterrorist activity. Firewalls also have advanced heuristics. They can identify threats that look like a virus or carry some of the same markers, even if they aren’t confirmed viruses yet.
Corporate workstations are also typically better maintained than personal computers. They’re patched and updated routinely, and the security is generally better. Finally, physical security is better in an office environment. Walls, doors, locks, etc. control access into the workplace, which helps prevent other types of attack.
Now, contrast this with your home—where you typically do not have a firewall. Even if your internet provider says you have one, it’s likely not as robust as a corporate one. The firewall you get with most internet service providers, or included with your modem or router, at best has very rudimentary firewall capabilities.
Also, who configures the firewall? More often than not, it’s you. Generally speaking, we pull these devices out of the box and plug them in while we’re talking to technical support on the telephone. They say, “put the blue cable in the first port, turn it on and once you have internet, you’re good to go.” So the firewall in those devices may not even be enabled properly.
If you’re using your own computer, it may be older and not updated or properly maintained. It may not be cleaned or have solid antivirus protection. Or it has antivirus but isn’t monitored. It’s just doing its own thing in the background and you trust it’s working… but nobody’s checking to make sure.
Additionally, in the home environment your computer may be the same one your spouse or kids use. They might play games, browse social media, any number of things—all of which can expose it to attack.
The point is that, in the home environment, you’re easier to attack. You’re more relaxed and don’t have all the safety measures and controls you do at work.
Attackers know this. And they’re targeting people working from home right now.
What NASA Can Teach Us About Cybersecurity
Cyberattacks can happen to anyone. Take NASA as an example. These are the people who put a man on the moon, so you’d think they’d have amazing cybersecurity measures. And they do. Yet there are still ways to breach their systems.
In 1999, a 15-year-old kid hacked NASA with a dial-up modem. He found a remote network with a connection back to NASA in Duluth, Virginia. He broke into the network through this location, jumped across one of the routers, installed some back doors on their systems, and was able to siphon off information from NASA before being discovered!
NASA was hacked again in 2018 due to a network setup mistake. NASA, like a lot of companies, has a separate network for vendors to access data. Somebody put a $25 mini-computer called a Raspberry Pi on that network and failed to properly document it; therefore, it was not properly secured. Someone found that that device, and attackers started throwing commands against it. They were able to break into NASA’s closed network, even reaching the deep space network and radio telescopes.
These examples show that this can happen to anybody. If you’re not thinking about security and data protection—and you can bet NASA is—it can turn around and bite you.
The important thing to note about both scenarios is that NASA was hacked from a remote location. The criminals didn’t pound on NASA’s front door; they went in through back doors and side windows.
It’s much like what a lot of us are doing now. We weren’t ready for this pandemic, but we needed a mobile workforce. So we hastily set up VPNs and made connections into central networks from anywhere. Each of these makeshift connections is a side window that can let attackers in.
Easy Steps to Thwart Attackers
Even with more employees working from home, we can do much to protect ourselves against increased hacker threats. And most of it involves little more than common sense.
Use the computer for work only. Don’t shop eBay or Amazon. Avoid streaming sites like Spotify, Pandora and Netflix. Even if you’re comfortable using these services on a personal computer, remember that they’re easily exploited. And don’t let others in your household—not even your spouse—use your work computer. All it takes is one bad link that redirects you to a cloned site. In an instant, there’s malware on your computer and hackers have access to critical business data. They can even reach the corporate network depending how the infected computer is connected.
Practice responsible cyber security habits. Don’t click on random popup windows or installation messages. And if an email contains a link or attachment, don’t click on it unless you’re expecting that email (even if you know the name of the sender). These are common methods hackers use to trick you into downloading malware.
Do not stay connected to your corporate network. A virtual private network (VPN) builds a direct path between your remote computer and the corporate network. If your computer gets compromised, the hacker can use the VPN connection to attack your corporate resources. If you’re done working for the day, going to lunch or will be away from your computer for more than a few minutes, disconnect from that VPN and sever the remote connection. Don’t leave that computer unattended!
Be smart with your password. Gone are the days of using the same, easy-to-remember password for everything. From longer words and phrases to multi-factor authentication, there are many ways to secure your accounts and help avoid an attack. Brush up on the latest secure password guidelines and make sure you follow them.
Here’s the positive part; there’s no magic recipe to fight cyber threats. Just be aware of the higher risk working from home poses and use common sense. Follow best practices. Talk with coworkers over video whenever possible. Take a long, deep breath of fresh air a couple times a day. And remember that we’ll get through this together.