The coronavirus outbreak has had an unprecedented impact on daily life, worldwide. One major change as a result of measures to contain COVID-19 has been a sudden shift to increased remote working. Society had already been moving towards Work 4.0 – with changes including a move towards more flexible working conditions and both businesses and employees needing to adapt to the associated changes in cyber security responsibilities. But COVID-19 has accelerated this requirement, and businesses are, almost overnight, having to manage a larger remote workforce than ever.
Dr Duncan Hodges, Senior Lecturer in Cyberspace Operations at Cranfield Defence and Security warns that with this change, comes risk. Malware and malicious links masquerading as coronavirus-related applications and advice play on people’s uncertainty and need for the latest information. Meanwhile, there has already been an increase in phishing attacks aiming to capitalise on the shift to remote-working, which combined with the increased use of less-secure home networks and potentially out-of-date software could leave us more vulnerable than usual to cyber-attacks.
So what are the risks that we need to be aware of? And how can businesses – and their employees – practice good “cyber hygiene” to mitigate this risk?
Exploiting change and uncertainty: knowing the risks.
Already, data published in an article by Raconteur suggests there has been an upward trend in the number of attempted cyber-attacks as the coronavirus crisis has unfolded. Malicious actors are making use of people’s uncertainty and desire for the latest information, with a rise in coronavirus-related phishing scams. Data gathered by artificial intelligence security platform SentinelOne, showed that the attempted attacks between 23 February and 16 March 2020 rose, with peaks at 145 threats per 1,000 endpoints, compared to 30 or 37 at the start of that period.
According to Luke Vile, a cybersecurity expert at PA Consulting, these phishing attacks play on people’s emotions and concerns, which coupled with our desire for information around coronavirus makes falling for malicious links more likely. Senior Director of Proofpoint, Sherrod DeGrippo describes these so-called COVID-19 lures being utilised by cyber criminals as “social engineering at scale”, monopolising on the fact that people are far more likely to click on potentially malicious links or download attachments because they are looking for safety information.
Alongside phishing scams that play on people’s fears of and desire for knowledge about the virus itself, there has also been a rise in phishing scams that take advantage of the shift to remote working – and people wanting to protect themselves against cyber threats. Dr Duncan Hodges warns of an increase “in phishing related to the coronavirus, for example malware masquerading as fake antivirus, and VPN solutions all aimed at capitalising on the change to remote working.” As the way we work changes, we need to consider the cyber risks associated with working from home.
Risks to consider when you’re working from home
Dr Hodges has outlined the following risks that the changes associated with working remotely, rather than in the office, may bring:
- Outdated software and solutions
We can expect to see an increase in attacks targeting remote desktop solutions and video conferencing software. This is particularly likely to be a problem where products have laid dormant without being updated or only used within a corporate network for a period of time and are now being made available outside the traditional corporate network.
- Vulnerabilities posed by a less secure home network
Traditionally a home network has been considered a less secure part of a corporate network, as well as your corporate laptop on the network there will also be your family’s personal computers, tablets and phones as well as a host of smart home devices. Your network will only be as secure as the most vulnerable of these devices.” The potential for vulnerable devices being used to launch a wider-scale attack is demonstrated in our recent article on zombie machines. Internet of Things devices such as video doorbells, speakers and smart fridges, which are connected to your home network, can be used to execute Distributed Denial of Service (DDoS) cyber-attacks due to their lack of antivirus software and our tendency as consumers to overlook the necessary updates and security measures.
- Cloud hosting solutions and the risks of data breaches as a result of personal solutions being used in place of corporate solutions.
We can also expect more of the corporate data to be moved to cloud hosting solutions to allow for remote working – whilst some of this will be within corporate solutions it would be naïve to think that there won’t be an increase in data being moved to shadow IT infrastructure. This is where data is moved to other personal solutions outside a corporate network because an employee ‘needs to get a job done’ and the corporate solutions don’t work – using personal email accounts or accounts on Dropbox, for example. This move of data to external cloud providers could increase the risk of a data breach.
How to mitigate these risks
There are a number of fairly simple actions we can take to practice good cyber hygiene and reduce the risk of cyber-attacks.
- Make sure you’re running up-to-date antivirus software
Security isn’t really a ‘product’ that can be bought but certainly running an antivirus and firewall application represent what we would call good cyber hygiene. There are really great free home versions from most vendors that offer pretty good protection against a whole host of threats.
- Use a firewall
Look at using a firewall on your machines, these attempt to create a buffer between your computer and the network.
- Keep apps up-to-date
Make sure your operating system and the applications (such as Microsoft Office / Word, your PDF readers and your web browsers) are up-to-date.
- Consult National Cyber Security Centre guidance
For businesses, Dr Hodges suggests considering the National Cyber Security Centre (NCSC) Cyber Essentials programme: “this outlines a number of simple steps to improve your cybersecurity – you don’t need to go through the certification process but there is some really easy to follow advice.”
The NCSC has also published a home-working guidance document, outlining steps for organisations to take when implementing working from home and providing tips on spotting coronavirus scam emails.
While there may seem to be plenty of cyber security risks associated with working away from the typical office environment, Dr Hodges reassures that “doing these relatively simple things will make a big difference to what we call your ‘security posture’.”
Lessons to take forward as the way we work shifts in the future
It could be argued that the COVID-19 outbreak has simply accelerated a longer-term shift to an increased number of people working remotely. This sudden shift provides us with an opportunity to use the lessons that we learn during this period to assess how businesses – and security professionals – can support a wide variety of staff working from home for extended periods of time.