The coronavirus pandemic has changed the workplace forever as remote working, once reserved for a small but growing portion of employees globally, has become the norm.
But moving from a well-furnished office to setting up a workstation at home — potentially for the long run — poses new cyber security risks for businesses at a time when hackers are already attempting to capitalise on Covid-19-related panic.
It is not only computers, tablets and mobile phones that hackers can tap in attempts to steal valuable information. The increasing number of everyday objects connected to the web — the so-called internet of things (IoT) — also presents tantalising opportunities for cyber thieves.
“When everybody has to move to homeworking, everyone has to become their own cyber security expert and make their personal network as robust as they can,” says Roderick Jones, founder of cyber security protection group Concentric Advisors. “Otherwise they risk exposing their corporate information.”
Already, cyber attackers have attempted to exploit the chaos caused by the pandemic. According to an Interpol report, 907,000 spam messages, more than 700 malware attacks and 48,000 malicious domains were discovered in the first four months of 2020 — all mentioning coronavirus. Companies such as Twitter have fallen victim to “phone spear phishing” hacks, in which employees are tricked over the phone into handing over access to sensitive data.
There is much at stake: according to a 2020 report by IBM, the average cost of a single breach for a business is $3.86m. Some 70 per cent of the 500 companies surveyed said that they expected remote working during the pandemic to increase the cost of a breach; four-fifths expected it to take longer to notice and contain a breach. In many cases attacks are made for financial gain, but there is also a rise in perpetrators, sometimes state-backed, hunting for research and intellectual property — something both US and UK authorities have warned about in recent months.
An AT&T survey of 800 cyber security professionals in August found that 70 per cent of those employed by big businesses believe remote working leaves them more vulnerable to cyber attacks.
It comes amid a shift from secure corporate networks to home WiFi, which may have weak passwords or outdated equipment. The home network is likely to be used for professional as well as personal devices — including any number of smart gadgets — all of which could be targeted by malware attackers.
“For a lot of families, it’s not as though every person in the family has their own laptop. You’re swapping the laptops around,” says Suzanne Spaulding, security expert at the Center for Strategic and International Studies. “There’s a lot of mingling — all of it is only as secure as the person with the weakest cyber hygiene.”
Workers may also be tempted to use corporate devices for personal reasons, bringing added risks. “If you are checking football scores and get infected, then go back into a corporate network, you’re bringing that with you,” says Roderick Jones of Concentric Advisors.
In addition, Craig Jones, Interpol’s director of cyber crime, notes that the rise of new online working tools presents new weak spots for cyber attackers. “We all went to teleconferencing virtually . . . Criminals identified opportunities and tried to exploit the vulnerabilities within a system or network, effectively,” he says.
The new normal of remote working has also pushed many businesses to move their work applications, as well as data, to the cloud so that they are easily accessible. “Now the company’s data, source code, plans, budgets, its HR information is all shared [and] available in the cloud,” says Joe Payne, chief executive of data security group Code42.
The AT&T report found that one in four employees were sharing or storing sensitive information in “unsanctioned” cloud applications, according to their cyber security bosses.
Security specialists agree that robust password protection is vital. Home workers should ensure their WiFi routers are patched — or up to date — and that passwords are changed from the default. According to the 2020 Verizon Data Breach Investigations Report, more than 80 per cent of hacking breaches involved the use of brute force — such as guessing different combinations of characters in order to crack a password — or lost or stolen credentials, rather than the exploitation of a particular vulnerability.
Meanwhile, appropriate antivirus or intrusion detection software should also be loaded on to devices. Many workplaces have either set up or expanded the use of a secure corporate VPN — or virtual private network — that allows employees to safely connect to the company network from any device anywhere.
There are other less obvious vulnerabilities. The internet of things — from home security cameras to door bells and smart fridges — can serve as an entry point for hackers to gain access to other devices on a network. Cyber security experts say a proliferation of such devices in many homes means the “attack surface” is greater, while they often run on legacy systems that are easier to hack. IoT malware attacks rose 50 per cent in the year to date, to 20.2m, according to new data from SonicWall.
Big tech is taking notice. In August, Google announced that it was investing $450m for a stake of about 6 per cent in ADT, which specialises in home security.
“The home is the new battleground,” says Chris Pierson, founder and chief executive at Blackcloak, which provides personal cyber security to wealthy individuals. During the onboarding of new clients, his firm found that 20 per cent of households are compromised.
“When we talk about the vulnerabilities [of] your networked refrigerators, it’s not about the danger you’ll buy too much milk, but it’s a way into your network that has your home computer attacked,” says Spaulding.
Bill Conner, chief executive of SonicWall, recommends that home workers scan and then “segment out IoT devices on the wireless network and . . . put in an enterprise-grade firewall”.
Pierson says that for deep-pocketed executives, one option is paying a third party to carry out a penetration test — a simulated cyber attack to check that systems are robust. “It’s like going and getting a physical at the doctor’s — it’s a check-up,” he says.