People are also more likely to use their work devices for non-work tasks: this includes checking personal email, online shopping or gaming. Any of these could lead to the device being infected with malware and the exposure of company information.
And if organisations don’t give their employees all the user-friendly tools they want, people will find their own workarounds. 7% of employees admit to having used a personal cloud app to store sensitive corporate information.5
But it’s not just data that you should be concerned about. Finance teams have access to many key systems, including those related to banking and payments. A malware infection could lead to credentials being stolen and attackers getting access to these systems.
There are many technical solutions to help mitigate these risks, including mobile device management (MDM) and cloud access security brokers (CASBs). But education of employees is vital. Many people will be working remotely for the first time, but even seasoned remote workers would benefit from a reminder of the risks and how to report suspicious activity.
2. Attackers exploiting the situation
Attackers will seize on anything to see if it can help further their attacks. And the pandemic was no exception. Back in March 2020, Europol reported how quickly criminals had adapted their methods to exploit the crisis.1 Malicious actors were quick to take advantage of the increased use of video conferencing to create new phishing campaigns; they even exploited the shortage of certain goods like hand sanitiser.
Business email compromise (BEC) attacks, also known as CEO fraud, offered another way to take advantage of the situation. BEC attacks are a form of fraud where the attacker impersonates somebody within the company—or sometimes a business partner. These are typically carried out via email, but there have been examples of attackers using “deep fake” technology to impersonate people on the phone. With employees working from home, it may not be as easy for them to check the validity of a request or instruction as it would be in the office, leaving companies more vulnerable to attacks.
According to the FBI, which has been studying them since 2013, the worldwide losses from BEC attacks have been rising year-on-year.3 In 2020, the total reported losses reached $2.1 billion across 177 countries, and that’s almost certainly just a fraction of the total problem.
Some high-profile cases have hit the headlines, like the €6 million personal protective equipment (PPE) scam.4 But the FBI notes that the organisations that are most vulnerable to BEC scams are small and medium-sized ones—possibly because they have less rigorous processes in place.3
Companies have been warned to watch out for the urgent call from the CEO about to take a flight, so many attackers are shifting to trying to manipulate more mundane payments, like salary.