Why should an increase in home working—one of the most obvious trends accelerated by the COVID-19 pandemic—make a difference to cybersecurity? There are three key reasons why businesses, and especially finance teams, should take measures to be prepared for a sustained increase in vulnerability due to greater home working.
1. People feel more comfortable at home
Not exactly a revelation, but have you considered the security implications?
Working from home is not the same as remote working. Home feels safe in a way that a hotel or a train doesn’t, and that can lead to people letting their guard down and taking risks. This could be something as seemingly harmless as leaving a device unlocked when unattended, but it could also include more serious lapses. In a post-lockdown study by Proofpoint, almost half of employees admitted to having let a friend or family member use their work-issued devices.2
People are also more likely to use their work devices for non-work tasks: this includes checking personal email, online shopping or gaming. Any of these could lead to the device being infected with malware and the exposure of company information.
And if organisations don’t give their employees all the user-friendly tools they want, people will find their own workarounds. 7% of employees admit to having used a personal cloud app to store sensitive corporate information.5
But it’s not just data that you should be concerned about. Finance teams have access to many key systems, including those related to banking and payments. A malware infection could lead to credentials being stolen and attackers getting access to these systems.
There are many technical solutions to help mitigate these risks, including mobile device management (MDM) and cloud access security brokers (CASBs). But education of employees is vital. Many people will be working remotely for the first time, but even seasoned remote workers would benefit from a reminder of the risks and of how to report suspicious activity.
2. Attackers exploiting the situation
Attackers will seize on anything to see if it can help further their attacks. And the pandemic was no exception. Back in March 2020, Europol reported how quickly criminals had adapted their methods to exploit the crisis.1 Malicious actors were quick to take advantage of the increased use of video conferencing to create new phishing campaigns; they even exploited the shortage of certain goods like hand sanitiser.
Business email compromise (BEC) attacks, also known as CEO fraud, also offered a way to take advantage of the situation. BEC attacks are a form of fraud where the attacker impersonates somebody within the company—or sometimes a business partner. These are typically carried out via email, but there have been examples of attackers using “deep fake” technology to impersonate people on the phone. With employees working from home it may not be as easy for them to check the validity of a request or instruction, as it would be in the office, leaving companies more vulnerable to attacks.
According to the FBI, which has been studying them since 2013, the worldwide losses from BEC attacks have been rising year-on-year.3 In 2020, the total reported losses reached $2.1 billion across 177 countries, and that’s almost certainly just a fraction of the total problem.
Some high-profile cases have hit the headlines, like the €6 million personal protective equipment (PPE) scam.4 But the FBI notes that the organisations that are most vulnerable to BEC scams are small and medium-sized ones—possibly because they have less rigorous processes in place.3
Companies have been warned to watch out for the urgent call from the CEO about to take a flight, so many attackers are shifting to trying to manipulate more mundane payments, like salary.
“Hi. I’ve just changed bank account. Would you please make sure that future salary payments go to the following account. Thanks”
Again, education plays a large role in combating these problems. Many of these attacks depend on an employee unwittingly cooperating, so making sure that staff are aware of threats like this is vital. There are also simple and inexpensive things you can do to make it easier for users. For example, many companies have changed their email setup to flag messages from outside the company’s domains, e.g. “[E] Urgent request”.
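One way to implement the external-sender tagging just described, together with checks for the BEC pattern the article warns about (an internal-looking display name or a diverting Reply-To on a salary-change request), as an added example in Python that is not the article's own code. The company domains, staff directory and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders for the company's own mail domains and staff.
COMPANY_DOMAINS = {"example.com", "corp.example.com"}
STAFF_DIRECTORY = {"Anna Example": "anna@example.com"}
EXTERNAL_TAG = "[E]"


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """True when the From address is not on a company domain."""
    return domain_of(msg.get("From")) not in COMPANY_DOMAINS


def tag_message(raw):
    """Parse raw mail and prefix Subject with EXTERNAL_TAG (idempotent)."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith(EXTERNAL_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


def impersonation_warning(msg):
    """Return a BEC red flag ('' if none): a known staff display name on
    a foreign address, or a Reply-To that diverts replies elsewhere."""
    name, addr = parseaddr(msg.get("From", ""))
    expected = STAFF_DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        return f"display name '{name}' is staff but address is {addr}"
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain_of(msg.get("From")):
        return f"Reply-To domain {reply_domain} differs from From domain"
    return ""


# Constructed sample: the article's salary-diversion request, sent from a
# lookalike external domain under an internal-looking display name.
SAMPLE_EXTERNAL = """From: Anna Example <anna.example@mail-example.net>
Reply-To: payments@mail-example.net
Subject: Urgent request

Hi. I've just changed bank account. Please pay future salary there. Thanks
"""
SAMPLE_INTERNAL = "From: Payroll <payroll@example.com>\nSubject: Payroll run\n\nHi\n"
```

In a real deployment the tag would be applied by the mail gateway, and the staff directory would come from the organisation's identity system rather than a hard-coded dictionary.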
3. Technological weaknesses
Many organisations had systems, such as virtual private networks (VPNs) which encrypt data sent over the internet, in place prior to lockdown. But even many of those that had protections in place found them unable to cope with the dramatic increase in demand. There was also a global shortage of laptops as companies and students rushed to buy them. As a result, many companies opened up access to corporate systems to personal devices.
Less than half (47%) of those with a VPN on their work device use it all the time.
Home networks can also be a risk. Many people don’t set a secure password, check for updates or take other basic precautions. And a home network is exposed to types of threat that don’t crop up in the office: it is shared with children playing games and with devices such as smart TVs and home automation gadgets, any of which could be compromised. In November 2020, Amazon removed many smart doorbells from its site after they were shown to be soft targets for hackers.7
According to Verizon, 44% of companies don’t have an acceptable use policy (AUP).6 This is an important tool for making sure that employees are aware of their responsibilities and what behaviour is and isn’t acceptable—checking your personal social media accounts on a work device may seem harmless, but could expose the company to greater risk. There are also tools to make sure that employees only use authorised web tools, and that they do so safely. A cloud access security broker (CASB) can monitor all cloud use and enforce security rules.
Securing the future
With restrictions due to the pandemic ongoing, organisations should make sure that they are taking adequate measures to secure those working from home. Especially as it seems likely that while working from home will fall from its pandemic peak, it will settle at a much higher level than before.
1. Europol, How criminals profit from the COVID-19 pandemic, March 2020
2. Proofpoint, 2020 State of the Phish, January 2020
3. FBI Internet Crime Complaint Center, Alert Number I-040620-PSA, April 2020
4. ZDNet, Europol arrests man for coronavirus business email scam peddling masks, sanitizer, April 2020
5. Netskope, Cloud and Threat Report, August 2020
6. Verizon, Mobile Security Index, February 2020
7. BBC, Smart doorbells 'easy target for hackers' study finds, November 2020
The information provided within this website is intended for background information only. The views and other information provided herein are the current views of Nordea Bank Abp as of the date of publication and are subject to change without notice. The information provided within this website is not an exhaustive description of the described product or the risks related to it, and it should not be relied on as such, nor is it a substitute for the judgement of the recipient.