The coronavirus pandemic has catalysed a global home-working experiment. With social distancing measures in place worldwide, the traditional office nine to five has for many been replaced by emails, video conferencing, and remote access to shared computer servers. While there are some positive aspects to the new status quo – does anyone really miss the morning commute? – moving out of the office has placed organisations at greater cyber risk.
In the dim, distant past of water coolers and office banter, some members of staff may have viewed cyber security as the remit of their colleagues in IT, but working in quarantine demands more individual awareness. “Extra vigilance is required, especially regarding what you are clicking,” says Adenike Cosgrove, international strategist at Proofpoint, a cyber security services firm. “Remote working often means you aren’t protected by the same safeguards your office has in place… and the risk of email fraud naturally becomes greater. For example, it becomes more difficult to verify whether the person behind the email is actually who they say they are; you can’t just head over to their desk to check.”
The technological expertise of hackers should be seen as secondary to human error. “The person at the screen or keyboard is always the weakest point in a system,” Aaron Mauro, assistant professor of digital media at Brock University in Ontario, Canada, wrote in The Conversation last month. “Attackers will use a set of techniques…to trick us into divulging sensitive information.”
Indeed, Proofpoint’s most recent annual Human Factor report, published last September, found that 99 per cent of cyber attacks require some level of human interaction, such as following a hyperlink, entering password credentials, or downloading an email attachment. Hackers tend not to target executive or management-level employees, but rather those in more junior positions, the report said.
The threat of phishing – fraudulent emails that involve some kind of impersonation or misdirection to convince the recipient to do something – has increased alongside the spread of Covid-19. Chaminda Thushara Hewage, of Cardiff Metropolitan University’s computer science department, explains that while the “format of phishing is largely the same”, the context of coronavirus, and people’s more susceptible emotional states because of it, are being exploited.
“There is a lot of panic due to Covid-19… and people are anxious about what is happening. The World Health Organisation has referred to this [situation] as an ‘infodemic’. This means people are searching for health information online. Many attackers, therefore, are creating phishing campaigns to pretend that they are providing health guidelines or services relating to the virus,” he explains. Action Fraud, the UK’s reporting centre for fraud and cyber crime, found that over £2m had been lost to scams using coronavirus as a pretext in this country since the first quarter of 2020. And in a recent survey of UK businesses by Gauntlet Risk Management, more than a third of respondents admitted to not knowing what phishing was.
What lessons can companies learn from the sudden shift to home working? How will the world of work adapt to cope with similar situations in the future? Business strategies need to strike a balance between technical provision and human resources. Norton, which produces popular anti-virus software, has published guidelines urging good cyber hygiene. These include strong and regularly changed passwords, timely software updates, a clear distinction between personal and work-related devices, and secure virtual private network (VPN) arrangements.
A VPN is a piece of software that creates a secure link between a person’s internet access, whether using a public or private connection, and that of their organisation. In other words, it is like a passageway, protected by encryption, that only someone with specifically granted access can use. Access is usually granted by a two-step verification process. This could involve a password and a code texted to someone’s mobile phone.
But while VPNs are widely recommended in the cyber security industry, they still come with caveats. For one thing, as Phil Chapman, a cyber security instructor at Firebrand Training, told Computer Weekly in a recent interview, they rely on the security of the originating network. If that is questionable, then there is cause for concern. Chapman advised companies to urge staff not to use their home Wi-Fi, and instead to connect their computer to the router with an ethernet cable for added security.
Johannes Ullrich, fellow and dean of research at the SANS Institute, says that using devices exclusively for work is a good habit to get into when not in the office. In their haste to get people working from home during the pandemic, Ullrich says, many companies have taken costly “shortcuts”, with some allowing employees to use shared home computers, rather than supplying them with company kit. “Using the same computer for confidential company data that the kids use for online gaming can expose that data to malicious content introduced by other users,” he explains.
Home assistant devices such as Alexa or Siri are a risk factor that many companies are currently overlooking, Ullrich adds. “They may pick up phone calls or video conference discussions and exfiltrate them,” he says, so people should be mindful about having them in the room that they are working in.
The video calling platform Zoom saw its user base grow by 67 per cent in the first quarter of 2020. At the time of writing, it had been downloaded more than 50 million times on Google Play Store. The software, which allows anyone to join a call by clicking a link, has helped to substitute for office meetings. As convenient as this is, the platform does present vulnerabilities. Its open nature has given rise to the trend of “Zoom-bombing” – where people who are not meant to be on a call somehow manage to access the link.
The firm’s CEO Eric Yuan has confirmed Zoom is working on a newer version of its software with stronger encryption technology built in. This is due to be launched in May. In the meantime, users can take steps to guard against breaches, including using the right settings and following good cyber hygiene. According to guidelines published by PC Mag, users should avoid sharing their link or meeting ID on other platforms, such as social media or public forums. As well as setting a meeting password, users should set screen sharing to “host only” where possible.
As for the human side of cyber security, communication is key. When you cannot wander over to someone’s desk to check something, a simple query in instances of doubt can go a long way. Did you send that? Can you confirm X or Y? Norton’s guidelines suggest that a phone call to clarify something in an email is a low-tech solution to what could potentially be a huge problem.
The coronavirus crisis, Adenike Cosgrove hopes, will be the impetus that companies need to start viewing cyber security as an “ongoing” risk, affected by “new realities that are reshaping the workforce”. Occasional phishing tests and training “once or twice a year” are “simply not enough”. Awareness “throughout” organisations will dictate whether or not they are equipped to cope. If working from home is to be the new normal, Cosgrove says, then employees should be guided on how to do so safely. The basic principles of cyber security – user vigilance, timely updates of hardware and software, and regularly changing passwords – have not changed. But Covid-19 has certainly underscored their importance.
This article is from Spotlight’s May supplement on cyber security.