Remote work and cybersecurity: Coronavirus impact
Since late last year, the coronavirus has killed thousands of people on several continents and infected hundreds of thousands more. In response to the pandemic, the EU is “locking down its borders, imposing a 30-day entry ban on nonessential travel for non-EU citizens to slow the spread of the coronavirus,” NPR reports.
In the US, CNBC has reported, courtesy of a Marist poll, that almost 20% of households have had hours cut or a job lost because of this pandemic -- with “[m]illions more job losses … expected by summer.”
If you are fortunate enough to still have your job -- with full hours and pay -- you might be telecommuting now. You might even be telecommuting while at home with your school-age children, more than 80% of whom UNESCO reports are home because officials have closed their schools.
What are the latest trends in cybersecurity for remote workers?
Everyone needs to know about these trends, from the businesses Threatpost reported on that weren’t prepared for telecommuting (and thus weren’t prepared for remote-working vulnerabilities) to the organizations surveyed by Forbes that had ruled out working from home but have since decided to plunge head-first into what is often a data breach waiting to happen without good cyberhygiene.
And while it’s comforting to see (per Forbes) a team of cyber experts forming to protect health care workers (from attacks such as the one documented by Healthcare IT News), the online workforce is still being targeted like never before -- and particularly with many more federal employees now working from home (and agencies being encouraged to shift even more workers to telecommute arrangements), as Government Executive reports.
So this issue is clearly relevant to most sectors of the economy. Here’s what you should know:
- Zero trust is a big trend, and BlackBerry executive Alex Willis talks about it in this Forbes interview.
Besides corporate IT security policies requiring strong passwords and multifactor authentication to prevent unauthorized access to sensitive information, artificial intelligence is constantly monitoring “each action the user takes,” so if something abnormal or risky does happen, your company IT system knows about it and can start counteracting the potential damage. In zero trust, AI and machine learning build a behavioral profile, so you know what an employee is supposed to be doing, and when.
But as Vladimir Jirasek writes at Help Net Security, zero trust works only “when organizations know exactly” which employee is using what applications on what devices and “how [those devices] are configured, interrelated and secured.” Unless an organization has that level of certainty, Jirasek warns of “potentially costly and doomed-to-fail zero trust re-architecture programs.”
And furthermore, as Security Boulevard reports via a Pulse Secure and Cybersecurity Insiders study, half of organizations aren’t confident enough to use zero trust. FierceTelecom reports that only 8% of wide-area network managers say they’re using it.
- Listen to the experts at the National Institute of Standards and Technology, who recommend that business leaders figure out which employees can access which networks and how all the data/sensitive information are handled. Those are the basics of the 32-page document -- if you can understand it and how to integrate it with other requirements, which, according to Nextgov’s Mariam Baksh, many organizations can’t. In many cases, the NIST’s eight-point plan might look more like eight-point pain:
- Integrate enterprise and cybersecurity risk management.
- Manage cybersecurity requirements.
- Integrate and align cybersecurity and acquisition processes.
- Evaluate organizational cybersecurity.
- Manage the cybersecurity program.
- Maintain a comprehensive understanding of cybersecurity risk.
- Report cybersecurity risks.
- Inform the tailoring process.
- Use good old common sense.
It might seem obvious, but too many employees fail at it. How do we know? TechRadar’s report on employees’ lack of good cyberhygiene as the continued menace to business security -- “90 percent of corporate data breaches in the cloud happen due to social engineering attacks which target customers' employees” -- is nothing new.
CNBC found the same in 2018, TechRepublic reported on the same problem in 2017, IBM said it in 2016, and The Wall Street Journal reported on the matter in 2015.
SmartBrief’s Lilla Ross covered internet of things security problems here. Overall, good cyberhygiene best practices for working at home include patching your devices, using a strong password and multifactor authentication, staying away from phishing emails, using a virtual private network and locking devices if you’re not using them. This EU checklist is another good IT security resource for remote workers.
Why the coronavirus might make data breaches worse
Employees who aren’t well-versed in cyberhygiene practices, such as not selecting suspicious links in emails, are now more likely to be working from home, CNBC reports. Some of those employees may be staying with children or elderly relatives, which is likely going to extend working hours, increase aggravation and generally breed an environment in which cybersecurity training goes out the window.
To make matters worse, most cyberattacks take place outside of working hours. So even if an unsophisticated spear-phishing email using social engineering arrives in your inbox at 7 p.m., you might see it before you’re done with your work for the day. At that point, you’re tired, hungry, perhaps annoyed with at least one relative (“Haven’t I asked you SEVEN TIMES not to interrupt me while I’m working?”), and in comes an email from the payroll manager, asking for your computer password because the office’s data didn’t migrate.
Those emails are likely to be more frequent, not only because of the hour, but also because of the pandemic and the increase in remote working. SentryBay CEO Dave Waterson in an interview with Raconteur predicted up to 40% more cyberattacks during the crisis, and other experts predict even greater increases. And those attacks are getting personal, as SmartBrief on Cybersecurity covered recently. Tech Times reported recently that they’re also using the appearance of credibility. And they’re targeting the desire to stay informed about cases worldwide.
Another possibility is that hackers will target employee fatigue and a company’s VPN. The Hill reported recently on renewed threats in that arena, and this Hill article, by cybersecurity attorney Brian Finch, raises further alarms because of Iran’s cache of stolen passwords and the chances that Iranian hackers have set up “backdoors in the ‘Virtual Private Network’ servers that countless American businesses rely upon to allow secured out-of-office access to their systems.’”
All of this is tremendously troubling from a cybersecurity perspective. But it’s also a threat in terms of identity theft and credit monitoring. That corporate data breach an employee can cause by allowing cyberhygiene to lapse can easily turn into a personal data breach of personally identifiable information.
Billions of dollars in cybersecurity training can go out the window unless you constantly practice good cyberhygiene and avoid these potential remote working vulnerabilities when telecommuting.
If you’ve enjoyed this take on the newest security implications of remote work, subscribe to ISACA SmartBrief on Cybersecurity for more cybersecurity news five days a week. You can also subscribe to our new pop-up newsletter covering the coronavirus for a business perspective on the global pandemic. For even more informative news coverage, subscribe to any of SmartBrief’s 275+ free newsletters.
Patrick Hopkins writes about transportation and public technology and copy edits technology news. He has been copy editing professionally for more than a decade and reading technology news for longer.