Cyber and Physical Risk Mitigation for Remote Workers
During the pandemic we have all seen the funny videos: Someone is being interviewed from their home about a serious topic when their toddler/teenager/pet suddenly appears and creates a moment of levity. For companies who had to send their workers home last March — many for the first time — these have become common occurrences. While these may be harmless events, however, there are other work-from-home scenarios that are much more menacing.
Consider the unfortunate situation a high level executive at a top financial institution found herself in recently. “Someone had taken over her router and overwrote the operating system,” says Jeff Stutzman, CEO of Trusted Internet and a cybersecurity consultant for G4S. “Every time she logged on, her username and password were stolen.” This allowed the cyber criminals to eventually steal $82,000 from her bank accounts and cost her another $30K in incident response fees.
The unfortunate reality is if you have something worth stealing, the criminals will follow you to wherever you are — including your home.
“When you work at home, the risks are just as big, with a lot less security,” Stutzman says.
These days, many employees are working from home, and that trend shows no sign of going away.
It’s not like there was time to prepare for this, either. The way the pandemic hit last March, many found themselves scrambling, sending people home with ad hoc systems at best. “In the rush to keep things going, they were all using new processes and adhering — or not — to security policies that are essentially spotty,” Dodge says. “At the same time, the boundaries between work and private lives are breaking down. Business is being done over home ISPs, and in the background, you can hear spouses or children who might be listening. People are sharing machines and personal and corporate computers are all getting intertwined.”
While emergency measures were understandable in the beginning, as the pandemic has continued, many organizations are finding that having employees work from home actually benefits both the company and the employee; and many experts believe that the work-from-home trend may be here to stay.
That means it is critical to understand the risks and potential solutions to keeping them as secure at home as they are in the office.
What Do I have to Protect?
The first step to mitigating risk is to understand it, says Denise Stemen, deputy special agent in charge for the Federal Bureau of Investigations in the Miami area. “The first thing to look at is, What are my crown jewels? What are they going to go after and why would they be interested in me?”
There are various reasons hackers go after a company, she says, from hacktivism to money. But the No. 1 thing they are frequently after is PII (personally identifiable information) they can sell or use to get to what they are ultimately after, Stemen says.
“If you are in the medical industry, that is your patient information, their Medicare or Medicaid numbers that can be converted into cash,” she cites as an example. Another one this year was around the stimulus checks. “Any time the government puts a stimulus package together we see an uptick in PII activity, because it is easy to set up these accounts,” she says.
What Do I have to Protect it From?
Keeping with our healthcare example, the number one way hackers attempt to get at this information is by phishing attacks — emails designed to get the recipient to click on a link, which gives the hacker a back door to that information, or lets them hold it hostage for money in a ransomware attack. “That is the No. 1 way into your company, by far,” Stemen says.
What’s more, she adds, while the sophistication of the attacks has gone up, the knowledge required to launch such attacks has decreased. “You can buy anything on the internet. You don’t have to be able to write the script; you just have to be able to execute it.”
There are “tools” commonly available that run unmanned 24/7/365 looking for ways in,” Stutzman says. “Many of these are looking for physical security systems and the computers that are built into them.” They also can be used to look for vulnerabilities in your — or your kids’ — online gaming systems, he says.
Dodge says the increased number of ways in for these attackers — both digitally and physically — is a big challenge with employees working from home.
While they don’t typically have the same level of physical security their workplace does (commonly with professionally installed and monitored access control and cameras), they often do have some type of smart home device that is tied to their smartphone — a garage door opener, internet-enabled camera, doorbell, thermostat or even door lock. All of these are potential vulnerabilities. And once cyber-criminals are in, it can be difficult to get them out.
Stutzman compares a cybersecurity attack to a bedbug infestation. “If you have ever dealt with bedbugs, you know that once you get them, they are very hard to get rid of; cyber is no different.”
The typical home router setup is not secure, he adds. Combine that with the growing number of devices designed to connect through it, and you have a recipe for trouble.
“Video surveillance is routinely targeted by bad guys, he says. “Often in the home, these don’t have any protection. I had one client tell me someone was talking to her through her video system, telling her not to forget her purse on the kitchen counter.”
Every home automation system is designed to connect through the router to a smartphone, via the internet. “If you can see these things on your phone and it isn’t protected, others can see them, too,” Stutzman says. “They can potentially do things, such as unlock the front door (if it is an unprotected smart lock), or open the garage. And if you have a camera they can see when you are not home.”
How Can I Most Effectively Protect it?
Once you understand the risks and type of information you are protecting, the next step is to help fortify your (or your employee’s) home. Just like in the workplace, this requires a combination of technology, education and, most importantly, buy-in.
Some of the simplest things can help mitigate potential attacks, starting with being aware of them.
“The number one way in is phishing,” Stemen says. “Your employees have to be educated on this threat. They need to buy in to this security need.”
You as the employer also need to be aware of how their home email is set up. “Once [the cybercriminal] is in your email, what do they have access to?” she asks.
While ideally a company will report any breaches, Stemen says many don’t. Still, at the very least you should be getting notifications from somewhere (the FBI or other official sources) with the latest information on new variants of ransomware and other trends they are seeing in malware signatures.
The landscape hasn’t changed; COVID-19 has just increased the number of people and locations that need protecting, Stemen says. “They are home, probably using their own personal devices. Do they have the most recent software? Have they upgraded all their apps?”
Dodge says it is critical to expand your security awareness training for employees to cover both the physical and cyber risks of working from home, including how to recognize spear phishing, as well how to protect their documents and materials, both physically and digitally. Make sure they have a shredder, he suggests.
“To have a secure home office, you have to lock your door and keep things secure,” he says. “Have a timer on your computer and separate your personal devices from your work devices. A lot of this is common sense, but not a lot of it is happening out there.”
Beyond the basics, there are other tools that can be used to protect home works on a cyber-front, Stutzman adds. He recommends a good managed antivirus program [such as Fortinet], combined with a good signature-based firewall. Then, he says, use a VPN for any connections outside the home. “I create one that goes back to my firewall at home. Anytime I am travelling I will be on a VPN back to a place I trust.”
Enforcement of these types of policies is harder with at-home workers, Dodge acknowledges. Some companies send fake phishing emails to see who opens them so they can be trained further. “I have even seen companies do random spot checks to help people understand how to better secure their homes,” he says. “Most of these folks are not security people. They don’t understand these things so you need to help them.”
In the end, the point is to make the employee’s home a true extension of work, Stutzman concludes. “You need to have the kind of security protection in the home that you have in the office.”
Executive Vice-President, G4S Corporate Risk Services at G4S. Throughout his career, Mr. Dodge has managed and operated on security and investigative projects in more than 60 countries around the world. He also has specialized expertise in corporate investigations as well as risk, vulnerability and threat assessments.