The rise in mobile devices and an ‘always on’ culture have led to more employees checking their emails while on the beach or by the pool. This might seem harmless, but research from Palo Alto Networks has found that connecting to unsecured Wi-Fi networks to check emails when on holiday is leading to an increasing number of cyberattacks, as individual devices often have less stringent security measures than office-based devices. Here, eleven industry experts give their thoughts on how businesses and their employees can stay safe this summer.
Jeff Bishop, CPO at ConnectWise, tells the story of tech scamming that many businesses will be familiar with.
"If you work in the technology industry, it’s likely you’ve gotten a call from an upset customer who’s fallen prey to a tech scammer. They received a scary email informing them that their computer was infected and all their files were at risk. Disturbed by the notion that they might lose all their data, they complied with the instructions and allowed the stranger on the other side to remotely access their machine. It’s possible that they’ve received legitimate remote support in the past, so they knew what to expect. After all, even the caller ID looked legitimate. Unfortunately, you know all too well how the story ends. The scammer gains access to the device, and then requests payment for fixing a non-existent issue, and possibly installs malware or spyware for easy access later. Your customer is left feeling violated and confused. Now, they’re knocking on your door for help.
“Proactive and continuous customer outreach and education will go a long way in showing that you care about their cyber safety. And if you pair those efforts with remote support and access software that offers transparency and security, you’ll be well on your way to establishing your business as a trusted technology advisor."
As Bishop highlights, emails can be an easy way in. Derek Lin, Chief Data Scientist at Exabeam, explains how these attacks can happen.
“Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company that houses sensitive data – especially electronic healthcare records – should aim to nip this problem early on by identifying and alerting on these malicious links.
“There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookup. However, like any signature-based approaches, newly crafted phishing URLs cannot be identified this way. New machine learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries.”
Protect data in advance
As these hacks become an ever-increasing problem, Avi Raichel, CIO at Zerto, explains why having disaster recovery in place is crucial in case a cybercriminal gets through your defences.
“Ransomware is a huge threat to businesses and even just a single vacationing employee clicking a malicious link in their emails will mean a ransom must be paid for all business data encrypted. Cyber-criminals often exploit vulnerabilities in employee emails, so it is crucial to have the right cyber-defences in place to avoid a disaster where customer data, and a lot of money, could be at risk.
“Having appropriate role-based access control and an extensive tiered security model will help minimise risk. But, the attack itself is only half of the problem because, without sufficient recovery tools, the resulting outage will cause loss of data and money, as well as reputational harm.
“In the event of any disaster, businesses should utilise tools that allow them to roll back and recover all of their systems to a point in time just before an attack. This level of disaster recovery is paramount: as emails continue to exist at the core of most businesses, they remain a standing target for ever-sophisticated cybercriminals.”
“Far too many companies still believe that a cyberattack will never happen to them, instead of accepting the inevitability and putting mitigation technology in place,” says Steve Nice, Chief Technologist at Node4. “When employees are abroad or working remotely, it is vital for businesses to recognise how to strengthen their security to help prevent potentially devastating attacks from affecting them. The first step is to find and understand what their security flaws are with a Vulnerability Testing programme – understand where the weaknesses are and support these areas rather than spending money on unnecessary security infrastructures before knowing where the holes in the defence really lie. It is a vital sanity check against the layered security already in place.”
But it’s not just the technology, it’s your people too, as Graham Marcroft, Operations and Compliance Director at Hyve Managed Hosting, reveals.
“When it comes to online security and data protection, human errors are often considered to be the biggest threat and ‘weakest link’. So, without appropriate training and education, individual employees and the businesses they work for can fall victim to cyberattacks. Whilst many attacks are designed to take advantage of human errors, business owners should avoid solely putting the blame on employees and focus on improving their cybersecurity training and in-house security practices.
“Be more creative and incentivise security awareness with competitions, ethical hacking and focussing on the individual’s vital and ongoing role in cybersecurity. Just by understanding things like phishing attacks, promoting safe password management and protecting sensitive information, employees can make more informed decisions about potential security risks both at work and on the beach, which will go a long way to keeping your business robust and resilient.”
“Social engineering attacks are a go-to method for hackers,” warns Steve Wainwright, Managing Director EMEA at Skillsoft. “They rely on unwitting, unsuspecting and, at times, careless employees. A recent Positive Technologies study found that more than one in ten employees fall for this type of attack. Social engineering attacks work by using psychological manipulation. Hackers use information gained on social media or the dark web to build a profile of a person, and then pose as someone they might know via email. They might then encourage their victim to click on a link or download a file that contains malware. The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks. Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”
Tips for the road
So, there are practices business leaders can implement to protect against cyberattacks on a regular basis. But what can employees do specifically when they are on holiday? Paul Rose, Chief Information Security Officer at Six Degrees, shares his top tips.
“All unencrypted Wi-Fi – where you do not need to enter a password to connect – is susceptible to cyberattack. Cybercriminals can use unencrypted Wi-Fi to harvest data, and they are often able to intercept anything that is sent to and from a device. This can include emails, images, usernames, passwords, attachments and cookies; potentially incredibly damaging in the wrong hands.
“There is even sophisticated software that will be able to scan your device to exploit any hardware vulnerability. It’s scary stuff, but providing your organisation has appropriate controls in place, you can take the following steps to help mitigate security threats:
- Connect to a Virtual Private Network (VPN);
- Assume that all Wi-Fi hotspots are unsecure;
- Do not use the same password for online apps/sites and Wi-Fi hotspots;
- Change the settings on your mobile devices so that they do not automatically connect to nearby Wi-Fi;
- Ensure that you only enter details into websites that are HTTPS.”
Similarly, Bryan Becker, DAST Product Manager at WhiteHat Security, discusses the measures that can be introduced.
"Connecting to a public Wi-Fi network whether outside or on vacation always carries a certain degree of risk. I would advise not accessing anything of value while on a public network, including email or accounts that need to be logged into.
“However, organisations can provide their employees access to a virtual private network, or VPN, which forces all traffic to travel through an encrypted channel. In this case, using external Wi-Fi networks is generally safe. For organisations that want to take things to the next level, they can even set up employees’ computers or accounts to only be accessible when on the company VPN, preventing a situation where a user might forget to secure themselves before checking their email.”
Roderick Bauer, Marketing Director at Backblaze, comments: “The temptation to connect to the quickest and easiest Wi-Fi network when travelling is dangerous when considering the bad actors seeking opportunities to steal your personal information from these weak or public Wi-Fi networks. If you do need to access public Wi-Fi networks, remember to use strong passwords and change them often, look for the HTTPS prefix in a URL to signify it has a Secure Socket Layer (SSL), turn off sharing abilities on your devices, reject requests to share data, and set up a virtual private network (VPN) to protect your connection by routing your traffic through a secure network while still enjoying the freedom of public Wi-Fi.”
Anurag Kahol, CTO at Bitglass, highlights how the popularity of BYOD – though practical in an office – can be the cause of issues when travelling abroad.
“Bring-your-own-device (BYOD), where employees use their personal devices to access corporate data, is a growing trend for organisations to offer employees more flexible working, whatever their location: in an airport, at the office, or on the beach. In fact, a recent Bitglass report found that more than 85 per cent of organisations are embracing BYOD.
“However, when an employee leaves the corporate network behind and accesses business email, data and files directly from their unsecured device, their organisation loses its traditional ability to protect its data and exposes the business to a great deal of risk.
“The best approach here is for IT teams to switch their focus from securing the device to securing data. Rather than focusing on whether or not a device is ‘trusted’, IT teams should ensure that company data is safe, no matter where it travels – even if that is to the beach.”
As important as email security is, one of the most valuable measures to take is arguably to just switch off, as Tim Bandos, Vice President of Cybersecurity at Digital Guardian, concludes.
“Palo Alto’s research found that over a third of UK workers would be likely to use their work device on an open Wi-Fi network when they go on holiday. This study not only suggests we have a difficult time in disconnecting from the work world during a much deserved and needed vacation, but also that individuals are at the ready to overlook traditional company policy in avoiding these types of practices. Connecting to open Wi-Fi networks can leave your PC at risk for attackers to discover and target your device, along with the possibility of capturing your web traffic data. If you must connect, you should always use a secure VPN over an open connection or seek out secured Wi-Fi services in order to encrypt your communications properly and safeguard your computer. Otherwise, take a break!”