Imagine a castle built with impregnable walls and a huge door so thick that not even an army could knock it down. Now imagine that all the people living or working inside this fortress have each installed themselves an entrance in a section of the wall which they use to get in and out whenever they feel like it. Oh – and they’ve told all their friends about its location so they can visit whenever they feel like it too, rendering all the protective measures totally useless.
This is the situation organizations are facing right now after the coronavirus pandemic forced them to hurriedly send employees home armed with – at best – a flimsy VPN and a password that’s about as secure as the unlocked, user-installed doors in our hypothetical citadel. Unfortunately, home-workers can easily open backdoors into their employer’s system by innocently sharing passwords with colleagues or making simple mistakes which would be impossible in a highly protected office environment.
Businesses are well used to facing down the threats posed during business hours, when staff are safely cooped up in a tightly controlled network protected by firewalls, regularly changed passwords and the ever-watchful eyes of a top-class security team. Now, as Britain is hit with another lockdown, security staff are faced with the nightmare scenario of keeping their employers safe from the usual threats as well as the plethora of endpoints and attack vectors opened up when staff log on from personal devices using insecure routers.
That situation is scary enough, but there’s one legacy feature worth considering that could permanently turn the home-working dream into a nightmare: human nature. F-Secure recently carried out research which suggested that 42 percent of British people share the login details to their favorite streaming services with between one and three people. This is an inherently risky activity, exposing user passwords to an increased cybersecurity risk and making it more likely that those passwords will be compromised. If this bad practice extends into business hours, the problem is made much worse. When left to their own devices, so to speak, employees can cause major security risks as their work and personal lives cross over.
To get a sense of what could go wrong, think of what could happen if one employee decided to share a password with a colleague over an insecure messaging app. It would be relatively straightforward for an attacker to snoop on these apps. Then, once they spot a password, the attacker can gain access to a system and begin looking for ways to escalate privileges and reach other parts of the corporate network. The risk of sending passwords over email or through an app is very high – and we know that many people do this in their personal lives. If businesses want to ensure they are secure in the era of remote working, they must hammer home the point that passwords must not be insecurely shared under any circumstances.
Password hygiene should not be limited to work accounts or corporate systems. To gain the best possible protection from attack, employees must be encouraged to secure their Wi-Fi router. If it uses a default password, this needs to be changed immediately. Security can also be improved by encrypting the network. Unfortunately, many people don’t realize their router is an attack surface that’s vulnerable to attacks such as a DNS hijack, in which attackers modify its settings to monitor, control, or redirect internet traffic. This could prove personally ruinous, as criminals could redirect victims to fake bank websites and drain their real accounts. It could also do damage at a corporate level by allowing hackers to harvest passwords or credentials.
There are obvious technical ways to cut down the risk of home working. VPNs are a must, as well as education on how to use them properly. This advice is particularly relevant in the age of the web app, because exploitation of a single security flaw in an application can easily lead to a fully-fledged security breach. Staff should also use antivirus software on devices they use for work, whether they are BYOD machines or corporate computers.
Remote working is here to stay
However, as well as taking tech-based precautions, organizations should consider the concerns of their human employees, as some pre-emptive analysis can cut down on risk. For instance, we know that Covid phishing scams are now common. Security staff should be coaching home-workers and making sure they know phishers’ tactics. That way, tempting “Covid cure” emails can be avoided, and systems will remain secured. Employees should also be encouraged to report suspicious emails they receive at home, so businesses can keep abreast of the deception techniques attackers are using during their phishing campaigns.
Oversharing is another out-of-work habit that can pose a security threat. There’s the obvious risk posed by social media, which can be a treasure trove for hackers looking to gather open-source intelligence about an organization they are looking to target. If staff are working from home, they should avoid posting images of the workspace they’re using, because these images could contain information which is of value to attackers. Screen-sharing should also be performed with caution, so that sensitive data is not given away during video calls.
It seems that home working is not going away – even after the pandemic subsides. Human nature is not going to change either, meaning that security teams need to urgently consider how risk between work and play can merge. To stay safe, organizations need to protect from outsiders and insiders. After all, there’s no point building a gigantic portcullis on a castle if it’s weakened with hundreds of user-generated backdoors which let enemies come and go as they please.
Tom Gaffney, Principal Consultant, F-Secure