Cybersecurity and What’s Not Working from Home
Though 2021 signals positivity, including vaccines for COVID-19, some changes in the workforce due to coronavirus are likely to stick around. Many things are possible from the relative comfort of our own homes, from university lectures to financial consultancy. In the next year, even as we return to some form of immunized normalcy, remote work will likely remain popular.
However, not every company has adapted to the working from home (WFH) standard with the same finesse. Many at-home setups are still unsecured, with no company products, VPNs, or additional software in sight. This lack of security can have many detrimental effects. In fact, 2020 saw a huge uptick in ransomware attacks compared to the prior year.
The Scramble to Adapt
In an interview with CyberNews, Mike Wilson pointed out that people left their offices in a hurry. This led to some of the security gaps created by remote working. In March 2020, when many industries descended briefly into chaos, few of them had any security policies in place for such a change. Numerous employees had to alter their work environment, workflow, and approach to staying safe, with almost no guidance.
Many businesses had never needed to think about providing cybersecurity for their remote employees, as working from home hadn’t been an option.
Wilson had previously predicted that ransomware attacks would increase when the shift to remote work occurred, particularly because security concerns get missed and, of course, ‘there’s a huge monetary incentive for the people performing these attacks.’ Some reports indicate that the average ransom is a million dollars.
Vulnerability Isn’t New!
There are plenty of companies out there that were vulnerable to ransomware attacks even before employees began working remotely. Some don’t know they’re vulnerable, some aren’t aware of the increased danger with WFH, and others simply haven’t been exploited yet.
Additionally, companies that have some cybersecurity processes in place still might be compromised in ways they’re not aware of. In order to open up their internal networks to remote employees at home, many companies set up VPNs for employees. Once employees are on the VPN, they have access to resources that are locked down in a secondary manner.
Along with VPNs, employee devices – most often laptops and phones – can serve as useful security measures. But providing a device is not a cure-all, because employees can circumvent those measures. For example, an employee might receive a company-issued laptop but decide to use their desktop at home because it has a nicer monitor or keyboard. Their personal device might not have the same company management and security software as the issued device.
Not the Only One
When employees are working from home, theirs is probably not the only device on the network. Mike Wilson commented that the average home network environment is akin to a coffee shop, meaning that in most cases the network is pretty ‘dirty’. Lots of IoT devices are connected to a home network that isn’t secured. In fact, if the other devices are kids’ computers and phones, they are probably very low security.
The category of devices that kids and younger people use is notoriously unsecured and dangerous. Simply put, kids click on a lot of things they shouldn’t.
Similarly, having multiple IoT devices linked to one another is a threat. There has been some indication of smart devices being used as vehicles to infiltrate business networks. Wilson states that it’s not typically devices from massive companies, like the Amazon Echo or Google’s home devices, that are the problem, but more often less well-known (usually super low cost) brands with poor security in the internal software. Occasionally, such devices require only a simple password or sometimes no credentials at all.
Even More Clouded
If there is a cloud service involved with any number of at-home devices, those connections are even more vulnerable. Data showed that malware targeting of IoT devices was up 50% from last year. The bulk of these attacks were against consumer devices. With people working remotely for the foreseeable future, it’s likely that hackers will increasingly target consumers’ home devices in an attempt to infiltrate their connected corporate networks.
With so many attack vectors, one compromise can set off a chain reaction of others. If an employee is connected to an unsecured network at home, it’s a chance for bad actors to obtain corporate network information, credentials, and other company-specific data.
These patterns indicate that ransomware attacks and account takeover will be on the rise in 2021.
As remote working becomes completely normal, Mike Wilson concludes that people working in cybersecurity for non-tech companies realize that these security issues are pressing and probably won’t be going away overnight. Increased cybersecurity for all remote workers is just one of the many hopes for the new year.