With attacks on the rise, HR and IT should work together to protect valuable corporate networks
With millions of office workers relocated to home offices during the COVID-19 crisis, IT workers have been scrambling to adjust to a new world of cybersecurity.
Under the pandemic, there’s been “an exponential, almost overnight, acceleration toward a remote work environment at a scale that most IT organizations were not ready for, especially from a security standpoint,” says Nima Baiati, general manager of cybersecurity solutions at Lenovo in San Francisco. “The level of attacks that we’re starting to see, especially over the past couple of weeks, [represents an] uptick of attacks, especially when it comes to things like phishing.”
Rising attacks amid crisis
Almost three-quarters (71 per cent) of security professionals reported an increase in security threats or attacks since the beginning of the coronavirus outbreak. The leading threats? Phishing attempts (cited by 55 per cent of respondents), malicious websites claiming to offer information or advice about the pandemic (32 per cent) and increases in malware (28 per cent) and ransomware (19 per cent).
And when it comes to all the people working from home, the three leading challenges for IT are the provision of secure remote access (56 per cent), the need for remote access scalable solutions (55 per cent) and employees using shadow IT solutions, meaning untested software, tools and services (47 per cent), found a survey of 411 global IT experts by Check Point Software Technologies.
The speed of change has caught many companies unprepared to protect corporate data, says Baiati, “because now you’re dealing with cloud-based data, you’re dealing with a different set of telemetry; you also have to take into consideration different working environments and, in a lot of cases, you have a lot of employees that are on varying levels of that maturity model in terms of IT knowledge, IT savviness.”
It presents a lot of complexity all at once to the employee and to the security team, he says.
“I don’t think anybody was ready for the practically overnight movement of tens of millions of people to that model. Normally, these things take years to happen. You have onboarding processes and you’ve got plans and you’ve got the right tools rolled out and you’ve got training and the back-end support and the process behind it.”
The crisis has been a boon to hackers since the work-at-home exodus began, according to Daniel Markuson, a digital privacy expert at NordVPN, a virtual private network provider.
“The number of coronavirus-related scams and security incidents has been steadily increasing over the last couple of months. Hackers are preying on people’s fears, spreading disinformation and monetizing panic. They know that scared people tend to make irrational decisions, so they end up giving private information and downloading malware without a second thought.”
Employees the weakest link
With the coronavirus threatening the world, this time of heightened stress is perfect for bad actors to strike unsuspecting and shocked remote workers, according to Lise Lapointe, CEO of Laval, Que.-based security awareness firm Terranova Security.
“There’s a lot of scams about COVID-19, about treatments, vaccines. We saw there’s 4,000 current affair-related web domains that have been registered since January. That’s about five per cent [that] may be malicious. So people want to buy masks, those kinds of things and they get hacked. Instead of being more protected, they get a virus and all kinds of different things that are malicious, so that’s the problem,” she says.
“The hackers, they know that right now. Everybody’s working from home and they’re not always concentrating because they have their kids at home or their parents; there’s always something going on. It’s not the same thing as being in an office. By being distracted, they could click on links that they shouldn’t be doing,” she says.
As is usually the case, even in a corporate in-office situation, the employee is usually the weakest link in the company firewall.
“Ninety per cent of corporate data breaches in the cloud happen due to hacker attacks that target employees. When working from home, people tend to be more relaxed and browse personal sites, which might not be secure,” says Markuson.
A recent survey by his company found that 62 per cent of people are now using personal computers or other devices to work from home. More than two in five (42 per cent) claimed to use personal devices exclusively, while 20 per cent switched between personal and company laptops depending on convenience.This is concerning as most private laptops are not equipped with proper security software, says Markuson.
“Hackers can trick an employee into clicking on a phishing email. That would give them access to the employee’s computer and all accounts and systems it is connected to. One careless click or connection to unsecured WiFi can cause troubles no organization wants to face. Online security has never been more important.”
HR, IT must partner to get workers up to speed
For HR departments, now is the time to work hand in hand with the IT security team, says Lapointe, to secure company PCs for remote workers and communicate with employees.
“Of course, the security departments are the experts in that field, but HR brings all the information to the different employees. All security departments are pretty busy because there’s a very significant rise in the scams — probably around 40 per cent — so HR should send all the information to all the employees on how to stay secure,” she says.
That communication from HR to employees must be ongoing to be most effective, says Markuson.
“There must be frequent updates on the most significant risks and newly occurring security vulnerabilities. Every employee working from home needs to be well informed about what kind of tools to use and how to safely access an organization’s systems and cloud-based databases.”
Awareness and security training must be done through “easy-to-understand, easy-to-consume, lightweight training,” says Baiati, and it should include new policies that take into consideration remote work.
For employees working at home, the best advice is not to trust any content without first verifying it’s authentic, according to Lapointe.
“I would tell them to be a lot more suspicious than they are usually. Beware of curiosity: Stop opening emails that you don’t know, don’t click on links or messages that, a lot of time… will try to make you give the information quickly. If it seems that it’s too good to be true or there is an urgency in the email, verify who’s sending it. If it’s a scam using somebody else’s name, verify with that person. Never send confidential information in an email or any other means, because the government, the Red Cross, the World Health Organization, they never ask that from you.”
Home networks should also have increased security, says Markuson.
“The bare minimum is to password-protect your router if you haven’t already. Moreover, setting up a guest network and installing a VPN on your router are genuinely recommended.”
And IT professionals should “make sure that you have the latest endpoint protection on your devices from leveraging both signature-based and non-signature-based malware because now it’s about hardening the device more so but also making sure that there’s a balance between usability and security, which is the common insight,” says Baiati.
CYBER-THREATS RISE IN PANDEMIC
number of security professionals reporting an increase in security threats or attacks since the beginning of the coronavirus outbreak
top challenge for IT with remote workers: providing secure remote access
second biggest challenge: the need for remote access scalable solutions
third biggest challenge: employees using shadow IT solutions (untested software, tools and services)
Sources: Check Point Software