With everybody transitioning to working from home, taking care of kids, and reinventing schedules, it’s unfortunate that we should have to worry about our online security and privacy, too. But security pros say a whole new set of threats await those moving to remote work.
In the shadowy world of cybercrime, the coronavirus emergency is seen as a big opportunity. Periods of change and transition create new vectors of attack, new exposure surfaces to exploit, and new ways to steal the personal data of employees or the trade secrets of companies.
Experts say that cybercrooks are at this very moment devising ways of taking advantage of millions of employees transitioning to work-from-home situations. They know that employees will be connecting to their companies’ servers and other resources in a very different way. They are also aware that many employees will be doing their work on computers normally used for personal affairs, and that other workers will rely more on their mobile devices in the absence of a work computer.
We’ve already seen several coronavirus-related exploits, like the classy folks who created a fake Johns Hopkins virus-tracking map. If you mistakenly go to the false site to look for information about the virus’s spread, you’ll be exposed to malware that steals your credit card numbers. Hackers have even begun sending emails posing as the CDC, saying, “[W]e noticed that the outbreak has intensified in your area; please go to this address for further information and instructions.” When the recipient clicks the link, a virus is installed on their computer.
“We’ve seen the CDC emails, the WHO emails, we’ve seen the phone calls asking employees to transfer money into this account to support the company’s ‘coronavirus fund,’” says Ann Johnson, corporate VP of the Cybersecurity Solutions Group at Microsoft.
The coronavirus might be the thing that finally pushes some companies to insist on, and employees to accept, important security measures like two-factor authentication.
“[A] lot of the threats are going to come from phishing attacks and from man-in-the-middle attacks,” Johnson says. “So a fundamental first step is implementing multi-factor identification across the organization. It’s not as heavy a lift as it might seem, and it’ll prevent those phishing kinds of attacks.”
For IT professionals, the migration home of large parts of the workforce will create a whole new set of security risks, not to mention a big increase in support requests. Some in IT are used to supporting a certain number of employees whose work is primarily outside the office, while most other employees do their work at an office on a company-owned computer. But when that ratio suddenly flips and the majority of employees are now working remotely, the company may not have the security infrastructure set up to handle it, says New York-based cybersecurity attorney Stephen Breidenbach. IT pros can find themselves playing catch-up to cover the new security exposure, he says.
Usually, IT staff can easily access work computers to make sure the latest security and monitoring software as well as the latest security patches are installed. This gets harder when everybody is working at home. “Unless all those protections are installed, an attacker has fewer barriers to breaking in,” says Breidenbach, who co-chairs the cybersecurity, privacy and technology practice at the law firm of Moritt Hock & Hamroff LLP. “Sophisticated hackers could likely manipulate this crisis to trick a company’s IT staff into thinking they are employees and allow access to the company system.”
For instance, hackers could send emails to remote employees that look as if they’re coming from the company’s IT team. “They say something like ‘you should go to this website because we want to reauthenticate you (on the network),’” Breidenbach says. When the employee follows the link and enters their credentials, the hacker could immediately capture that data. Then they would be able to use those credentials to impersonate the employee, enabling them to gain direct access to any company resources connected to that network.
A time of high anxiety
This security threat is rising as employees feel more isolated and anxious.
“They hear the word coronavirus and their anxiety level goes up,” Microsoft’s Johnson says. “And the attackers know this—they use the social engineering that plays on people’s fears.”
During periods of uncertainty, a person working from home might be looking for authorities to provide information and guidance. That might make them less skeptical of an email from the CDC or an IT manager at the company.
In addition, there may be no one around to safely ask for a second opinion. “In the normal day-to-day, a person can just walk over to an office colleague to ask if an email looks suspect,” says Peter Fu, a cybersecurity expert and attorney at Cooper Levenson, in an email to Fast Company.
“In an environment where everyone is working from home—especially for offices where WFH has been instituted on an emergency or novel basis—people don’t always know the proper cyber sanitation when it comes to phishing due diligence,” Fu says. If the employee seeks a second opinion by forwarding the email to a colleague, they’ve just unintentionally increased the surface area of risk, he adds.
In a general sense, employees who are now routinely working from home may be more apt to mix their business and personal lives. They may begin using a computer for work that’s normally used only for personal things. Not only is that computer more likely to lack the security resources of a work computer, but it can be used to switch back and forth between work and social tasks throughout the workday. That might allow a hacker to gain access to the computer via a personal website or personal email, then access the work resources stored on the computer.
Adam Gould, a senior VP at Inseego, says connecting to work using a Wi-Fi network can present security problems. (Inseego, which rebranded from Novatel, owns the MiFi line of mobile hotspots.)
“My company has no idea what I’m doing with my home network,” Gould says. In other words, the company has no control over what content the devices on that network access or what security they use. To fix this problem, he says that you want to make sure you’re using WPA or WPA2 security on your home Wi-Fi network and ensure that it’s not broadcasting your SSID (or service set identifier) to the world. “You want to make sure your Wi-Fi is a secret,” Gould says.
Other ways of connecting to the workplace are less vulnerable, Gould says. The VPN pipe to the work network is encrypted. 4G or 5G cellular connections are encrypted. For people using Microsoft Office at home, there is special built-in security in the connection between the client device and the server.
Looking toward long-term effects
Gould thinks there may be a silver lining to how the coronavirus is forcing many of us to work at home. In the same way that 9/11 permanently changed so many things about travel, he says, the coronavirus may bring about permanent changes to our willingness and readiness to work remotely.
“There was already a movement afoot toward working from home more, and this is just going to accelerate that,” Gould says. “It’s going to be kind of painful for a while, but we’ll get more comfortable with it after we start to figure it out.”
The coronavirus might also push companies to think more about their ability to maintain business continuity and productivity during times of crisis.
“It’s going to be an interesting experiment,” Microsoft’s Johnson says. “It’s going to make companies think about how much business can really be done at home.”
Companies also want to avoid the costs of being caught off-guard in future crises.
“Let’s hope that this will be the last time we see something like this in our lifetimes, but global events are going to be what they are,” she says. “What many of our customers are thinking about right now is how do we make this [security work] repeatable, so that the next time something happens it’s a lower lift.”