In July, Bill Gates, Barack Obama, Joe Biden, Jeff Bezos, and Uber all tweeted that they were “giving back” to their communities to help out during the COVID-19 pandemic. They would do so by sending Twitter users bitcoin—once those users sent them a smaller amount of bitcoin first. Fortunately, Twitter recognized the scam quickly, and after getting the problem under control, admitted that a hacker had taken advantage of the company’s remote work environment during the pandemic. The culprit had tricked an employee and successfully pretended to be part of Twitter’s IT team.
That same month, McKinsey wrote about a global bank that thought it was impervious to data theft. When the bank performed a test on its data controls, it revealed more than 70 security vulnerabilities, many of which were “directly related to the remote work environment.” Issues were connected to things like employees’ weak two-factor authentication systems, which used passwords rather than more secure alternatives, like fingerprints.
This bank and Twitter are not the only companies identifying increased cybersecurity concerns tied to remote working during the pandemic. While working remotely has opened new doors for technological flexibility, it’s also caused many employees to become “their own IT person,” according to global research from Lenovo. One in three worry that work-from-home technology can make companies more susceptible to data breaches, and, in a report from Malwarebytes, 20% of employees said they encountered security breaches while working remotely. In April, Google witnessed 18 million daily COVID-related malware and phishing emails.
This flood of phishing attempts is a serious concern. According to Nima Baiati, global director of cybersecurity solutions at Lenovo, “clicking on things they shouldn’t” is one of the biggest mistakes employees make that compromise their companies’ online security. Working from home presents even more potential for slip-ups. Employees may share the devices they use for work with other family members, including kids, who are apt to download games that Baiati says are often “wrappers for malicious software that threaten to steal credentials.”
Without IT colleagues to remind them, many remote workers likely forget to take basic computer precautions, like installing updates. Luckily, a lot of at-home device protection comes down to what Baiati calls “fundamental hygiene.” Securing a home computer starts with regularly updating software and operating systems—not to mention changing the default passwords that come with Wi-Fi routers. Using default passwords “is probably one of the most common mistakes typical home users make,” Baiati says. Companies can encourage employees to change their passwords every 60 to 90 days and implement password policies, whereby all passwords have to include a certain number of unique characters.
Insecure websites encountered during personal browsing sessions, which happen outside of work hours but on the same devices, may cause breaches that affect work-related materials. “Browser sandboxing,” however, can prevent this by “taking a web browsing session and putting it in a ‘sandbox,’ so if anything nefarious takes place, it’s contained entirely within that session,” Baiati says. Companies can also whitelist certain sites and blacklist others for added security.
Artificial intelligence, meanwhile, can help track more hidden vulnerabilities by connecting disparate data points that may look innocuous to human users. For instance, AI technology might note a spike in memory usage on an employee’s device at two in the morning, when the employee isn’t using it.
Of course, this kind of monitoring brings up privacy concerns. Baiati explains why employees shouldn’t be worried. “Good AI models don’t care about what you as the individual user are doing, per se,” he says. The data they process, rather, is “anonymized and aggregated.”
Most of us have already exchanged some of our privacy for device security. Unlocking smartphones with fingerprints and facial recognition has become commonplace. Baiati predicts an even greater use of biometrics, thanks to “contactless” alternatives made popular during the pandemic.
Biometrics also offer more secure components for two-factor authentication measures. If employees need to access a sensitive file, it’s safer for the company to require they use something physical, like their actual device (e.g., laptop, phone), combined with biometrics, as opposed to passwords that a hacker could extract.
Overall, companies benefit from minimizing the number of access points bad actors can use to enter into their systems. They can do this by limiting the number of people with access. For each worker, employers should ask what information is essential to their job function, and grant entry accordingly. This is known as a “zero trust” environment.
“Zero trust is really the assumption that—from a security standpoint—I’m going to give the user the least amount of privileges … until you can give me a reason why you need [more],” Baiati says.
But won’t employees feel alienated and, well, not trusted in a “zero trust” work environment? Baiati doesn’t think so. “The vast majority of users want to do the right thing,” he says. If companies educate their employees about cybersecurity risks, those employees will understand why it’s important to take preventative measures. “They recognize that it’s not from a place of not trusting, but from a place of securing.”