As businesses increasingly—and in rapid fashion—urge their employees to stay at home to work amid the coronavirus pandemic, another risk to companies is emerging.
Cybersecurity experts warn that cybercriminals are moving in to target people not used to working from home and companies without work-at-home policies or cyber-safety nets.
“When you have a situation like we’re in now, creating a lot of questions and confusion—and in this case triggering changes in work habits and the way we use technology, hackers are going to find a way to try to exploit the situation, and that’s what’s happening,” said Aaron Pritz, co-founder and CEO of RevealRisk, a Carmel-based firm specializing in cybersecurity. “We’re not saying you should keep coming to the office because of cybersecurity risks. We’re just saying if you make a transition, you have to do your diligence.”
Tech companies including Facebook, Amazon, LinkedIn, Microsoft, and Google have asked at least some of their employees to work from home amid the outbreak. San Francisco-based Salesforce, which has a major presence in Indianapolis, has asked its California employees to work remotely through March.
Eli Lilly and Co. this week asked all those employees who could do so to work from home for an indefinite period. And many schools too are moving to a remote educational system.
The trend is likely to become more pronounced locally and nationally in the coming weeks.
Although we’re still in the first quarter of 2020, major corporate data breaches have already occurred that have affected millions, including one involving Microsoft. According to the Identify Theft Resource Center, one of the top three reasons for major data breaches is employee error or negligence. With so many workers using remote communications technology—some for the first time—that problem could explode, tech experts said.
The European Central Bank has warned banks to prepare for an increase in the number of cyberattacks as cybercriminals seek to take advantage of the chaos caused by the virus. The financially focused watchdog group has urged banks in a letter this week to test the capacity of their technology systems “in light of a potential increase of cyber-attacks and potential higher reliance on remote banking services.”
Small and mid-sized companies may be most at risk.
Only half of small business owners have updated their companies’ remote-work security guidelines in the past year, a recent Nationwide Insurance survey of 400 small-business owners concluded. Of those surveyed, only 4% had employed all of the cybersecurity best practices and recommendations from the U.S. Small Business Administration.
“Companies that have done a lot of virtual or mobile office work have the systems in place to safeguard themselves, but a number of companies don’t have those capabilities in place,” Pritz told IBJ.
Cybercriminals are seeing an opportunity with the coronavirus spread and are moving in to either try to steal workers’ personal information to use for things like identity theft or credit fraud or to get into a corporate system to either steal proprietary data or take control of the system and hold it for ransom.
“Cyber attackers preying on sensationalized current events is not new, but the intensity with this event is on the high end because of its global impact,” Pritz said. “People right now will click on anything to learn more about the coronavirus.”
Pritz and RevealRisk co-founder Tim Sewel have already seen professional-looking phishing email scams offering free coronavirus tests if users will simply click a link.
“These emails can look very convincing and they play on the urgency of the situation,” Sewell said. “Sometimes they’re designed to look like official correspondence from the company these employees work for.”
And it’s not just email that is at risk. Reveal Risk officials said they’ve also recently seen fraudulent text messages that clients have received that urge people to take action, usually by clicking on an embedded link, to either get more information about or to protect themselves from coronavirus. One such text scam—known as smishing—even included a reference to the school the phone owner attended.
Last year, the FBI reported $1.7 billion in losses from phishing attacks, which are online schemes in which hackers drop links or attachments into emails or other communications sent fraudulently as company or official information. By clicking on the links, users often give hackers an entry to steal personal or corporate information and potentially give access to corporate computer networks. FBI officials said the fear of the spread of coronavirus could dramatically increase the financial loss from phishing this year.
Phishing scams are not the only concern.
The drive to remain productive while working at home also can open opportunities for hackers. And sharing work information through certain social platforms and other personal channels can be problematic.
“Users in a telecommuting situation often cut corners in order to stay productive, such as using public cloud file-sharing and other services. All of these behaviors increase corporate cybersecurity risks,” said Craig LaCava, an executive with Optiv Security, a Denver-based company that helps large global companies integrate cybersecurity tools.
“It’s easy to get nice and comfortable—and careless—when you are at home working in your pajamas,” Sewell said. “You have to continue to be diligent and think and act like you are at work.”
Remote work and collaboration tools are not new, but the remote work mitigation actions taken by some companies and schools are pushing the pace, scale, learning curve and adoption for sanctioned collaboration tools.
That means employees may resort to unapproved personal tools that are not sanctioned by the company and could compromise confidential data, Pritz said.
“The biggest risk we see right now is companies that don’t have strong work-from-home cultures,” Sewell said. “It can be difficult to simply try to flip a switch on going mobile. And if workers are using tools that have not been vetted, that can introduce vulnerabilities into a system. And with this working from home trend growing right now, cybercriminals are out there looking to exploit any vulnerability.”
All this is putting increased pressure on corporate IT departments, which are struggling to keep up with all the data flowing in from remote locations.
“When a transition is happening as quickly as this one, it’s difficult for [an IT department] to monitor what social tools are being used,” Pritz said. “The rate and number of locations data is coming from is really unprecedented.”
And it’s also putting pressure on companies’ technology platforms, with two companies telling IBJ that the capacity of their virtual private network has been maxed out this week and that they have had issues with capacity for video conferencing.
The sudden chaos that has descended on businesses can also create communications issues.
Indianapolis-based communications firm Borshoff has had a division focusing on technology and cybersecurity issues for nearly a decade.
Stacy Sarault, Borshoff’s senior director of accounts, said the firm is advising clients to arm managers with information workers need; deliver information in short, consumable chunks; have an easily accessible repository of information for commonly asked questions; and proactively share information on emerging cyber scams.
“It’s a good idea to incorporate messages for personal safety along with work issues,” Sarault said. “This is a time when employees are dealing with so much information, it can be overwhelming. If you make it personal, people will pay much closer attention. If you give people information to safeguard themselves [from cyber criminals] at home, they’ll often bring that to their work.”
The Department of Homeland Security’s cybersecurity agency on Friday issued new remote-working cybersecurity guidelines including:
● Ensure virtual private network and other remote access systems are fully updated with the latest security measures.
● Enhance system monitoring to receive early detection and alerts on abnormal activity.
● Implement multi-factor authentication.
● Ensure all machines have properly configured firewalls as well as anti-malware and intrusion prevention installed.
● Test remote access solutions capacity or increase capacity.
● Ensure continuity of operations plans or business continuity plans are up-to-date.
● Increase awareness of information technology support mechanisms for employees who work remotely.
● Update incident response plans to consider workforce changes in a distributed environment.