When the UK government announced on 27 January 2022 that all staff could return to offices, it was already clear that remote and hybrid working had proved effective for many organisations: improved work-life balance, less time wasted commuting, higher productivity and a reduced need for office space were all cited as advantages. However, remote working also brings cybersecurity risks for businesses and charities.
What are the biggest risks?
The cost of a successful attack isn't just financial: negative impacts include reputational damage, data theft and lost productivity. This blog explores the most common risks and their consequences, and how to protect your organisation from breaches.
Malicious actors increasingly rely on attack methods that are more likely to go unnoticed outside the security protections of an office environment. A recent report from the Department for Digital, Culture, Media and Sport found that 39% of businesses and 26% of charities reported cyber attacks or breaches in the previous twelve months. Yet only 35% of businesses used security monitoring tools, and just 32% monitored user activity, so many of the organisations reporting no incidents may simply lack the visibility to detect them.
To maintain the integrity of their systems and services, it’s essential organisations assess their cyber security readiness and introduce new policies for remote workers.
Hardware and Software Concerns
Home Router Security:
The average remote worker reaches company systems and data through a home router, which may not be secure. In November 2021 it emerged that up to six million Sky routers had a software vulnerability exploitable against any customer who had not changed the router's default admin password, which is thought to be the case in up to one in sixteen households.
In the same month, the UK government announced the Product Security and Telecommunications Infrastructure Bill. It is currently before the House of Commons; if passed, it will prohibit manufacturers from shipping the same default password across devices. Until then, an attacker who can log in to a home router with a known default password can alter its DNS or firmware settings and sit between the worker and the services they use, a man-in-the-middle position that can lead to harvested credentials, data exfiltration and ransomware.
To minimise these risks, there are several steps you can take, including:
• enacting a password policy with a minimum length of eight characters and a mix of numbers, upper case, lower case and special characters (note that current NCSC guidance favours longer passphrases, such as three random words, over enforced character-class rules);
• installing and configuring a dedicated company VPN, which should be the only way for staff to access any of the organisation's systems;
• where departments need to be segregated, for instance because they process sensitive data, separate VPN profiles or gateways can be used to restrict each group to its own part of the company network;
• only allowing users to log on during their working hours;
• introducing a Conditional Access policy so that only users who require certain information can access it. This matters more when many staff are absent through illness and others must cover their roles: if privileged access is granted on that basis, it should be revoked as soon as it is no longer required.
These steps also help protect organisations from privilege escalation attacks, in which an adversary first gains unauthorised access to the network as a low-privileged user and then uses that foothold to reach systems reserved for privileged users.
Company Laptop Policies and Personal Device Security:
Ideally, all staff should be issued company laptops, with a no-personal-use policy enforced via endpoint monitoring, and with regular automated backup of their data to a cloud service. Working from a personal laptop is known as 'bring your own device' (BYOD), and is estimated to be common practice at 47% of businesses and 67% of charities. The remote working security policy should set minimum requirements a device must meet before it can access company systems, such as:
• an up-to-date, supported operating system with current patches (older versions are generally more vulnerable);
• an installed anti-virus product to protect against malware;
• use of a secure, centrally managed software platform such as Office 365;
• a policy of storing documents in the cloud rather than on the laptop;
• a requirement that the password used to access company systems complies with the company password policy and is not cached on the laptop;
• Multi-Factor Authentication (MFA) via a mobile app such as Google Authenticator, which generates a time-based one-time code that changes every 30 seconds.
Human and Environmental Factors
Many homes don't have dedicated workspaces, and staff often work in rooms shared with family members or housemates. For organisations that collect, process or store Personally Identifiable Information (PII), meaning any data that identifies an individual either directly or in combination with other data, this poses a risk. PII includes, but is not limited to, postal and email addresses, financial details and dates of birth.
Card Payments and Data Theft:
As of December 2021, online retail sales in the UK remain 6.6% higher than they were pre-pandemic. Although transactions are usually completed online, many customer service and telephone order teams continue to work remotely.
The Payment Card Industry Data Security Standard (PCI DSS) requires stored card numbers to be rendered unreadable, for example by encryption or truncation, and forbids storing the card security code at all. A traditional call centre has physical protections against data theft: personal phones that could record customer details are banned, card details may not be typed or written anywhere except the relevant company systems, and the floor is monitored by CCTV.
When employees take card payments over the phone, or have access to customer order histories in which card details are not adequately protected, data can be stolen and sold. Research by NordVPN found that a complete set of card data sells on the dark web for around £8 on average. That may seem too little to tempt anyone, but a dissatisfied employee on a relatively low wage, working unobserved at home, may see this kind of exfiltration as a calculated risk.
To prevent this from happening, we advise:
• requiring staff who handle card data to work in a room alone;
• limiting access to PII to only those staff who need to view it;
• ensuring staff are adequately trained and aware of the consequences of data breaches for themselves and for the organisation. For breaches involving personal data, the Data Protection Act 2018 allows a maximum fine of £17.5 million or 4% of annual global turnover, whichever is greater, and IBM put the average total cost of a data breach in the UK at around £2.7 million in 2021;
• installing software that lets customers enter card details on their phone keypad while the agent's line is on hold (DTMF masking), so the number is never spoken, heard or seen by the agent.
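The risk of card numbers sitting in plain text in order histories is easy to check for. The following is an added example (not code from the original post, and not a tool the page mentions) that scans a constructed order-history export for card numbers, confirms candidates with the Luhn check that all major card schemes use so that order references and phone numbers are not flagged, and masks each hit to its first six and last four digits, a common PCI DSS display format. The export format, field names and records are invented for the example.

```python
import re

# Constructed order-history export (invented format and field names): two
# scheme test card numbers, a 16-digit reference that is NOT a card number,
# and a phone number. Built for this example, not data from the page.
SAMPLE_EXPORT = """\
order=1042 customer=j.smith card=4111 1111 1111 1111 expiry=03/25 cvv=123
order=1043 customer=a.jones card=5555555555554444 expiry=11/24
order=1044 customer=p.khan ref=1234567890123456 phone=07700 900123
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: from the right, double every second digit,
    subtract 9 if the result exceeds 9, and the total must divide by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, replacing the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace Luhn-valid card numbers with their masked form; other long
    digit strings (order references, phone numbers) are left untouched."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)


def scan_export(text: str) -> list[tuple[int, str]]:
    """Report (line number, masked PAN) for each line holding a card number,
    i.e. the records a remote agent should never have seen in clear."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_export(SAMPLE_EXPORT):
        print(f"line {lineno}: stored card number {masked}")
    print(redact(SAMPLE_EXPORT))
```

Note that the first sample line also carries a `cvv=` field: the security code must never be stored after authorisation, so a record like that is a finding in its own right regardless of how the card number is protected.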
Around 74% of UK adults regularly use voice-activated assistants such as Alexa, Google Home or Siri. These devices listen continuously for a wake word and have had their share of vulnerabilities. Smart speakers and personal mobile devices should be removed from the workspace entirely, or at least switched off during working hours.
Phishing and Spear Phishing:
According to Cisco's 2021 Cybersecurity Threat Trends report, phishing is involved in 90% of data breaches. Phishing emails typically manufacture urgency so the recipient clicks a link, for example: 'You've missed your Zoom meeting, click this link to rearrange.' The link harvests login credentials or delivers malware, giving the criminals a foothold on the network that is often followed by a ransomware attack.
Spear phishing targets a specific person with a message tailored to them, often made to look as though it comes from a trusted senior member of the organisation. Staff are more likely to act on these, and with colleagues working remotely it can be hard to tell whether such an email is genuine.
To mitigate against this risk, you should:
• create a dedicated email address as the organisation's public point of contact, in a format that differs from staff addresses;
• set an organisation-wide policy that company email addresses are not used for personal matters of any kind;
• keep publicly available information about suppliers and customers to a minimum;
• maintain a culture in which staff feel able to contact senior members directly, over a known channel such as a video call or a phone number already on record rather than one given in the email, to check whether a request is genuine;
• define an escalation policy to be followed on receipt of a phishing email;
• provide comprehensive phishing training to staff at all levels, and refresh it regularly.
Cyber Security Associates offers training for staff of all abilities, from e-learning courses to face-to-face training sessions. We can also conduct webinars and expert-led exercises for your staff to face realistic cyber attacks and phishing attempts, so that their expertise can be assessed by our specialists. You can find out more about the services that we offer by heading to our website, or get in touch with us for advice.