The COVID-19 pandemic upended “business as usual” for many organizations. Businesses in many cases were not prepared to shift to a paradigm where employees are not at their desks, working on company devices on internal networks. As we become used to the new normal of Work from Home, and the stress of getting employees set up technologically to telecommute eases, there are new concerns about how to avoid phishing during COVID-19.
Global Learning Systems has provided a remote work environment for our employees for a decade, so we understand your pain. We know the hard truth: Scammers are watching. They are aware of the chaos that is occurring and are ready to take advantage, especially targeting industries on which people are reliant. They are looking for moments of weakness when the employees’ guards are down to launch social engineering attacks. Just as hyenas will seek out the weakest member of a herd as their target, so will scammers with your employees.
Based on our experience and expertise, we can share that there are three main issues that create points of cybersecurity weakness in your organization’s Work from Home culture.
1. Lack of knowledge about technology – As we noted in our previous blog post The Psychological Manipulation of Phishing: Why Do People Keep Falling Victim, “If you are not highly technical, all of the ins and outs of securing a workplace can be overwhelming. Many people believe that their company’s IT department has it all under control. They rely on the perceived safety of the systems to catch and not land phishing threats into their work zones.”
The same holds true in telecommuting situations. Employees who were already fearful or unsure of technology will be even more so working from home without the usual support safety nets in place. It is vital that your employees are comfortable with using technology and understand its use and limits.
2. Lack of proper protocols and processes, or ones that cannot be enforced easily – Many organizations are finding that the Work from Home provisions of their Information Security Policy lack enough detail, or simply do not exist. This can lead to employees inadvertently exposing themselves to risks, such as downloading free tools for productivity or efficiency, not using a VPN, not using strong passwords on home devices, or being unaware of the protocol for reporting issues.
People do not know they are doing wrong if they have not been told it is wrong. Lack of proper knowledge of security processes and protocols related to telecommuting is a weakness of the organization, not the individual. You cannot hold people accountable to something that is not documented.
3. Lack of cybersecurity awareness training – Some of your employees may be used to working on the technologies and devices they are using while working from home. In some cases, employees may be working in technologies that are completely new to them, such as cloud-based versions of software or virtual meeting platforms. A lack of security awareness training can lead to misuse of technology, which in turn leads to a security weak spot for your organization. This includes training employees working in known technologies how telecommuting changes the security game, as well as introducing best practices for using new technologies.
Working from Home also introduces additional points of security risk for your employees. These risks need to be documented, understood, and mitigated. Here are some examples of common risks and suggested mitigation strategies.
- COVID-19 pandemic is a perfect environment for phishing
- Risk: Phishing scams share common components. The COVID-19 pandemic aligns perfectly with these, including urgency (find out where new cases are around you!) and Fear of Missing Out (FOMO) (new vaccine available, get it now).
- Suggested Mitigation: Train employees to be on heightened guard for COVID-19-related email communications. Provide examples to employees so they can see the pattern. Share information consistently on how to report these incidents to your Security team. Provide employees with information on how your organization will communicate with them in relation to the pandemic.
- Phone scams increasing
- Risk: With more people at home, there is an increase in the number of COVID-19-related phone scams targeting both landlines and cell phones. These scams run the gamut from offering to disinfect your home to pretending to be a client needing information to being tech support from your organization.
- Suggested Mitigation: Train employees to be on heightened guard for COVID-19-related phone communications. Advise them to either not answer calls from unknown sources or to hang up immediately. If a caller claims to be a client or your organization’s tech support and asks for information, employees should hang up and call back on a number from the company directory rather than one the caller provides. Share information consistently on how to report these incidents to your Security team. Provide employees with information on how your organization will communicate with them in relation to the pandemic.
- Increase in texting as a communication means for work
- Risk: Some organizations are providing cell phones for employees to use during the pandemic. Others may have a Bring Your Own Device (BYOD) policy that allows an employee to use a personal cell phone for work activity. Employees are using texting as a means of communicating with colleagues and clients. SMS-based scams (“smishing”) take advantage of this by asking the user to click a link to a website for more information or to download a document. Instead, the link leads to a credential-harvesting page or installs malware on the phone.
- Suggested Mitigation: Require an approved messaging app with end-to-end encryption for work-related communication. Note that encryption protects the content of messages in transit; its value against smishing is that employees learn to treat any unsolicited SMS about work as suspect. Have very specific protocols in place for the use of SMS-based communication for work. Train employees not to click on links or move files via text. Share information consistently on how to report these incidents to your Security team.
- Boredom lowers your guard
- Risk: Many people are extroverts – they thrive on personal interactions with others. Working from Home removes a social aspect from their lives. Other employees may find that their workload is decreasing during the pandemic, so they are not as busy as they would be in the office. For these and other reasons, employees may be fighting boredom while telecommuting. This can lead to riskier behaviors, such as increased use of social media. Accessing social media accounts on work devices can put your organization’s data at risk, as these platforms are a popular vector for social engineering attacks, and many of their plugins or extensions access data on the machine. That harmless Facebook quiz can expose personal details (pet names, birthplaces, first cars) that are commonly used to guess passwords or answer account-recovery questions. That fun Instagram photo of your Work from Home space may expose company information through the device screen in the background or the papers on the desk.
- Suggested Mitigation: Do not allow employees to access personal social media platforms on company-provided devices. Require employees to use a personal device for personal activities. Use an endpoint management system to monitor employee device use. Train users that sharing company information on social media platforms, including incidentally in photos, is not acceptable.
- Distractions and multitasking at home
- Risk: Despite the fact that it lowers productivity and attention to detail, we multitask at work. Working from Home offers even more distractions and opportunities for multitasking. Many of these are home-based, such as taking care of children or housework, and mean that we walk away from our devices, sometimes leaving them unlocked. Employees may also have always-listening smart devices in their homes which are used to save time or make tasks easier.
- Suggested Mitigation: Your Information Security protocols should address the proper steps to secure devices and data if an employee leaves their work space. These same rules hold true in telecommuting. Train users to lock their device screens and follow a “Clean Desk” policy. Require that employees have lockable storage in their home office. Require that employees turn off or mute smart devices such as Amazon Alexa or Google Home to avoid inadvertently leaking company information.
- Downloading or accessing non-approved applications
- Risk: If your employee has a company-provided device on which they have been given Administrator access, they can download and install applications. In a Work from Home situation where an employee may be facing a new task or lack of access to applications they use in the office, they may be tempted to search for and download new software, browser plugins, or extensions to help make their work easier. In other instances, the employee may want to access an application they use on their personal computer or device.
- Suggested Mitigation: Harden company equipment and do not give employees Administrator access to devices. Train employees on the process for requesting new software. Provide employees with a list of approved applications that may be used. Provide access to secured Software as a Service (SaaS) options for employees. Do not allow employees to connect their work device to unapproved peripherals, such as home printers, or to removable media. Use an endpoint management system to monitor employee device use and to enforce these restrictions rather than relying on policy alone.
This list of possible security risks in a Work from Home environment is not exhaustive. Your organization should review its setup for remote employees and determine what risks are introduced. Do not fall victim to a lack of imagination. An idea or opportunity for a scammer may seem far-fetched or ridiculous, but with the increasing sophistication of phishing attacks, it is probably feasible. Mitigate or eliminate the risks to protect your employees and your organization. One suggestion is to provide your employees with comprehensive security awareness training that includes a Remote Work component. This training can be delivered online and can help to prevent the common incidents that lead to data breaches.
From now until April 30th, GLS is proud to offer a variety of free resources to help organizations get up to speed on cybersecurity in this new age. It includes a free online course, blog posts, and handouts for employees. We are adding to these assets, so please take a look and let us know what we can do to help.