By Dimitri Shelest, Founder and CEO of OneRep
The increase in remote and hybrid work since the COVID-19 pandemic has revolutionized the way that companies operate. It has also introduced a new array of cybersecurity threats. Bad actors have more weak points to target companies than ever before.
They also have more ammunition. The internet is awash in personal data they can use to make their scams more credible to isolated employees working outside the perimeters of corporate security. Companies must adapt to this changing threat matrix by addressing securing the expanded perimeters, educating and empowering employees, and taking ammunition in the form of data out of the hands of criminals.
The main focus should be on people. People are the weakest link in any cybersecurity effort. They make mistakes, don’t always comply with security procedures, and can fall prey to carefully calculated scams. According to a 2021 data breach survey of 500 IT leaders and 3,000 employees, 84% of data breaches with a business impact resulted from an employee’s mistake. Almost three quarters of organizations said breaches were caused by employees breaking security rules.
And it’s people that attackers are targeting. Almost all cyberattacks today contain an element of social engineering–the theft and use of data to manipulate and trick people.
Inside the office, companies can mitigate risks with physical security in the form of firewalls, enterprise grade routers and modems, and threat-detection software. They can control what systems people use to work and communicate, and tightly control access to those systems. They can provide in person training, conduct tests and monitor compliance. Even so, the same study reports that 73% of organizations have suffered serious breaches from phishing attacks.
Data is the fuel for these attacks, and the volume of personal information available online nearly doubles every year. All this data is collected legally by companies, and often sold to data brokers who in turn sell it to people search sites. There are many legitimate uses for this data, but bad actors are also using it to make their attacks more personalized and effective.
The majority of workplace phishing attacks are BEC (business email compromise) schemes impersonating executives or vendors in order to get money. Cybercriminals can also phish for confidential information and credentials for company systems to plant ransomware. They may also seek to harass employees with spam and robocalls, interrupting their productivity and potentially causing them to miss an important call from a customer or prospect. In some cases, they may even threaten employees and their families.
These attacks are more effective in a remote setting, for a variety of reasons. Home networks are typically less secure than business networks. Employees may also be working from cafes or other locations outside the home.
The use of new collaboration and productivity tools geared towards remote work has created new vulnerabilities. These applications often have only minimal security settings which are sometimes reset when the vendor does a software update. Remote desktop tools used to access work computers from a home setting also make it easier for cybercriminals to access the company’s network.
Employees often engage in personal communications on work devices and work tasks on personal devices. This can expose the company to existing malware or viruses that they may not even realize are already on their personal devices.
Isolation also plays a critical role in aiding fraudsters. Employees don’t have coworkers in their immediate vicinity to do a gut check with if they think a communication looks suspicious. If a tech problem seems suspicious, they may have a harder time immediately getting in touch with security or IT personnel. They also may not be as aware of changes to security rules or engaged with security training–if they’re getting trained at all.
Companies can protect their employees and themselves by utilizing a combination of security measures. Implementing identity management solutions like Multi-factor Authentication (MFA) and Single Sign-on (SSO) tools add an additional layer of protection for company systems and resources. IT can also make sure they’re applying the latest updates and patches to the software applications that remote workers use on a regular basis. Setting them up with a VPN (virtual private network) at home is another way to bolster security.
All employees should also receive regular training on recognizing threats and security hygiene best practices. It’s also important to ensure employees know how to report threats or mistakes and feel comfortable doing so. Delays in reporting an attack or breach can allow contagion to spread quickly.
Companies can also help employees remove the fuel for phishing attacks by enrolling them in a data privacy service that removes personal data from people search sites. According to data from my company, OneRep, which provides such a service, the average individual has data profiles on 46 of these sites. In the era of big data, these profiles have become quite robust, with much more data than just name, address and phone number.
While people search sites are legally required to remove data records upon request, this can be a Sysyphean task. It is very time consuming to request removal from so many sites, and our internal data shows that much of this information ends up right back on these sites within just a few months.
One click on a bad link can cause a huge amount of damage to an organization. The core tenets of cybersecurity are to protect people, environment and technology. The changing nature of where and how we work has created a much larger attack surface across all three.
Companies must use all the tools at their disposal to secure their data, networks, systems and devices wherever employees use them. They must keep employees informed and engaged with the security effort and empower them to act. And they must deprive would-be attackers of one of their key weapons–personal data–by helping employees keep their data private.
Author Bio:
Dimitri Shelest is a tech entrepreneur and the CEO at OneRep, a privacy protection company that removes public records from the Internet. Dimitri is an avid proponent of privacy regulation framework and likes to explore cybersecurity and privacy issues as a writer and reader on various platforms. For more information, visit www.onerep.com.
