There’s no arguing that 2020 was a challenging year for an overwhelming number of industries across the United States. The COVID-19 pandemic forced many companies to explore new business models, both in product and service offering and in the internal structure of operations.
As a result, a number of corporations have turned to remote operations, allowing their employees to work from home for elevated health and safety. In fact, major corporations like Facebook are now allowing employees to work from home permanently as a result of the pandemic. Others are making the remote switch out of need to remain open, while restrictions prevent full operation.
The hacking community is eating this up. While corporate environments offer multiple layers of security, employees' home networks often do not. Believe us, bad actors are all too aware of these fresh vulnerabilities, and they target remote users as a way into your corporate databases.
As a CISO, it's crucial to understand that there's a whole new threat landscape out there, one that endangers your company's private data and integrity. Let's explore some of the top techniques hackers are using right now to exploit your remote employees, so that you can make some important changes and better empower your at-home staff. Luckily, there are only two major threat buckets we recommend considering when working from home.
Your staff members are without a doubt your company's biggest vulnerability when operating remotely. Even with all the right technology safeguards in place, all it takes is one employee being fooled by a bad actor posing as a trusted source, and the hacker has found a way in.
Let’s learn more about the most common social engineering tactics:
One of the most common forms of social engineering is phishing, where a hacker poses as a trusted source to get your employee to click a link or download a malware-laden attachment, infecting a company device (or a personal device that is connected to your tools or servers). It could be a spoofed email address that looks awfully close to a management head's email, asking a lower-tier staff member to take an action. Or it could be a look-alike URL that prompts you to download a seemingly normal-looking PDF.
Management like yourself are not excluded; in fact, many hackers will target high-permission leaders or senior employees in an act known as "whaling," knowing that if they take out the big fish, they gain even deeper access to the goods.
No matter the method, the means are usually the same. Once the staff member clicks the infected link or downloads the malicious file, the malware gives the hacker a foothold on that device and, from there, a path to your corporate drives. Learn more about the latest phishing email scams here.
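As an added illustration of the look-alike sender addresses described above (example code written for this article, not from the original post or any vendor product), the following Python check flags sender addresses whose domain is a near-miss of a trusted corporate domain. The trusted domain, the confusable-character table and the sample senders are constructed placeholders.

```python
# Added example: flag sender addresses whose domain closely resembles a trusted
# corporate domain without matching it exactly (look-alike / spoofed senders).
# The trusted domain and sample senders are constructed for illustration.

TRUSTED_DOMAINS = {"example-corp.com"}  # constructed placeholder; list every
                                        # legitimate domain and subdomain here

# Character substitutions commonly seen in look-alike domains (constructed table).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Fold visually confusable characters so near-matches compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the sender's domain."""
    if "@" not in address:
        return "external"
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # A confusable-folded match or a domain within a few edits of a trusted
        # one is the pattern a spoofed executive address typically follows.
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= max_dist:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for sender in ["ceo@example-corp.com", "ceo@exarnple-corp.com",
                   "ceo@example-c0rp.com", "ceo@examplecorp.com", "news@vendor.net"]:
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A "lookalike" verdict is a cue to quarantine or banner the message for review rather than to block outright, since a small edit distance also catches typos in legitimate partner domains.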
Not only are bad actors attacking your email, they're also targeting your voicemail and text message inbox. Bad actors can leave convincing, high-urgency voice messages asking your staff to take action. While working from home, this is even scarier, as your staff may be more inclined to treat a message like this as normal while out of the office.
Oftentimes, the bad actor will weave a false story or situation (called pretexting) to convince your remote staff to share confidential information. Check out this other article and included video for some prime examples of phone and text message phishing ploys from cybersecurity expert Kevin Mitnick.
When you want to catch a fish, what do you do? You string some bait on a hook and cast a line. Malicious actors can trick your employees by offering them tempting bait, for instance a free video download that infects their device with malware. Warn your employees to think before clicking on too-good-to-be-true offers, because chances are, they are.
A quid pro quo attack is similar to a baiting attack, except the bad actor typically offers a service rather than a product. This may be an email offering a free trial of a new product, despite the fact that your employee never requested this information. A recent example of this is impersonators of the U.S. Social Security Administration (SSA) asking users to reconfirm their social security number in order to steal their identity.
Another big way bad actors get in is through your remote employees' unprotected routers and wireless access devices. Every time an employee logs onto their company devices from home, they are using personal routers to connect to the internet. That's true even if they use a company-vetted device and don't log in using their own private smartphone or other personal technology.
But what do you do? CISOs are responsible for ensuring that all corporate devices are updated regularly, applying the latest security patches. From there, be sure to provide and enforce the use of corporate, secure storage solutions, which you can learn more about on our remote users blog.
We also recommend having your staff use a virtual private network (VPN) when working remotely, which sets up an encrypted connection to a trusted network. That means they're always working over an encrypted connection, even if they log in at a cafe or anywhere on the go.
Looking for some key takeaways? Here are a few quick yet impactful things to keep in mind when informing your employees of the current remote threat landscape:
Curious to learn more about endpoint security when working from home? Check out our article on remote work considerations.
If you think your company could benefit from cybersecurity training or testing, explore our social engineering strength testing services, today.