When the UK government announced all staff could return to offices on the 27th of January 2022, it became clear that remote and hybrid models of working had proved effective for many organisations - improved work-life balance, less time wasted commuting, higher productivity, and the reduced need for office space were all cited as advantages. However, remote working also poses cybersecurity risks for businesses and charity organisations.
The cost of a successful attack isn’t just financial - negative impacts can include reputational damage, data theft, and lost productivity. This blog explores the most common risks and consequences - as well as how to protect your organisation from breaches.
Malicious actors are increasingly relying on attack methods that are more likely to go unnoticed outside the security protections of an office environment. A recent report from the Department for Digital, Culture, Media and Sport revealed that 39% of businesses and 26% of charities reported cyber attacks or breaches over the previous twelve months. Yet only 35% of businesses had used security monitoring tools, and just 32% monitored user activity. These statistics suggest that many organisations are unaware of attacks on their systems, so the true figures are likely to be higher.
To maintain the integrity of their systems and services, it’s essential organisations assess their cyber security readiness and introduce new policies for remote workers.
Home Router Security:
The average remote worker accesses proprietary systems and data via their home router, but it may not be secure. In November 2021, it was revealed that up to six million Sky routers had a software vulnerability that could have affected any users who hadn’t changed their router’s default admin password, as is the case in up to one in 16 households.
In the same month, the UK government announced the Product Security and Telecommunications Infrastructure Bill. It’s currently being discussed in the House of Commons, but if it’s passed, the bill will ban manufacturers from shipping the same default password across consumer devices. Until then, a router still on its default admin credentials can be taken over by anyone who can reach its admin interface, and an attacker who controls the router can alter its DNS settings or redirect traffic, a man-in-the-middle position that can lead to the harvesting of user credentials, data exfiltration, and ransomware attacks.
To minimise these risks, there are several steps you can take, including:
These steps also make privilege escalation attacks harder. In such an attack, an adversary first gains unauthorised access to the network through a low-privilege user account, then uses that foothold to reach systems and data that should only be available to privileged users.
Company Laptop Policies and Personal Device Security:
Ideally, all staff should be provided with company laptops, with a no-personal-use policy enforced through endpoint monitoring, and with regular automated backups to a cloud service. Working from a personal laptop is known as ‘bring your own device’ (BYOD), and is estimated to be common practice for staff at 47% of businesses and 67% of charities. Minimum requirements a personal device must meet before it is allowed to access company systems should be set out in the remote working security policy, such as:
Communal Workspaces:
Many homes don’t have dedicated workspaces. Often, staff work in rooms with family members or housemates, where screens can be overlooked and calls overheard. For organisations that collect, process and/or store Personally Identifiable Information (PII) – any data that can identify an individual either directly or in conjunction with other data elements – this poses a real risk. PII includes, but is not limited to, physical and email addresses, financial details, and dates of birth.
Card Payments and Data Theft:
As of December 2021, online retail sales in the UK remain 6.6% higher than they were pre-pandemic. Although transactions are usually completed online, many customer service and telephone order teams continue to work remotely.
Payment Card Industry Data Security Standard (PCI DSS) compliance requires stored cardholder data to be encrypted or otherwise rendered unreadable, card data sent over public networks to be encrypted in transit, and the card security code never to be stored after authorisation. A traditional call centre has protective measures against data theft, such as not allowing personal phones that could record customer details, not allowing card details to be typed or written anywhere other than the relevant company systems, and monitoring via CCTV.
When employees process card payments during a call, or have access to customer order histories where the card details aren’t adequately encrypted, data could be stolen and sold. Research conducted by NordVPN found that each complete set of card data sold on the dark web yields, on average, £8. Whilst this may seem unlikely, a dissatisfied employee earning relatively low wages may see this type of data exfiltration as a calculated risk.
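The order-history exposure described above is avoidable if the system never writes the full card number or security code in the first place. The following is an added example, not code from the original post or from Cyber Security Associates: it validates a card number, masks it for display, derives a keyed one-way token so repeat cards can still be matched, refuses any attempt to store forbidden fields, and scrubs card numbers an agent has typed into free-text call notes. The tokenisation key, the allowed-field list and the sample inputs are all constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets

# Assumed: a per-deployment tokenisation key. In production it would come from an HSM
# or a secrets manager rather than being generated ad hoc like this demo key.
TOKEN_KEY = secrets.token_bytes(32)

# Assumed allow-list: the only card-derived fields an order-history row may contain.
ALLOWED_STORED_FIELDS = {"pan_masked", "pan_token", "expiry"}


def luhn_valid(pan: str) -> bool:
    """Luhn check on a 13-19 digit PAN; rejects phone numbers and other digit runs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def tokenise(pan: str, key: bytes) -> str:
    """Keyed one-way token: lets order histories link repeat cards without holding the PAN."""
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def order_history_record(pan: str, expiry: str) -> dict:
    """Build the card fields for an order-history row. The full PAN never leaves this
    function, and the security code is not accepted at all: PCI DSS forbids storing it."""
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenise(pan, TOKEN_KEY),
        "expiry": expiry,
    }


def persist_card_fields(record: dict) -> dict:
    """Last guard before the database write: refuse any field outside the allow-list."""
    extra = set(record) - ALLOWED_STORED_FIELDS
    if extra:
        raise ValueError(f"refusing to store card fields: {sorted(extra)}")
    return record


# 13-19 digits with optional spaces or dashes between them.
_PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def redact_card_numbers(text: str) -> str:
    """Scrub Luhn-valid card numbers from free text such as call notes or chat messages."""
    def _mask(m: re.Match) -> str:
        return mask_pan(m.group()) if luhn_valid(m.group()) else m.group()
    return _PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample: a test card number, not a real customer's.
    row = persist_card_fields(order_history_record("4111 1111 1111 1111", "12/25"))
    print(row)
    print(redact_card_numbers("Customer read out 4111 1111 1111 1111, exp 12/25"))
```

The HMAC token is a simplification of a tokenisation vault: it is enough to recognise the same card across orders, but it cannot be reversed, so any later charge must go through the payment provider's own reference rather than this token. The Luhn check in the redaction step is what stops the regex from rewriting order numbers or phone numbers that happen to be long digit strings.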
To prevent this from happening, we advise:
Voice-Activated Technology:
Around 74% of all adults in the UK regularly use voice-activated assistants such as Alexa, Google Home, or Siri. Such devices listen continuously for a wake word, and what they capture can be exposed if the device or the account behind it is compromised. Smart speakers and personal mobile devices should be removed from a workspace entirely, or at least switched off during working hours.
Phishing Attacks:
According to Cisco’s 2021 Cybersecurity Threat Trends report, phishing is used as an attack vector in 90% of data breaches. Phishing emails often seek to create a sense of urgency so the recipient clicks a link without thinking, such as: ‘You’ve Missed Your Zoom Meeting, click this link to rearrange.’ Criminals can harvest login credentials from the page behind the link, or deploy malware that gives them a foothold in the network from which to launch a ransomware attack.
Spear phishing targets a specific person or team with a tailored message, often one that appears to come from a trusted senior member of the organisation. Staff are more likely to act on these, and in the era of remote working, with no colleague at the next desk to ask, it can be difficult to know for sure whether such an email is genuine.
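The tell-tale signs of the messages described above can be checked mechanically before a recipient has to judge them. The following is an added example, not code from the original post or from Cyber Security Associates: it parses a raw email with Python’s standard library and flags a display name that matches a senior colleague but a different mailbox behind it, a sender domain that is a look-alike of the organisation’s own, a Reply-To that diverges from the From address, urgency phrasing, and a link whose visible text names one site while its href leads to another. The internal domain, the staff directory, the phrase list and both sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain
SENIOR_STAFF = {"jane doe": "jane.doe@example.com"}  # assumed directory of likely impersonation targets
URGENCY_PHRASES = ("missed your", "immediately", "within 24 hours", "suspended", "rearrange")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg) -> tuple:
    """Return (plain text, html) from a message; either may be empty."""
    plain, html = [], []
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        (html if ctype == "text/html" else plain).append(text)
    return "\n".join(plain), "\n".join(html)


def analyse(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    real = SENIOR_STAFF.get(name.strip().lower())  # 1. senior colleague's name, other mailbox
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' impersonates {real} but sender is {addr}")

    if sender_domain and sender_domain != INTERNAL_DOMAIN and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {sender_domain} is a look-alike of {INTERNAL_DOMAIN}")  # 2.

    _, reply_to = parseaddr(msg.get("Reply-To", ""))  # 3. replies routed elsewhere
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    plain, html = body_text(msg)  # 4. urgency language in subject or body
    haystack = (msg.get("Subject", "") + " " + plain + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency phrasing: " + ", ".join(hits))

    extractor = LinkExtractor()  # 5. link text names one site, href goes to another
    extractor.feed(html)
    for href, text in extractor.links:
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        host = (urlparse(href).hostname or "").lower()
        if shown and host and host != shown.group() and not host.endswith("." + shown.group()):
            findings.append(f"link text shows {shown.group()} but href goes to {host}")
    return findings


# Constructed sample messages; the domains use reserved/fictional names.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.private@mail.example
To: staff@example.com
Subject: You've missed your Zoom meeting
Content-Type: text/html; charset="utf-8"

<p>Hi, you missed our 1:1 today. Please <a href="https://zoom.us.rearrange-meeting.example/r">https://zoom.us/rearrange</a> immediately.</p>
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Notes from today's meeting
Content-Type: text/plain; charset="utf-8"

Hi all, notes attached. See you on Thursday.
"""

if __name__ == "__main__":
    for f in analyse(SUSPECT):
        print("-", f)
```

None of these checks is conclusive on its own: urgency wording appears in genuine messages and a lone Reply-To mismatch is common with ticketing systems. Run together, though, a message that trips several of them is exactly the ‘senior colleague needs you to click this now’ pattern described above, and scoring on the number of findings gives a sensible triage rule for a mail gateway or a reporting button.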
To mitigate against this risk, you should:
Cyber Security Associates offers training for staff of all abilities, from e-learning courses to face-to-face training sessions. We can also conduct webinars and expert-led exercises for your staff to face realistic cyber attacks and phishing attempts, so that their expertise can be assessed by our specialists. You can find out more about the services that we offer by heading to our website, or get in touch with us for advice.