How Hackers Utilize Remote Work and Human Error to Steal Corporate Data

img blog How Hackers Utilize Remote Work Human Error to Steal Corporate Data r1

At an international level, United Nations officials warn that cybercrime is on the rise, with a 600% increase in malicious emails during the current crisis.

According to an article by Forbes, “This vulnerability comes down to many remote workers working without the necessary security in place. In the office, computers are patched together, and antivirus software is on hand to [prevent] any potential data breaches or phishing emails; acting as a safety net for employees.

But, with computers used for remote working likely having been shared with family members, possibly visiting insecure websites, or installing insecure software, confidential company data isn’t safe. When there’s no guarantee that these computers have been maintained over the recent months – [we have to wonder] whether we can trust these external devices [when connecting] back to the corporate network.”

In an article by USD, they write, “A host of new and evolving cybersecurity threats has the information security industry on high alert. Ever-more sophisticated cyberattacks involving malware, phishing, machine learning/artificial intelligence, and cryptocurrency have placed the data and assets of corporations, governments, and individuals at constant risk.

The industry continues to suffer from a severe shortage of cybersecurity professionals and experts warn that the stakes are higher than ever. ‘Honestly, we’re all at risk,” Heather Ricciuto of IBM Security told cnbc.com. ‘Whether you’re talking about a large enterprise or an individual.’

With damage related to cybercrime projected to hit $6 trillion annually in 2021 – according to Cybersecurity Ventures – here is a closer look at the most significant cybersecurity threats for 2021.

Cybersecurity Threats and Trends for 2021

Phishing Gets More Sophisticated — Phishing attacks, in which carefully targeted digital messages are transmitted to fool people into clicking on a link that can then install malware or expose sensitive data, are becoming more sophisticated.

Now that employees at most organizations are more aware of the dangers of email phishing, or of clicking on suspicious-looking links, hackers are upping the ante. For example, using machine learning to quickly craft and distribute convincing fake messages in the hopes that recipients will unwittingly compromise their organization’s networks and systems. Such attacks enable hackers to steal user logins, credit card credentials, and other types of personal financial information; as well as gain access to private databases.

Ransomware Strategies Evolve — Ransomware attacks are believed to cost victims billions of dollars every year, as hackers deploy technologies that enable them to kidnap an individual or an organization’s databases and hold all of the information for ransom. The rise of cryptocurrencies like Bitcoin are credited with helping to fuel ransomware attacks by allowing ransom demands to be paid anonymously.

As companies continue to focus on building stronger defenses to guard against ransomware breaches, some experts believe hackers will increasingly target other potentially profitable ransomware victims such as high-net-worth individuals.

Cryptojacking — The cryptocurrency movement also affects cybersecurity in other ways. For example, cryptojacking is a trend that involves cyber criminals hijacking third-party home or work computers to “mine” for cryptocurrency. Because mining for cryptocurrency requires immense amounts of computer processing power, hackers can make money by secretly piggybacking on someone else’s systems. For businesses, cryptojacked systems can cause serious performance issues and costly downtime as IT works to track down and resolve the issue.

Cyber-Physical Attacks — The same technology that has enabled us to modernize and computerize critical infrastructure also brings risk. The ongoing threat of hacks targeting electrical grids, transportation systems, water treatment facilities, etc., represent a major vulnerability going forward. 

State-Sponsored Attacks — Beyond hackers looking to make a profit through stealing individual and corporate data, entire nation states are now using their cyber skills to infiltrate other governments and perform attacks on critical infrastructure. 

Cybercrime today is a major threat not just for the private sector and for individuals but for the government as a whole. State-sponsored attacks are expected to increase, with attacks on critical infrastructure of particular concern.

Many such attacks target government-run systems and infrastructure, but private sector organizations are also at risk. According to a report from Thomson Reuters Labs: “State-sponsored cyberattacks are an emerging and significant risk to private enterprise that will increasingly challenge those sectors of the business world that provide convenient targets for settling geopolitical grievances.”

IoT Attacks — The Internet of Things is becoming more ubiquitous by the day (according to Statista.com, the number of devices connected to the IoT is expected to reach 75 billion by 2025). It includes laptops and tablets, of course, but also routers, webcams, household appliances, smart watches, medical devices, manufacturing equipment, automobiles and even home security systems.

Connected devices are handy for consumers and many companies now use them to save money by gathering immense amounts of insightful data and streamlining business processes. However, more connected devices means greater risk, making IoT networks more vulnerable to cyber invasions and infections. Once controlled by hackers, IoT devices can be used to create havoc, overload networks or lock down essential equipment for financial gain. 

Smart Medical Devices and Electronic Medical Records (EMRs) — The healthcare industry is still going through a major evolution as most patient medical records have now moved online, and medical professionals realize the benefits of advancements in smart medical devices. However, as the healthcare industry adapts to the digital age, there are a number of concerns around privacy, safety and cybersecurity threats.

According to the Software Engineering Institute of Carnegie Mellon University, “As more devices are connected to hospital and clinic networks, patient data and information will be increasingly vulnerable. Even more concerning is the risk of remote compromise of a device directly connected to a patient. An attacker could theoretically increase or decrease dosages, send electrical signals to a patient, or disable vital sign monitoring.”

Third Parties (Vendors, Contractors, Partners) — Third parties, such as vendors and contractors, pose a huge risk to corporations, the majority of which have no secure system or dedicated team in place to manage these third-party employees.

As cyber criminals become increasingly sophisticated and cybersecurity threats continue to rise, organizations are becoming more and more aware of the potential threat posed by third parties. However, the risk is still high.

A report on “Security Risks of Third-Party Vendor Relationships” published by RiskManagementMonitor.com includes an infographic estimating that 60% of data breaches involve a third party and that only 52% of companies have security standards in place regarding third-party vendors and contractors.

Connected Cars and Semi-Autonomous Vehicles — A connected car utilizes onboard sensors to optimize its own operation and the comfort of passengers. This is typically done through embedded, tethered, or smartphone integration. As technology evolves, the connected car is becoming more and more prevalent; by 2020, an estimated 90 percent of new cars were connected to the internet, according to a report titled, “7 Connected Car Trends Fueling the Future.”

For hackers, this evolution in automobile manufacturing and design means yet another opportunity to exploit vulnerabilities in insecure systems and steal sensitive data and/or harm drivers. In addition to safety concerns, connected cars pose serious privacy concerns.

As manufacturers rush to market with high-tech automobiles, we will likely see an increase in not only the number of connected cars but in the number and severity of system vulnerabilities detected.

Social Engineering  Hackers are continually becoming more and more sophisticated not only in their use of technology, but also psychology. Tripwire describes social engineers as “hackers who exploit the one weakness that is found in each and every organization: human psychology. Using a variety of media, including phone calls and social media, these attackers trick people into offering them access to sensitive information.” The article includes a video demonstrating an example of social engineering.

A Severe Shortage of Cybersecurity Professionals — The cybercrime epidemic has escalated rapidly in recent years, while companies and governments have struggled to hire enough qualified professionals to safeguard against the growing threat. This trend is expected to continue into 2022 and beyond, with some estimates indicating that there are some 1 million unfilled positions worldwide (potentially rising to 3.5 million by the end of 2021).

The severe shortage of skilled cybersecurity professionals continues to be cause for alarm since a strong, smart digital workforce is essential to combat the more frequent, more sophisticated cybersecurity threats emanating from around the globe.”

 In an article by Networks That Work, they added, “Hackers have many tactics they can use to infiltrate your network, and small to medium-sized companies are often the easiest to hack. 

The Guessing Game: Passwords and PINs

Passwords and PINs are meant to protect you, but could they actually be putting you at risk? We all know that we need to change our passwords frequently, and avoid using common or obvious phrases and keywords. Today, features like Touch ID and facial recognition are useful because the user does not have to remember a complex password, and the hacker has greater difficulty stealing that complex data. 

Many of our passwords are simply too easy to guess. Some of the contents of our most common passwords, like a maiden name or birthday, are easily exposed during data breaches. Other hints can be found on our public social media profiles. For example, does your employee’s Instagram account have a picture of his or her dog with the name mentioned in the caption? Now the hacker knows to try different variations of the pet’s name. Complex passwords and two-factor authentication are good defenses against these guessing games, but are no guarantee.                     

Personal Problems: Human Error

The overarching theme of each hacking tactic outlined here is a strong reliance on human error. Even with well-trained and well-meaning staff, mistakes are inevitable. These days, as your employees get smarter, unfortunately so do the hackers. The hacking arsenal continues to grow more sophisticated, and it can be challenging to keep up with the latest tricks.”

How to Reduce The Risk Of Human Error Cyber Attacks Remotely

In a terrific article by usecure, they write, “When thinking about the threats facing a remote workforce, many will think of the lack of IT infrastructure, use of own devices and other IT infrastructure issues that may occur. However, there is also a much larger risk of human error leading to an organisational threat such as malware or cybercrime. 

When employees are working remotely, they will be more easily targeted for phishing campaigns. They will be more susceptible to social engineering attacks, or even simply physical risks such as leaving important documents in unsafe locations. 

As many businesses have found, there are plenty of advantages that can come from remote working. However, managing this human error remotely can seem like an impossible task, but there are tools and tricks that can help you monitor and empower your workforce, to reduce the risk of human error to your business.

How to Prevent Email Vulnerabilities and Phishing Attacks

As employee’s are isolated, and working on personal devices, hackers have assumed they are more susceptible to phishing attacks. This is perhaps true, as they may be swapping from personal and private accounts on devices, be communicating more through channels such as text and email, and therefore more likely to fall for a phishing attempt. 

Increase in spear-phishing. Some have even reported up to a 30,000% increase in phishing attacks during the Covid-19 Pandemic.

Always ensure end users are aware of the potential risks of clicking links on emails, even if they seem legitimate as the one above. There are a few recommended steps to take to be able to spot a phishing emails

  • Look at the email address. Often they will be dissimilar or a faked version of the real company’s email
  • Look for spelling errors. Spelling errors are common in phishing emails. It’s even been suggested this is done intentionally, to weed out the more discerning users. 
  • Think if you’ve requested this information. If you haven’t actively asked for a link, get in contact with the company to see if it is legitimate. 
  • Stop if the email has a sense of urgency. Often phrases such as ‘CLICK NOW’ try and encourage an immediate response, suggestive of a phishing email.

Risks and solutions for Bring Your Own Device (BYOD)

Using personal devices is becoming increasingly common in the workplace, as people gain access to much more integrated, internet-connected devices. This can include anything from smartphones, tablets, laptops and more. In a more flexible and remote working environment, BYOD policies will become increasingly common. Therefore, it’s important to make sure that these devices have been properly secured. 

Risks of using personal devices: 

  • Devices being lost or stolen. This can cause an issue because of the sensitive information that might be lost or leaked from these devices.
  • Man-in-the-Middle Attacks. If BYOD policies are poorly managed, attackers may exploit them in order to intercept sensitive information. This could be done by eavesdropping at public Wi-Fi networks used by remote workers, or by attackers placing themselves within range of the company Wi-Fi network. [Always use a VPN on every device.]
  • Insider attacks. These could be either deliberate attempts to access data (sabotage), or accidental (negligent data-handling) incidents, such as employees printing off sensitive company information at home or accessing confidential data via an unsecured network.
  • Shoulder surfing. Unauthorised users may also attempt to view sensitive company information shown on the screen of your personal devices.
  • Malware infection. This could come about through employees opening malicious emails on BYOD devices, using these devices on unsecured public networks or by visiting bogus/harmful websites in their own time. [Make sure you have malware protection on every device… yes, including cell phones.]

How to Protect against them:

  • Patching and malware protection. These become the responsibility of the user, as the company does not manage the device. 
  • Avoid storing data on your personal devices. Try to avoid storing data on your personal devices when possible, even if you need to access it sometimes. This protects confidentiality if a device is lost, stolen or accessed by a cyber criminal. Instead, try accessing data from the cloud instead. 
  • Protecting all devices with strong passwords or biometric data such as fingerprints. This includes using a different password for each device and account. You should also make sure your passwords are complex and known only to yourself!
  • Enable multi-factor authentication. This includes a combination of something you know (eg. your password), you have (eg. a finger-print scan) and/or a security code/token. These additional layers make it more difficult for unauthorised users to access sensitive information. If one factor is overcome, attackers still have to bypass at least one more barrier to obtain anything valuable.
  • Software to remotely erase your device if lost or stolen. If the worst case scenario were to happen and you lost your device, you should have already installed software that means you can remotely erase your data. This can be a last resort if you feel your device is now in unsafe hands.  

Social Engineering

Employees are working different hours, which may mean [working outside] the standard 9-5 operating hours. This puts them outside the help of the security team. It is also especially easy to launch a social engineering attack when employees are working remotely due to the different nature of communication, imitating and manipulation can be much easier online.

Hacker’s may try to imitate: 

  • Your CEO or another member of management. The social engineer could send you an email or text message that claims to be from someone with authority, and ask you to hand over information or make a payment.
  • A member of IT support staff. An attacker could call into your office and claim to be from your IT support team. They could then ask you for your passwords or for other confidential information.
  • Any colleague. A classic social engineering tactic involves simply hanging out in communal areas and getting involved in confidential conversations or following staff members through locked doors into secure areas.

What To Do To Prevent A Social Engineering Attack

  • Whenever a new person from your clients’ or partners’ organisations contact you for the first time, always verify their identity first or check with someone who has worked with them before.
  • If a plumber, repairman, IT support team member or anyone else requests to be let inside the company’s premises, always ask to see their ID first. If they are who they say they are, they will always be carrying ID on them.
  • Never share or give your passwords to anyone. A legitimate member of IT staff would never ask for your password.
  • Never plug in devices to your computer unless you are completely certain of their owner and their contents.
  • Contest people attempting to tailgate, or people walking in the premises without an ID. 
  • If you’re not certain of who you are speaking to over the phone or over email, call back the person or organisation who you believe you should be speaking to directly.

Data security best practices when working from home

In an article by Scale, they write, “Your workplace probably has a network firewall that prevents third parties from accessing information from the outside. The same happens with your work computer. It has firewalls that prevent hackers from accessing company data.

For data security, however, working from home is a bit different. With the speed at which businesses like yours have had to start working remotely, there wasn’t time to conduct risk assessments. There also wasn’t time to install measures to reduce identified risks.

Just remember that for hackers, stealing data off of home or public computers is a low-risk, high-reward operation. Fewer challenges for them means easy work.

Use these data security best practices to avoid or reduce the risk of data theft when working from home…

Encryption

Data encryption is how you convert information into other forms to prevent unauthorized access. For example, with two-factor authentication, a second security key has to match yours in order to access the information. Encryption is one of the most important data security and best practices measures that you should adopt for all work-related information.

You can also encrypt your devices’ hard drive. This way, if you lose your personal or work computer through theft, no one will be able to access confidential information. To prevent firewall breaches that can happen while using home Wi-Fi, you can encrypt your router before using it for work-related purposes. This way, even when sensitive information lands in the wrong hands, they will not be able to gather any meaning from it without the security key.

Using work devices

Using your work computer only for work-related activities reduces the risk of third party access to sensitive information. The work device may already have firewalls to improve data protection. Also since most work devices only contain necessary applications, you are less likely to be exposed to malware and other cybersecurity threats.

Following your company’s security protocols

This is the best way to protect data when working remotely. If your company has a security checklist, always ensure that you’re following it. Some common company essentials for a secure setup include two-factor authentication, intrusion prevention through Cyber Security services, and company-designated virtual private network (VPN) licenses.

You should also secure your home router, install the latest security patches on your software, and use strong passwords. Together, these will better ensure data safety now and in the long run.”

Categories
Archives