We are pleased to share this latest guest blog from ICMIF Supporting Member organisation CyberScout. The blog was originally published on the organisation’s website and the article is reproduced here for the benefit of ICMIF members with their kind permission. For more information please contact: Tom Spier, Commercial Director – Global Markets @ CyberScout
The Covid-19 pandemic has now caused many cities and municipalities to enact shelter in place or stay at home orders. With the spread of novel coronavirus, daily life has been affected in unprecedented ways. Working at home and home-schooling measures mean that millions of people around the world are using video conferencing for the first time. With this surge in new users, there will be many cybersecurity challenges.
When it comes to flattening the curve of Covid-19, we know it’s important to be mindful about what you touch. The same goes for the online environment.
And while the thought of riding out a global pandemic from home has a certain appeal, it’s not the easiest thing to pull off safely. Here are some tips to help keep your remote workforce secure.
What can you do?
Pick a secure video conferencing service:
Now that more businesses, schools and organisations rely on video conferencing software for day-to-day communication, the security of those platforms, always an issue, is mission critical. Software companies have begun offering free, enhanced versions of their teleconferencing apps to accommodate the sudden shift to remote work.
When selecting a platform, ask the following questions:
- Free is never free: When a service is free, the provider is often collecting information it can monetize. Go into the settings of whatever platform you use and set privacy as tightly as possible.
- Does the service allow attendees to take screenshots, and does it notify you if they do? Sensitive information can be gleaned from the images captured during a video conference: a post-it with a password on the wall behind your desk, a picture from your private life or a bank statement can be accidentally shared with attendees.
- Does it allow sessions to be recorded? Everything above applies doubly here, because many conferencing services let users record sessions for future reference. Any recording, yours or a colleague's, represents a major data risk: know where recordings are stored, who can access them and how long they are kept.
- Does it allow a virtual background? Virtual backgrounds do more than hide a messy home office: they conceal personal details (family photos, documents, the view from your window) that a bad actor can use to profile or locate you. Unless you are speaking with trusted associates or friends, the less attendees can see, the better.
- Does it allow a participant to pin another attendee's video and view it at full size? The worst outcome is not an embarrassing screenshot posted online; images saved by a bad actor can be used to work out where you live and other compromising details.
- Is there known malware or a poor security record associated with the service? Vendors will usually scramble to patch a vulnerability before it becomes public knowledge, but a single attendee running an old, unpatched client can still expose the meeting, because whatever is shared with that client is only as safe as the client is. Look for a platform that publishes detailed information about its security practices and that forces attendees onto a supported, current version.
- Does it provide end-to-end encryption? Public and shared wi-fi can expose user data to man-in-the-middle attacks. Any reputable service already encrypts traffic between your device and its servers (TLS), which is what protects you on a cafe network; end-to-end encryption goes further, so that the provider's own servers cannot read the audio and video either. Check the vendor's definition, because some describe plain transport encryption as "encrypted meetings". (None of this stops anyone within earshot from eavesdropping, so exercise caution and common sense.)
- Does it allow you to change your display name, create a burner number or otherwise conceal your identity? One of the most effective tricks a hacker has for compromising a business is spoofing (i.e., pretending to be a co-worker, colleague or associate). Prefer a platform that makes it difficult to conceal or change identities, and confirm that the person you are communicating with is who they say they are before sharing any information. It is good practice to ask every attendee to announce themselves at the start of a meeting.
- Can meetings be restricted to attendees with PINs? Access to meetings can and should be invite-only. A secure platform will also provide a means of authenticating attendees, such as a per-meeting passcode or a host-controlled admission step. If you are using one that doesn't, consider changing to one that does.
- In large meetings, are participants spread across multiple pages of the gallery view? This matters because uninvited guests who join late can lurk on a later page, showing only a phone number, which is easy to miss in a meeting with 50+ attendees. Check the full participant list, and lock the meeting once everyone expected has arrived.
Secure your webcam
While observing social distancing practices may help “flatten the curve” and slow the rate of new infections, many of the webcams used to host playdates, work sessions, and everything else that has migrated to a little screen create new opportunities for hackers.
Internet of Things (IoT) devices have earned a well-deserved reputation for lax cybersecurity, and internet-connected cameras are no exception.
Not worried? You should be. Unsecured webcams make up three of the five most popular searches on Shodan, an IoT-centric search engine that specializes in identifying insecure devices online.
Here are a few things you can do to protect your privacy while working and schooling from home:
- Update default passwords: Many webcams come with a default login and password, typically something like admin / admin. Not changing this the moment you take the device out of its box is the digital equivalent of leaving your front door unlocked and open. Change these default settings to something difficult for others to guess, and don’t reuse passwords from other accounts.
- Check to see if there are any updates or patches: If a manufacturer has discovered a vulnerability in their product, they’ll often release a software patch. Make sure you’re running the most current version of the software that comes with your camera. If you’re using a built-in camera on your laptop or computer, keep your operating system and security software up to date as well.
- Turn it off/cover it when not in use: If you're using an external webcam, the easiest way to make sure you're not being ogled by hackers is to disconnect it when you're not using it. If you're using a laptop, consider a slide cover or reusable sticker over the camera when you're not using it. A sticker does little for the microphone, so mute it in the operating system's privacy settings or unplug external mics when they are not needed.
- Consider setting up a firewall: One of the main ways that hackers find and access non-secure web cameras is by probing networks for points of entry. It's simpler than it sounds: as the Shodan example above shows, it's not much more complicated than performing a search on Google. Setting up a firewall, or configuring your internet router to block unwanted incoming traffic and to stop forwarding ports to the camera, adds another level of protection between your home devices and hackers.
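To see what such a probe finds on your own network, here is an added example, not code from CyberScout or the original article: a small Python check that asks which of the ports IP cameras typically listen on are open on a given host. The port list is an assumption, and the fake_device() helper only stands in for an exposed camera so the script can be tried offline against 127.0.0.1. Run it against your camera's or router's LAN address; any port it reports is also what an Internet-wide scanner sees if your router forwards that port.

```python
"""Which camera-style ports does a host on my LAN expose?

Added example, not CyberScout's code. Run it against your webcam, NVR or
router's LAN address. Every port it reports is what an Internet scanner
would also see if your router forwards that port to the device.
"""
import socket
import sys

# Ports IP cameras and their admin interfaces commonly listen on.
# Assumption: a sensible starting list, not an exhaustive one.
CAMERA_PORTS = {
    80: "HTTP admin page",
    443: "HTTPS admin page",
    554: "RTSP video stream",
    8000: "vendor control channel",
    8080: "alternate HTTP admin page",
    37777: "vendor control channel",
}


def open_ports(host, ports=CAMERA_PORTS, timeout=0.5):
    """Return {port: label} for each port that completes a TCP handshake."""
    found = {}
    for port, label in sorted(ports.items()):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means connected
                found[port] = label
    return found


def fake_device(host="127.0.0.1"):
    """Stand-in for an exposed camera: a listener on an ephemeral port.
    Constructed for this example so it can be tried offline; the caller
    reads the port from srv.getsockname()[1] and closes srv when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def closed_port(host="127.0.0.1"):
    """Pick a port the OS just handed out and released, i.e. one that is
    almost certainly closed, to show a negative result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def report(host, ports=CAMERA_PORTS):
    """Human-readable lines, one per open port."""
    exposed = open_ports(host, ports)
    if not exposed:
        return [f"{host}: none of the checked ports are open"]
    return [f"{host}:{port} open ({label}) - change default credentials, "
            f"patch, or stop forwarding it at the router"
            for port, label in exposed.items()]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    if target == "127.0.0.1":
        # No argument given: demonstrate against a fake exposed device.
        dev = fake_device()
        demo_ports = {dev.getsockname()[1]: "fake camera (demo listener)",
                      closed_port(): "nothing listening"}
        print("\n".join(report(target, demo_ports)))
        dev.close()
    else:
        print("\n".join(report(target)))
```

Run it with no argument for the offline demo, or pass the camera's LAN address. An open port on the LAN is not by itself a problem; the question is whether the router also forwards it (check the port-forwarding and UPnP pages of the router), and whether the service behind it still answers to the factory password.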
There’s a level of cyber-risk involved with any device that’s connected to the internet, but webcams, especially when not secured, offer an intimate and deeply personal level of access to would-be hackers. A few simple precautions can help to protect your privacy and keep prying eyes out of your home.
Beware phishing links
The Covid-19 outbreak has meant more people relying on email as a primary source of communication and hackers have taken notice. Be extremely cautious when opening any attachments or clicking on links sent via email or text.
The risks are not new, but the stakes are higher: ransomware that lands on one machine can cut off your communication with a dispersed workforce, and with everyone remote there are fewer hands available to get systems back online.
Additionally, hackers will be looking for opportunities to break into companies during this mass change of behaviour. Other attack vectors include phishing via text message (smishing) and vishing, where someone calls and poses as an employee or as IT support.
If employees are accessing company data assets on a work network, consider requiring a virtual private network (VPN) for them to connect.
Using a VPN provides two important cybersecurity benefits. First, a VPN routes the employee's traffic through your network, so transmitted data gets the same firewalls and network-level protections available on site. Second, a VPN limits who can reach your internal systems to authenticated VPN users, which makes usage anomalies easier to spot.
Even if you don't have the time (or perceived need) for a corporate VPN, you might want to at least consider providing a commercial VPN to employees who are connecting to your network via public Wi-Fi. Many people who don't typically work from home rely on cafes, libraries and publicly accessible internet connections to work remotely, and a good VPN provider can add a layer of encryption between the device and the provider's servers. Bear in mind that this shifts trust to the VPN provider, which can see the traffic the cafe no longer can, so pick one with a clear logging policy.
Confirm email communications
A major tactic used in phishing scams is Business Email Compromise (BEC), where seemingly innocuous emails are sent from a known co-worker or colleague to get sensitive information such as network access, payment information or even money transfers.
“BEC is a very damaging form of phishing, one that riffs off the whaling method, where the hacker’s goal is to trick a C-suite employee into clicking a link or opening an attachment,” says CyberScout founder Adam Levin. “BEC turns the whaling method around, spoofing the email of a higher-up and sending an urgent communication to someone in a position to wire money.”
Google and Facebook were both hit with this tactic, losing around $100 million between them in a scheme prosecuted in 2019. If anyone in your office gets an email asking for anything potentially sensitive, follow up by phone, Slack, text message, etc., using contact details you already have rather than any given in the email. Never act on an email alone, even if it looks legitimate.
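As an added example (not CyberScout's tooling), the following Python parses a raw email and flags the usual tells of a BEC message before anyone picks up the phone: an executive's display name on an outside address, a Reply-To pointing somewhere else, an internal sender address with no SPF/DKIM pass recorded by your gateway, and urgent money language in the body. The trusted domain, the executive list and the two sample messages are assumptions constructed for the demo; in practice the first two come from your own mail setup and staff directory.

```python
"""Flag the tells of a business email compromise (BEC) message.

Added example, not CyberScout's tooling. TRUSTED_DOMAINS, EXECUTIVES and
the sample messages are assumptions constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}           # assumption: your organisation's mail domains
EXECUTIVES = {"alice chen", "ceo", "cfo"}   # assumption: names attackers like to impersonate
URGENT_MONEY = re.compile(
    r"\b(wire|transfer|payment|invoice|gift cards?|urgent|immediately|confidential)\b",
    re.IGNORECASE)


def domain_of(addr):
    """'bob@Example.com' -> 'example.com'; '' when there is no @."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def plain_text(msg):
    """Concatenate the text/plain parts (a non-multipart message is its own part)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")


def bec_warnings(raw, trusted=TRUSTED_DOMAINS, execs=EXECUTIVES):
    """Return a list of human-readable warnings; an empty list means no tells found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    warnings = []

    # 1. Executive's name on an address outside the organisation.
    if from_dom not in trusted:
        warnings.append(f"sender domain {from_dom!r} is outside the organisation")
        if name.strip().lower() in execs:
            warnings.append(f"display name {name!r} impersonates an executive")

    # 2. Reply-To quietly diverts the conversation to a different mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        warnings.append(f"Reply-To {reply!r} diverts replies away from {addr!r}")

    # 3. Claims to be internal, but the gateway recorded no SPF/DKIM pass.
    auth = msg.get("Authentication-Results", "")
    if from_dom in trusted and not re.search(r"\b(spf|dkim)=pass\b", auth):
        warnings.append("internal sender address with no SPF/DKIM pass recorded")

    # 4. Urgency plus money is the BEC script.
    hits = sorted({m.group(0).lower() for m in URGENT_MONEY.finditer(plain_text(msg))})
    if hits:
        warnings.append("urgency/money language: " + ", ".join(hits))
    return warnings


# Constructed samples. example.net stands in for a lookalike domain an
# attacker registered; example.org for a throwaway webmail account.
SPOOFED = """\
From: Alice Chen <alice.chen@example.net>
To: bob@example.com
Reply-To: alice.chen.ceo@example.org
Subject: Quick favour
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net

Bob, I'm in a meeting and can't talk. I need an urgent wire transfer to a new
vendor today. Keep this confidential until I'm out.
"""

GENUINE = """\
From: Alice Chen <alice.chen@example.com>
To: bob@example.com
Subject: Q2 planning
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Bob, could you send me the Q2 planning deck before Thursday's meeting?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        flags = bec_warnings(raw)
        print(f"{label}: {'no tells found' if not flags else ''}")
        for w in flags:
            print("  -", w)
```

The script is a triage aid, not a verdict: a clean result only means none of these four tells is present, so the out-of-band phone call before any transfer still stands. Feed it the raw source of a message (most mail clients offer "show original" or "view source"), since the Authentication-Results header it relies on is only present in what your own gateway received.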
Require 2-factor authentication
Having a workforce suddenly connecting remotely means that it's harder to distinguish between legitimate activity and potentially compromising activity. Add two-factor authentication so that checking an email account or connecting to a shared network drive requires a second means of verifying identity beyond the password. An authenticator app or a hardware security key is stronger than a text message, which can be intercepted or redirected through SIM swapping, but even SMS codes are far better than a password alone.
Consider providing hardware to employees
Providing equipment for remote employees can be expensive, but it can also save money in lost time and resources due to poor cybersecurity (data breaches are expensive, often catastrophically so). If you are going to have a remote workforce, providing the hardware that they’ll be working from means you can ensure a fully up-to-date and patched device and even put restrictions on their ability to install sketchy or non-secure software.
If necessary, send employees home with computers to work on if they don’t have home equipment that’s up to the task. Be sure to check with your IT support regarding licenses and other possible configurations that may need to be updated in order for the system to properly function elsewhere.
Much like the thought of a global pandemic, the prospect of a cyber-attack on a workplace can be frightening, but it shouldn’t be met with panic. By following a few basic best practices, it’s easier to maintain a relatively secure workplace, even when employees are connecting remotely.
Why is this necessary?
Hackers and scammers never let a crisis go by without exploiting it, and Covid-19 will be no exception. As soon as the outbreak began making headlines, phishing emails showed up in inboxes around the world, some posing as medical or health organizations, others as trusted news sources. While phishing emails are nothing new, these campaigns have been widespread and, to date, successful enough that the Secret Service and FTC have issued warnings urging extreme caution when reading emails or opening attachments related to the novel coronavirus pandemic.
How do remote workers figure into it?
It goes without saying that everything was not secure or cyber-safe before Covid-19. Any business with at least one computer, mobile phone, or internet-connected device was and continues to be threatened on a regular basis by a wide array of malware, phishing scams, data leaks, ransomware, and more.
“This new situation has drastically increased our collective attackable surface,” Levin warns. “A spike in new cyber-attacks is inevitable when an entire workforce is connecting remotely.”
An entire office can operate on a single network with the bulk of its internet traffic channeled through that single internet connection. This makes it easier to implement a firewall and security software specifically designed to block suspicious traffic and known threats.
In an office setting, IT and tech support staff usually have access to all devices connected to a company’s network, and for that reason can ensure software and firmware is patched and up to date. While that doesn’t protect fully against cyberthreats, it provides greater oversight and protection than workers have from their homes.
Flatten the cyber threat curve
When workers access your company’s network from outside the workplace, the number of potentially vulnerable access points grows with every home router, personal laptop and phone that joins it. It increases an organisation’s attackable surface.
An email that may have been stopped at your office firewall can be transmitted freely to a laptop on a residential connection, a USB key or removable drive with malware might be used to transmit files, or an employee working from a cafe (there are still many open) might have their laptop stolen or their data intercepted through a public wi-fi connection.
There’s an added level of stress in trying to factor cybersecurity into the adjustment to the Covid-19 work-at-home situation, and that’s precisely what hackers are counting on. While the current work situation is temporary, the damage caused by a malware infection or data breach can be permanent. Plan accordingly, and encourage everyone in your office to do the same. Data hygiene is like public hygiene: it only works during a time of mass vulnerability if everyone practices it.