Remote workers targeted

Attackers look to exploit any weakness. Now, as an added incentive, they have the vulnerabilities laid bare by home working.

“We’re definitely seeing an uptick in phishing related to the coronavirus – for example, malware masquerading as fake antivirus, and VPN solutions all aimed at capitalising on the change to remote working.” So says Dr Duncan Hodges, senior lecturer in Cyberspace Operations, Cranfield University.

“We can expect to see an increase in attacks targeting remote desktop solutions and video conferencing software. This is particularly likely to be a problem where products have laid dormant without being updated or only used within a corporate network for a period of time and are now being made available outside the traditional corporate network – the recent BlueKeep attack vector is one we’re likely to see increasingly over the next week or so.

“Traditionally, a home network has been considered a less secure part of a corporate network. As well as your corporate laptop on the network, there will also be your family’s personal computers, tablets and phones, as well as a host of smart home devices. Your network will only be as secure as the most vulnerable of these devices.”

Also, more of the corporate data will be moved to cloud hosting solutions to allow for remote working, Hodges points out. “Whilst some of this will be within corporate solutions, it would be naïve to think that there won’t be an increase in data being moved to shadow IT infrastructure. This is where data is moved to other personal solutions outside a corporate network, because an employee ‘needs to get a job done’ and the corporate solutions don’t work – for example, using personal email accounts or accounts on Dropbox. This move of data to external cloud providers could increase the risk of a data breach.”

He also highlights the risk of increased working on unsecured wireless networks and advises that, whenever using these public infrastructures, it’s worth considering using a virtual private network (VPN). “These create an encrypted tunnel over an insecure network; your network traffic then flows down this tunnel and protects your data from others. Your employer may provide a VPN solution for you to use – alternatively, there are a number of free products, such as Proton VPN, which offer a good service.”

If you’re a business, consider the National Cyber Security Centre’s Cyber Essentials programme. “This outlines a number of simple steps to improve your cybersecurity – you don’t need to go through the certification process, but there is some really easy to follow advice.”

Finally, as we move to Work 4.0, where one change is the move to more flexible working conditions, Hodges states that it is likely businesses will need to adapt to these changing responsibilities (and indeed the changing responsibility of staff to their employers). “What we’re seeing in COVID-19 is an acceleration of that requirement. Lots of businesses will now have to manage home working on a larger scale than they have done in the past, but the lessons we learn over the next weeks and months will hopefully help us critically look at how businesses, and we as security professionals, are going to support a wide variety of staff who are working from home for extended periods of time.”