Thousands of Americans suddenly working from home has brought uncertainty into how companies operate. It's also tested network capacity and opened up organizations to security risks.
"If you suddenly put 500 employees at home, you now have 500 brand new attack surfaces that are visible to the internet that you didn't have before," Tom Arnold, co-founder and principal of Payment Software Company, part of NCC Group, told CIO Dive in an interview.
Home networks are not necessarily as secure as an office network, so business email compromise, credential phishing, malware and spam email campaigns have a better chance of working and doing great harm.
But whose responsibility is it to secure the home network – the employee's or their employer's? Both.
COVID-19 presents opportunity to hackers
As the pandemic has grown, so have cyberattacks. Starting in late January, Proofpoint saw an increase in business compromise emails – phishing – that prey on virus concerns.
"Threat actors are actively using COVID-19 social engineering themes to try to take advantage of remote workers, health concerns, stimulus payments, trusted brands, and more," Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told CIO Dive in an email. "As the pandemic has occurred over a number of weeks, and remains an area of concern worldwide, the overall collective volume of lures only continues to increase."
And phishing attacks continue to be successful. Even before the pandemic, PwC ran a simulated phishing attack on mid- to large-sized financial institutions and found 70% of phishing emails made it to their targets, and 7% of recipients clicked on malicious links.
Work with employees, on their level
Responsibility for stopping attacks is "ultimately with the person at home, but it's going to be the organization's information security people who have to provide those individuals the help they need" to be successful, Jeffrey Goldberg, chief defender against the dark arts of 1Password, told CIO Dive in an interview.
Companies should not expect all of their employees to be IT people; nor should companies overwhelm those suddenly working from home with a long list of things they must do right now, said Goldberg.
Instead, help them do things "incrementally. If you tell them to make sure you update absolutely everything all at once, it's just too big of a burden," he said, especially given the extra stress and anxiety in the world right now.
Start with "low hanging fruit," said Goldberg. That includes making sure the computer, their web browser and the tools they most often use go through regular security updates. "A huge majority of compromises on people's desktop and home computers is through exploiting vulnerabilities that have already been patched by the vendor," he said.
IT can guide employees on how to update their router, and make sure they're not using the default password.
This can be a tricky process for those who aren't necessarily IT savvy, so those guiding employees must be patient and compassionate.
"For some organizations, you suddenly have a bunch of people working remote and many of them aren't software developers. It's a very hard thing to ask, so before you start asking, make sure that you have the support system set up to help people," Goldberg said.
Protect company devices, or deploy new ones
For organizations that send employees home with devices, Arnold suggests protecting those devices with whitelisting software, which stops any attempt to reconfigure the hardware, whether by an employee or by a hacker who breaks in.
"Think of an alarm system that works inside the computer but also locks the configuration of a computer," he said. "The employee can't accidentally install something."
If an employee does click on something that then tries to install malicious software, the whitelisting software stops the process.
Companies should consider sending employees home with devices, or deploying new devices, said Arnold, especially because in some homes, one computer may serve the entire family. Not everyone sets up separate accounts for each user on a home machine.
"While it would be easy to say 'don't do that,' trying to get those changes are going to be really hard," said Goldberg. "A cheap computer for doing work may turn out to be the appropriate solution."
And be prepared for mistakes, on the part of both employees working from home and IT teams trying to make sure they can do so safely, said Arnold.
"I worry about the IT departments of these companies, and I don't care how big they are," said Arnold. "When you suddenly have to deploy that many laptops in that short of an amount of time, humans make mistakes. Just because we're human beings, those mistakes will be exploited, and that's what [hackers] are scanning for."
Correction: This article has been updated to correct 1Password attribution to the proper speaker.