Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
Kicking off the month, we will be looking at challenges for the remote team, specifically the vulnerabilities employers and employees must consider when choosing whether to work from home (WFH) or go into the office. Read on to hear from experts in the field, including Simon Eyre, CISO at Drawbridge, and Stuart Davey and Rebecca Townsend, partners at Pinsent Masons, on how cybercriminals have been able to exploit remote working using traditional attack methods like phishing.
A new working scene
Working from home has created a dynamic in which many people now handle confidential data in a place of comfort, which naturally leaves them less alert and more prone to mistakes. James Bore, Director of Bores Consultancy, said, “Companies enabling WFH need to consider threats against their employees as individual people in addition to as employees, since the two environments are now so fundamentally intertwined that threats which impact one can and will impact the other.”
Findings from Kaspersky showed that, despite criminals adopting new types of malware, traditional means like phishing were still incredibly common. As a result, the cybersecurity company listed advice for employees to avoid falling victim to these attacks, which included using separate email addresses, one for personal use and one for business use. However, as Bore pointed out, the two worlds are merging, making it easier to make a mistake or become complacent, and potentially giving attackers a route in to personal data.
Andrew Hindle, Chair, IDPro, pointed out that “By and large, the basic risks [of WFH] are no different; it’s just the volume, frequency and likelihood of those risks which may increase. Malware (including Ransomware) risks increase, particularly if hardware is not under the control of corporate IT and/or is not equipped with proper endpoint protection. Risks from out-of-date software versions can increase as well.”
“A subtle aspect which is often overlooked is the risk that arises from colleagues simply being less aware because they are ‘at home’ and not ‘at work’. Increased awareness reminders or training may be helpful.”
Phishing and other attacks on the rise
The pandemic’s push to digitise has forced many companies to collaborate with one another in order to counter the rising threat from criminals and the new and improved attack methods they are using. Atlas VPN found that many SMEs that enabled employees to WFH suffered phishing attacks (41 per cent), web-based attacks (40 per cent), general malware attacks (39 per cent) and denial of service attacks (12 per cent), with malicious insiders using legitimate data for personal benefit also affecting companies (19 per cent).
Commenting on this, Jason Dowzell, CEO and co-founder of Natural HR, said, “The rise in phishing scams throughout the pandemic has been alarming. Research estimates that phishing incidents rose by as much as 220 per cent during the height of the global pandemic. A companywide email, seemingly from your IT team, saying as part of ongoing security measures everyone needs to reset their passwords and should click a link to do so is a classic example of a phishing attack. But cybercriminals are increasingly intelligent in designing their ruses, modifying their communication in line with the time of year perhaps regarding Christmas bonuses or the end of the financial year.”
Stuart Davey and Rebecca Townsend from Pinsent Masons spoke to The Fintech Times, echoing Dowzell’s views: “We have seen a number of serious incidents arising because of issues concerned with working outside of the normal office environment. Vulnerabilities in VPNs or remote desktop protocols can be more readily exploited when employees are working remotely. Our experience is consistent with the 2021 ENISA report. It found that brute-forcing on Remote Desktop Services (RDP) was one of the most common ransomware infection vectors.
“The threat of email related attacks remains. Whilst phishing has long been a risk in the workplace, remote or otherwise, this risk is increased when employees are working from home due to the human element of phishing attacks. Emails are now a primary form of communication which has led to a reduction in email formality. More allowance is therefore given to a typo, informal language or syntax error which may previously have flagged a potential spam email. All of these factors are compounded by the lack of physical presence of colleagues to sense check with.
“In addition, the multiple IT changes that companies have rapidly gone through in response to remote working means that user interfaces have changed. This makes it harder to identify unusual email formatting or styles. An increase in email traffic from IT also leads to a “tuning out” of IT updates. These changes mean that a sophisticated phishing email purporting to be from the IT team with a link to access another security update may be perceived as completely normal by the recipient.”
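The RDP brute-forcing that Davey and Townsend cite from the ENISA report leaves a characteristic trail on the target host: a burst of failed logons of the RemoteInteractive type from one source address, often across many usernames. The following is an added example written for this article, not code from the interviewees, ENISA or The Fintech Times. It runs a sliding-window detector over a few constructed log lines in a simplified Windows Security Event shape (event 4625 is a failed logon; logon type 10 is RDP); the line format, the five-failures-in-two-minutes threshold and the IP addresses are assumptions chosen for the demonstration.

```python
"""Detect RDP brute-forcing from failed-logon events (added example).

Input lines are a constructed, simplified rendering of Windows Security
events: <timestamp> <event_id> <logon_type> <source_ip> <target_user>.
Event 4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
Threshold and window are assumptions for the demo, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers several accounts over RDP,
# one user mistypes a password once, and some non-RDP (network) failures
# from the attacker's IP should not count towards an RDP alert.
SAMPLE_LOG = """\
2021-03-02T08:00:01Z 4625 10 203.0.113.45 administrator
2021-03-02T08:00:03Z 4625 10 203.0.113.45 admin
2021-03-02T08:00:04Z 4625 10 203.0.113.45 backup
2021-03-02T08:00:06Z 4625 10 203.0.113.45 jsmith
2021-03-02T08:00:07Z 4625 10 203.0.113.45 finance
2021-03-02T08:00:09Z 4625 10 203.0.113.45 scanner
2021-03-02T08:05:00Z 4625 10 198.51.100.7 jsmith
2021-03-02T08:05:30Z 4624 10 198.51.100.7 jsmith
2021-03-02T09:00:00Z 4625 3 203.0.113.45 jsmith
2021-03-02T09:00:01Z 4625 3 203.0.113.45 jsmith
"""

FAILED_LOGON = "4625"
RDP_LOGON_TYPE = "10"
THRESHOLD = 5                  # failures per source inside the window (assumption)
WINDOW = timedelta(minutes=2)  # sliding window length (assumption)


def parse_events(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": event_id,
            "logon_type": logon_type,
            "src_ip": src_ip,
            "user": user,
        })
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: (failure_count, distinct_users)} for every source
    that produced at least `threshold` failed RDP logons within `window`.

    distinct_users is reported because a high value on a single source is
    the signature of password spraying rather than a forgotten password.
    """
    recent = defaultdict(deque)  # src_ip -> failed RDP events in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src_ip"]]
        q.append(ev)
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            users = {e["user"] for e in q}
            prev = alerts.get(ev["src_ip"])
            if prev is None or len(q) > prev[0]:
                alerts[ev["src_ip"]] = (len(q), len(users))
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {count} failed RDP logons against {users} accounts")
```

On the sample data only 203.0.113.45 trips the detector; the single failure from 198.51.100.7 and the later network-type (logon type 3) failures are ignored. In a real deployment the same logic would read from the Security event log or a SIEM, and the natural response is to expose RDP only behind a VPN or gateway with MFA rather than to the internet at all.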
Despite this, not all hope should be lost for businesses, noted Dowzell: “One of the simplest tactics for employers to mitigate the risk of these vulnerabilities when working from home is by delivering regular cybersecurity awareness training. This is key to keeping your employees abreast of any new threats, updates to data protection legislation and your company policies and procedures. Training should begin as early as an employee’s onboarding and continue at regular intervals throughout their tenure.”
How does going into the office make a difference?
Training is a necessity to ensure that employees working in a comfortable space with their guard down are not more susceptible to costly attacks. However, one of the biggest drawbacks of WFH is the lack of peer-to-peer learning. Despite being stereotypically more digitally savvy, more than one-fifth (23 per cent) of people from Gen Z and the Millennial generation have fallen victim to phishing emails in the past, more than their older counterparts, who have had the benefit of peer-to-peer learning in the office.
In addition to phishing scams, Gen Z and Millennials were also found to be the most vulnerable to other types of cybersecurity threats. Just over half (52 per cent) of people from these generations have had a password stolen or at least know someone to whom this has happened, while 48 per cent have also had a social media account hacked or hijacked.
“While younger generations are more tech-savvy, they are also very accustomed to doing everything online — from communicating with friends to shopping or conducting financial transactions,” says Ruth Cizynski, Cybersecurity Researcher and author at Atlas VPN. “This daily use of the Internet from a young age makes them less cautious about engaging online or giving out their personal information.”
Simon Eyre, CISO at Drawbridge, supported these findings, saying, “People breaking protocol and doing everything over email (and suffering from impersonation attacks) was very real.
“Lack of proper employee training resulted in an increase in impersonation attacks while remotely working. We saw clear examples of broken protocols and procedures happening as a result of completing business over email, lacking the personal verification that would come from being in an office. We also saw examples of spoofed websites (portals into cloud services) used to steal credentials and perform relay attacks into the legitimate websites.
“The shift to work from home demonstrated the technical controls that worked well in the office environment did not always translate to successful controls in a remote working environment. Security that was on the network layer had to be implemented at the endpoint instead. Availability is a pillar of cybersecurity as well and many BCP plans had not accommodated for non-essential staff to work for the long term, which resulted in quite a rapid deployment of new tech.”
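The spoofed cloud portals Eyre describes work by proxying the victim's login into the legitimate site: whatever the user types on the lookalike page is relayed in real time, so a password (and a one-time code) is enough for the attacker. The example below is added for this article and is not code from Drawbridge or the interviewees. It contrasts that password relay with an origin-bound assertion in the style of WebAuthn, where the browser signs both the server's challenge and the origin of the page it is actually on, and the relying party rejects anything signed on a different origin. The origins, credential secret and password are constructed, and an HMAC over a shared secret stands in for the public-key signature a real FIDO2 authenticator would produce.

```python
"""Password relay vs. origin-bound assertion through a phishing proxy
(added example; HMAC stands in for the authenticator's signature).

What is kept from WebAuthn: clientDataJSON carries the challenge and the
page origin, the authenticator signs over SHA-256(clientDataJSON), and the
relying party checks origin and challenge before checking the signature.
"""
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://portal.example.com"                       # constructed
PHISH_ORIGIN = "https://portal-example.com.login-check.example"  # constructed lookalike
CREDENTIAL_SECRET = b"constructed-credential-secret"
PASSWORD = "Winter2021!"                                        # constructed


def _sign(secret, client_data):
    """Stand-in for the authenticator signature: HMAC over SHA-256(clientDataJSON)."""
    digest = hashlib.sha256(client_data.encode()).digest()
    return hmac.new(secret, digest, hashlib.sha256).hexdigest()


class RelyingParty:
    """The legitimate cloud portal."""

    def __init__(self, origin):
        self.origin = origin
        self.passwords = {}    # user -> password (the relayable scheme)
        self.credentials = {}  # user -> secret (stand-in for registered public key)
        self.pending = {}      # user -> outstanding challenge

    def register(self, user, password, credential_secret):
        self.passwords[user] = password
        self.credentials[user] = credential_secret

    def password_login(self, user, password):
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def start_assertion(self, user):
        challenge = os.urandom(16).hex()
        self.pending[user] = challenge
        return challenge

    def finish_assertion(self, user, client_data, signature):
        expected = self.pending.pop(user, None)  # single use: no replay
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return False  # signed on another site: relay/phishing proxy
        if expected is None or data.get("challenge") != expected:
            return False  # stale or replayed challenge
        return hmac.compare_digest(_sign(self.credentials[user], client_data), signature)


class Browser:
    """Signs any challenge it is handed, but always records the page origin."""

    def __init__(self, page_origin, credential_secret):
        self.page_origin = page_origin
        self.secret = credential_secret

    def sign_challenge(self, challenge):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": self.page_origin},
            sort_keys=True,
        )
        return client_data, _sign(self.secret, client_data)


def _portal():
    rp = RelyingParty(RP_ORIGIN)
    rp.register("alice", PASSWORD, CREDENTIAL_SECRET)
    return rp


def password_relay():
    """Victim types the password into the spoofed portal; proxy replays it. Returns True if the attacker gets in."""
    rp = _portal()
    captured = PASSWORD  # harvested by the phishing page
    return rp.password_login("alice", captured)


def assertion_relay():
    """Same proxy against an origin-bound login. Returns True if the attacker gets in."""
    rp = _portal()
    victim = Browser(PHISH_ORIGIN, CREDENTIAL_SECRET)
    challenge = rp.start_assertion("alice")            # proxy fetches the real challenge
    client_data, sig = victim.sign_challenge(challenge)  # victim signs on the phishing origin
    return rp.finish_assertion("alice", client_data, sig)


def legitimate_assertion():
    """The real user on the real origin. Returns True on success."""
    rp = _portal()
    user = Browser(RP_ORIGIN, CREDENTIAL_SECRET)
    challenge = rp.start_assertion("alice")
    client_data, sig = user.sign_challenge(challenge)
    return rp.finish_assertion("alice", client_data, sig)


if __name__ == "__main__":
    print("password relay lets attacker in:", password_relay())
    print("assertion relay lets attacker in:", assertion_relay())
    print("legitimate assertion succeeds:", legitimate_assertion())
```

The password relay succeeds and the assertion relay fails solely because the signed client data names the phishing origin, which is why origin-bound, phishing-resistant authentication is the technical control that addresses the credential-stealing portals Eyre saw, independent of whether the user spots the lookalike domain.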
Poor training for cybersecurity threats stems not only from bad management, but also from new employees’ inability to learn from more experienced workers. Following research conducted by Elephants Don’t Forget, Adrian Harvey, CEO of the company, said, “Peer-to-peer learning accounts for between 50-80 per cent of an employee’s in-role competency. So, if you are recruiting a new employee virtually, how long, if ever, will it take for them to achieve competency in the role? Tenured employees are not immune either, change is constant, and, in the past, peer-to-peer learning played a massive role in the up-skilling of the workforce with new practices, processes and knowledge.”
Whilst WFH certainly has its perks, cybersecurity must be a top priority to ensure that employees are not more vulnerable when handling data outside the office, and diligent, continuous training is the foundation of that effort.