COVID-19 has led to an unprecedented number of organizations shifting to telecommuting or working remotely. This sudden surge of remote workers has left many companies scrambling to set up systems that can accommodate the influx of employees who now need to work from home. While working remotely is not a new concept, it certainly was not the norm before this pandemic emerged.
There are many different security concerns that are introduced with a telecommuting workforce. Information-technology departments must ensure that workers have access to the resources they need without compromising the security of the organizations they support. The considerations that immediately come to mind include multifactor authentication, virtual private networks and centrally controlled antivirus protection, all of which should be implemented. But once all those items are implemented, there is still a gaping security vulnerability that needs to be addressed. That vulnerability is people.
Most data and security breaches are the result of an initial instance of human error and not a technical exploit. Look at it from an attacker’s perspective: it requires far less effort to send out a bunch of fraudulent emails hoping somebody clicks the link than to spend a lifetime searching for a vulnerability in a firewall. Technical exploits can be patched, but you can never patch human error.
The single greatest human IT security vulnerability facing all industries is phishing. Phishing involves a malicious actor sending you an email that looks like it is from a trusted or known source. The email attempts to trick you into clicking a link, opening an attachment, or giving up some type of confidential information, which will lead to some sort of unwanted security breach or data exposure. A successful phishing breach could bring with it a snowball effect, first exposing the credentials of a business email account, which allows the attacker to then send out further phishing emails to all the user’s contacts from a valid business email address. This is what is known as a “business email compromise” attack.
How does this relate to the current telecommuting situation?
Many remote workers want to show that they are in fact being as productive as possible, often feeling the need to open and respond to emails faster than normal. Many attackers are crafting phishing emails specific to COVID-19 and other urgent topics targeting remote workers.
Because of the sophistication of these emails, the apparently trusted sender and the pressures of working remotely, the employee may quickly comply with the email’s directions. They may also fear that if they mistakenly mark a legitimate email as phishing, they will be viewed as incompetent and as having wasted the time of the IT security department. Unfortunately, these fears often lead to staff ignoring organizational email security policies. Most organizations have (or should have) a formal process for handling suspicious emails, and following these policies is always the recommended method for dealing with suspected phishing attacks.
Users in most organizations have not had proper training when it comes to spotting and responding to phishing. Organizations should make it very clear to staff what types of information and actions they will never ask for via email, including wire transfers and account credentials. Furthermore, organizations should immediately establish some sort of security awareness training and phishing simulation program. There are many organizations across the country that offer such services. You can give a dozen presentations on phishing and hand out a 20-page phishing policy booklet, but until employees receive hands-on training, they will not be prepared to identify a real attack when it arises.
Jesse Roberts is vice president of IT security at Compass IT Compliance LLC in North Providence.