Working from home may make sense to reduce your employee’s risk of contracting COVID-19. It does, however, make life more difficult for your security team. At the office, you have complete control over the network’s cybersecurity. At home, employees might inadvertently make mistakes that compromise that security.
The article was contributed by legaljobsite.net
In this post, we will look at the less obvious threats that lurk in the shadows and how to defend against them.
Charging Cables
Most employees understand the dangers of plugging in an unknown USB flash drive. Are they aware that fake lightning charging cables might also pose risks? The O.MG cable, released toward the end of last year, looks and works exactly like your standard iPhone charger.
It has got a lot of processing power, memory, a radio, and a web server built into it. In other words, it has everything that a hacker needs to hack any phone or computer it is plugged into.
It’s a concept that has been around for a while. Up until now, though, having the cables mass-produced was problematic. The original costs around $120, but we can expect to see cheap knock-offs on the market pretty soon.
The only real way to ensure that the lightning cable your employees use is legitimate is to open the cable. Hackers can enable or disable the software to avoid detection. It is safer for employees to stick to original cables bought from the manufacturers of their phones.
Supply Chain Attacks
At our office, we are frequently reminded not to upload any software from an unknown vendor. We are also told to check for updates for the software that we use regularly. Supply chain attacks are devious in their simplicity.
It is important to warn employees about malware being delivered through seemingly innocuous updates created by a trusted vendor. The Asus attack in 2018 saw hackers using a legitimate security certificate to sign the updates.
Again, these attacks are nothing new, but it is worth briefing employees during security awareness training. There was an uptake of these attacks in 2019. Most seemed to be highly targeted — while many computers were infected, hackers launched a second stage attack on selected computers.
Watch Out for Geotagging
Employees will inevitably use their work devices to post on social media. Blocking social media sites on company devices is helpful, but you must raise this in security awareness training, too. Geotagging is dangerous from a physical security perspective.
Your employee’s home security might not be as strict as yours. By posting geotagged photos of them working from home, for example, they are giving away their location. An enterprising hacker might opt to steal the computer from their home.
Naturally, you will have encrypted the data, but no encryption software is perfect.
Insecure Home Networks
You have taken steps to ensure that the office network connections are secure. Can you say the same for your employees? Where possible, employees should use a dedicated connection while working. This connection should not be used for anything else.
If that’s not practical, and employees must use their home networks, your department should:
- Use software to scan each employee’s home network for weaknesses.
- Assist employees in securing their routers and connection devices better.
- Ensure that the software on all devices is up to date.
- Help employees set up a private connection through their devices for when they need to work. You know the drill here. Use secure passwords, do not connect any other devices unless essential to work, turn off network discovery for the devices.
Phishing and Smishing
Six out of ten businesses experienced these kinds of attacks last year. The indications are that these attacks will increase in intensity going forward.
Employees know better than to click on a link in an email from an unknown source. You have taught them to verify known links in emails by navigating to the site address that they have on record.
All that training might go out the window, thanks to the panic the crisis creates. Will employees be as circumspect about emails and SMS purportedly coming from human resources detailing payment procedures?
Phishers and smishers are taking full advantage of the current panic. To better protect your company, it may be wise to send out some phishing and smishing tests. Are employees distracted? These tests will highlight areas to improve upon.
It could also help to set up a clear email structure so that employees can whitelist key personnel responsible for sending out messages. Any messages coming from outside this list should be treated with extra caution.
Further to this, it might be advisable to set up an internal system to verify messages. This could be in the form of a codeword or specific format that internal emails must take. Finally, it might be wise to set up a system of checks and balances when it comes to verifying financial instructions.
Similar principles can be applied to and agreed upon with key clients.
Final Notes
The idea of sending employees home to work can rightly fill the cybersecurity team with dread. A few simple precautions and reinforcing security awareness training will go a long way toward easing the risk.
Disclaimer
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.
