The millions of employees now working at home during the COVID-19 pandemic heighten the need for employers to remain vigilant and make sure they’re protecting their data from cyber threats.
A reminder of that need comes via a new report by the Traverse City-based Ponemon Institute and Minneapolis, Minn.-based nCipher Security LLC that again shows employee mistakes are the biggest vulnerability businesses have in cyber threats to sensitive or confidential data.
That vulnerability and risk grow with employees now working at home, especially “if you didn’t have a good setup in the first place, and if you had to very rapidly deploy a set of tools” to allow people to work remotely, said John Grimm, vice president of strategy and business development at nCipher Security.
“This creates another place for sensitive data to flow,” said Grimm, who cites as an example financial staff that are now working at home and accessing data remotely.
“What’s the strategy for that? There are a lot of potential exposures that can be created if you don’t have a good setup to apply the same level of security you had in the previous setup if you had to scramble to enable remote work,” he said. “The proliferation of sensitive data has really increased in the last few years with all of the mobile tools. This rapid enablement of remote work that a lot of people have had to go through recently is probably one of the things that’s causing a new set of potential exposures for sensitive data as it may be living now in additional places in order to enable remote work.”
The heightened need for employers to make sure they have the right cybersecurity tools in place for employees working from home comes as “everybody’s in a disrupted environment and a changed environment,” Grimm said, noting there’s a higher chance of phishing attacks succeeding as employees adjust to their new workstyle.
“I’ve heard a lot of people saying they think people’s guard can be down further than usual at a time like this because of the type of environment they’re working in,” he said. “Things are disrupted or hurried or rushed (which) can make you vulnerable.”
In the global survey by the Ponemon Institute and nCipher Security, 54 percent of respondents rated “employee mistakes” as the top “most salient threat” to sensitive and confidential data as the use of encryption has more than doubled in seven years, according to the report.
The survey from nCipher Security and the Ponemon Institute primarily focuses on trends in the use of encryption to protect data. The organizations also include questions that ask respondents to rank their top two threats annually.
System or process malfunction was the second-most salient threat respondents identified, followed by hackers.
Employee mistakes can often occur when “well-intentioned” people get fooled by a well-crafted phishing email, or misconfigure an application for cloud computing thinking they have turned on encryption or “a proper level of data protection and just by mistake or by lack of familiarity not getting that level of encryption or security turned on,” Grimm said.
Network administrators today need to manage numerous tools. The Ponemon Institute and nCipher Security survey shows companies on average have eight or more products that perform encryption, “so having enough people around with the expertise to manage all that, to apply consistent policy when you’re dealing with so many different products, is a very challenging thing, especially when resources are scarce,” Grimm said.
Grimm advises companies to use cybersecurity products that work both in the cloud and on their premises, creating less of a burden for I.T. teams. Companies also should identify their own data as well as clients’ data, “figuring out where it resides and applying your protections accordingly,” he said.
“A lot of it is about the fundamentals,” Grimm said.
Betting on distractions
Experts in cybersecurity have been warning about elevated threats as many employers affected by the state’s stay-home order have employees working remotely.
As employers and employees adjust to the COVID-19 pandemic and stay-at-home orders, scammers and sophisticated cyber thieves have been stepping up their assaults.
“Hackers are viewing this as an opportunity to get past I.T. departments that may be distracted by simply setting up teleworking capabilities and are less focused on defensive practices,” said Mark Maki, senior counsel at Miller, Canfield, Paddock & Stone PLC in Kalamazoo.
“The COVID pandemic has increased the number of cyberattacks worldwide, part of that being that these attackers have more time and part of that being the confusion and disruption created by tele-working. There are more opportunities to play upon the confusion and get through an employee’s natural defenses,” Maki said. “At work, they have a comfort level and a security level, and once you get home, everything’s disrupted. Now the best practices they use at work they might be slacking on when they’re at home.”
Those attacks that seek to exploit the crisis include phishing “clickbait” or social media posts that look like they were created by the U.S. Centers for Disease Control and Prevention or the World Health Organization “or other well-known organizations seeking donations or offering information,” according to Miller Canfield. Other attackers are using bogus websites that offer “free” coronavirus vaccines, treatments, or at-home test kits “for a modest shipping fee.”
There also are so-called “social engineering attacks” that use personal information obtained from social media postings to get someone to click on an attachment or link in a phishing email. Maki has heard of instances in which people receive an email that claims someone they know has COVID-19 or is seriously ill to get them to click on a link.
Michigan Attorney General Dana Nessel also has warned about “Zoombombing,” in which cyber attackers hijack virtual meetings held on the Zoom video conferencing platform.
Maki, who’s been working at home, said the pandemic heightens the need for employers to reinforce cybersecurity best practices to employees working remotely and for workers to “be extremely careful.” Employees working remotely are generally using their own laptop or device that may not have the same level of security as they’re accustomed to at work, he said.
“You’re relying on your employees’ best practices and that in many cases is not the same as the higher level of security implemented by businesses,” Maki said. “It is so easy to get hooked by one of these phishing or these social-engineering attacks against your employees that you have to emphasize the importance of having zero trust with anything that you see and making sure you verify.”