The pandemic opened up opportunities through remote work and digital collaboration tools, and those tools look to be the future. Experts say the transformation arrived a decade ahead of its expected time, with digital solutions rolled out quickly – for better or worse.
“We’ve been forced to learn to use these features quickly,” says Blair Toblan, Director of Advanced Solutions at SysGen Solutions Group. “Even when people return to the office, we’ll continue to see them heavily leveraged. The Genie is not going back in the bottle as far as using these services, but we also learn there can be some pitfalls to this rapid adoption.”
Rapid is the key word. As businesses scrambled to remain operational, transitioning quickly to remote capabilities, security often fell by the wayside. “This accelerated remote work infrastructure setup that prioritized speed inadvertently led to a lot of breaches in 2020 and early 2021,” says Vivek Gupta, National Cybersecurity and Digital Forensics Partner with BDO Canada.
The use of home networks and the shift to remote work have made cyberthreats a top-five business risk. The confidentiality, integrity and availability of key business data and information systems have become increasingly vulnerable. “We’ve seen an increasing threat environment with more people actively trying to take advantage of insecurities or poorly deployed services,” says Toblan.
How should organizations secure devices and settle questions of data ownership today? The question is urgent because, Gupta warns, “If you’re allowing employees to work from home using their personal machines without implementing appropriate security measures, you are waiting for a disaster to happen.”
Organizations pondering this dilemma likely lack appropriate protection. For instance, “What level of access is provided on the device? When people log into the work network and other resources on their personal device, are they able to save data on that local machine?” asks Gupta. “Because if they are, there’s an issue of data leakage. Your proprietary data, customer data and other personally identifiable information (PII) are all now potentially outside the bounds of what you can protect.”
The risk to the business is not typically caused intentionally by the employee. “The massive increase in people doing things online has led to an increase in potential targets and people taking advantage of that,” says Toblan. “When modern security mechanisms present a barrier to hackers, they target the user. It’s generally easier than hacking a firewall.”
With these common phishing tactics, hackers impersonate a legitimate representative – the CEO, HR or a payment processor – to gain access to information, compel an employee to click on a link or persuade them to share credentials. “In doing this, they effectively bypass all the technology controls and prey on the individual,” says Toblan.
Once a user’s account has been compromised, the hacker is connected to the company’s entire email system and recognized as a legitimate user. “Now, they can download the address book and all the historical mail of the user whose device has been compromised,” says Toblan. “They can then use that to build extremely sophisticated targeted email attacks against other users in the company.”
Fortunately, there are many controls and solutions out there. “If an organization is prepared and has the right controls up front, recovery can happen much faster and limit the damage otherwise caused,” says Gupta.
An ounce of prevention
The level and types of cybersecurity measures an organization needs are unique to each business. The first step is to thoroughly consider which key assets require protection: which data, if lost and not recovered, would render the business inoperable, along with regulatory requirements and proprietary information. “If proprietary information were to be lost or stolen, it’s likely your business will be on its knees as competition comes to market and you’ve lost your edge,” says Gupta.
Next, consider where these valuable assets are located. Are they on a server, in the cloud or accessible through a third-party system? Who can modify them, and who are they shared with? “Once you understand this, placing effective controls becomes much easier,” says Gupta.
One of the strongest risk management controls used today is multi-factor authentication (MFA), which gives stronger assurance that users are who they claim to be. Toblan says it’s not uncommon for a persistent hacker to keep guessing for months until they break a password, even if the account is locked after a set number of guesses. MFA counters this activity by requiring confirmations from more than one of three categories: something you know, like a password or code; something you have, say a key or card; and something you are, such as a fingerprint or retinal scan. An early example is the bank card, which combines something you have, your card, with something you know, your PIN. A more recent example is the code the CRA texts to a user’s smartphone to allow a log-in.
“MFA is one of the big things we encourage all our clients to use,” says Toblan. “Making sure people are who they say they are is one of the strongest technical defenses you can have over people trying to break in now that everything is accessible from everywhere. It’s become a cornerstone of modern security.”
Most major business platforms have an MFA feature included as a no-cost option. Setup can be somewhat complex, but the biggest challenge often lies in training people and overcoming their reluctance to install security applications on their personal devices.
The people piece of the protection equation can be the most challenging, but it can also make the most impact. “We can make people aware of threatening fraudulent activity and communications, as well as provide training and testing materials to identify where remedial training can help,” says Toblan.
One of the most important steps is to mandate a policy around the use of personal devices for work. The policy may require that workers install the company’s antivirus or device management software, grant the organization’s internal IT team administrative access to the device, and prohibit company information from being saved locally on the device. “In the event a device is stolen or lost, it can be remotely wiped to prevent data leakage,” says Gupta.
Policy should also make clear which corporate resources employees should and should not access remotely, and from where they may and may not access them. “If I’m suddenly trying to log in from Guadalajara or the nearest cyber café, security controls can prohibit me from logging in, or layer on additional controls,” says Toblan.
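As an added illustration of the MFA factors and the location-aware login policy described above (example code written for this article, not from SysGen, BDO or any product), the following shows a login decision that combines a password (something you know), an RFC 6238 time-based one-time code from an authenticator app (something you have, chosen here instead of a texted code), an account lockout, and a policy that steps up controls for an unfamiliar country or an unmanaged device. The trusted-country set, the lockout threshold and the sample account are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed policy values (assumptions, not from the article).
TRUSTED_COUNTRIES = {"CA"}     # ISO country codes the business normally works from
MAX_FAILED_PASSWORDS = 5       # lock the account after this many bad passwords
TOTP_STEP = 30                 # seconds per one-time code


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * TOTP_STEP), code)
               for i in range(-window, window + 1))


def decide(attempt: dict, account: dict, now: int) -> str:
    """Return 'deny', 'step_up' or 'allow' for one login attempt.

    attempt: password_ok, totp_code, country, managed_device
    account: failed_passwords (mutated here), totp_secret
    """
    # Lockout slows password guessing but, as the article notes, does not end it.
    if account["failed_passwords"] >= MAX_FAILED_PASSWORDS:
        return "deny"
    if not attempt["password_ok"]:
        account["failed_passwords"] += 1
        return "deny"
    # Something you know passed; a guessed password alone is still not enough.
    if not verify_totp(account["totp_secret"], attempt.get("totp_code", ""), now):
        return "deny"
    account["failed_passwords"] = 0
    # Policy: an unusual location or a personal, unmanaged device gets extra controls
    # (for example a restricted view or an extra approval) rather than a plain allow.
    if attempt["country"] not in TRUSTED_COUNTRIES or not attempt["managed_device"]:
        return "step_up"
    return "allow"
```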
Here’s another common faux pas. In the early days of the pandemic, Gupta was at home on a work conference call when his Google Home Assistant began participating in his group conversation. “These digital assistants do listen and can store data. In many cases, that’s against privacy regulations,” says Gupta. “These devices are not difficult for hackers to break into. When working from home, be sure to disable them.”
Worth a pound of the cure
If people think consulting with an IT expert to create a customized cybersecurity strategy is too expensive, imagine reaching out for help when it’s too late. In the IT world, the common adage is, “it’s not ‘if’ you’ll be breached; it’s ‘when’.” “We’ve seen people send in excess of $50,000 to fraudulent and non-existent company accounts that are promptly cleaned out and shut down before law enforcement could take action,” says Toblan.
The cost of cybersecurity rises, however, when it is done poorly or not implemented at all.
“Chances are you’ve already been breached and don’t even know it yet,” says Gupta. “Research shows it takes four to six months for an organization to realize they’ve been hacked or had unauthorized access within their systems. If you do end up with a breach, you’re going to end up paying a lot more money to recover your data and potentially paying ransom if you didn’t have any backups. The cost of protection and recovery becomes much more expensive at that point.”
A good consultation can bring awareness around the concerns, the data that might attract a hacker, the controls needed to identify a breach and the best protective solution to put in place that meets a business’ budget.
“When planning up-front preventative care, you don’t have to buy a Ferrari where a Honda Civic will do,” says Gupta.