Guest Blogger: Contributed by Dr. Geoffrey Stoker, Assistant Professor of Management Information Systems and Dr. Uklu Clark, Professor of Management Information Systems at the UNCW Congdon School of Supply Chain, Business Analytics, and Information Systems (this post originally appeared on WilmingtonBiz.com on August 20, 2020).
There is a clever meme floating around the internet that goes something like this:
“Who led your company’s digital transformation?”
Before the SARS-CoV-2 virus, which causes the COVID-19 disease, arrived in the US, polls indicated that about 4% of US workers worked from home half-time or more. That number appears to have jumped to over 60% recently, with 82% of US office workers saying they want to continue regular remote working after the pandemic.
From a cybersecurity perspective, this 10- to 15-fold increase in remote workers has created many challenges, including:
- increased worker isolation from workplace situational awareness;
- far more personal devices being connected to business networks and used for work;
- greater use of virtual private network (VPN) software and devices.
All three of these challenges presage a coming uptick in cybersecurity incidents related to insider threats. Whether simply negligent or deliberately malicious, insiders cause a lot of damage, with an average cost of $450,000+ per incident according to the Ponemon Institute. With 62% of insider threat incidents attributed to negligence, an influx of new, inexperienced remote workers is going to exacerbate this problem.
The first challenge above plays directly into the devious innovations in business email compromise (BEC) and email account compromise (EAC) attacks seen since COVID-19. The distinction matters for defenders: in BEC the attacker spoofs or impersonates a sender, while in EAC the attacker sends from a legitimate account that has actually been taken over, so the message passes every sender check. The most recent FBI annual Internet Crime Report indicates that BEC/EAC continue to be major attack vectors against all businesses – small, medium, and large. Worldwide losses due to BEC/EAC totaled $26 billion from June 2016 – July 2019. Two common variants are the transfer of funds scam and payroll diversion.
With transfer of funds scams, malicious actors spoof (or compromise) the email of someone in authority and direct an employee to wire funds to an illegitimate account. Payroll diversion involves malicious actors, posing as legitimate employees, emailing human resources or the payroll department with requests to update direct deposit information.
Frequently, legitimate information is used as part of the ruse. For example, a Texas school district was building a new elementary school and an employee received an email with wire transfer instructions and a request for payment for the construction project. Unfortunately, the email was from a scammer posing as the construction company and the school lost nearly $2 million.
The current pandemic environment has resulted in “improvements” on these classic attacks. Scammers cite the COVID-19 disruption as a believable reason for a sudden need for urgency and/or last-minute changes that targets are more likely to believe and less likely to double-check. Other reasons proffered include changes justified as precautions and/or requirements following quarantine processes or changing bank information because of audits triggered due to large numbers of COVID-19 sicknesses and/or deaths.
With employees isolated at home, it is harder to get someone on the phone to verify the changes, and they cannot simply walk down the hallway to confirm the payment action. Staying on guard should include being skeptical of any change to financial-related information (bank accounts, routing numbers, wire instructions, direct deposit details); verifying any such change by calling a phone number, or writing to an email address, taken from an existing directory or prior correspondence, never one supplied in the request itself; and being alert to subtle spelling differences in domain names or email addresses, such as a swapped letter or a look-alike character.
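The two checks just described, a look-alike domain comparison against a directory of known vendor and employee domains and an out-of-band verification rule for any message that asks to change payment details, can be automated as a first-pass triage for an accounts-payable or payroll mailbox. The following Python is an added example and is not code from the original post or from its authors; the trusted domain list, the confusable-character table, the sample messages and the distance threshold are all constructed for illustration and would be replaced by an organization's own vendor master file and HR directory.

```python
"""Triage payment-change requests for look-alike sender domains (added example).

Assumptions (constructed for illustration, not from the original post):
- TRUSTED_DOMAINS stands in for the vendor master file / HR directory.
- A domain within two edits of a trusted domain, after folding common
  confusable characters, is treated as a look-alike.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed directory of domains this organization legitimately pays or employs.
TRUSTED_DOMAINS = {"example-construction.com", "example-isd.org"}

# Character substitutions commonly used to build look-alike domains.
# Multi-character entries are applied before single characters.
_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Phrases that indicate a request to change where money is sent.
_PAYMENT_CHANGE = re.compile(
    r"(wire (transfer|instructions)|routing number|account number|"
    r"direct deposit|bank(ing)? (details|information|account))",
    re.IGNORECASE,
)


def normalize(domain: str) -> str:
    """Lowercase a domain and fold confusable characters to their look-alike target."""
    d = domain.strip().lower().rstrip(".")
    for bad, good in sorted(_CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


@dataclass
class Verdict:
    domain: str
    status: str              # "trusted", "lookalike" or "unknown"
    closest: Optional[str]   # trusted domain being imitated, if any


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> Verdict:
    """Decide whether the sender domain is trusted, imitates a trusted domain, or is unknown."""
    dom = sender_domain(address)
    if dom in trusted:
        return Verdict(dom, "trusted", dom)
    norm = normalize(dom)
    best, best_d = None, None
    for t in trusted:
        d = levenshtein(norm, normalize(t))
        if best_d is None or d < best_d:
            best, best_d = t, d
    if best_d is not None and best_d <= max_distance:
        return Verdict(dom, "lookalike", best)
    return Verdict(dom, "unknown", None)


def triage(address: str, subject: str, body: str) -> str:
    """Return the handling instruction for one message."""
    verdict = classify(address)
    wants_change = bool(_PAYMENT_CHANGE.search(f"{subject} {body}"))
    if verdict.status == "lookalike":
        return f"REJECT: {verdict.domain} imitates {verdict.closest}; report to security"
    if wants_change:
        # Even a trusted domain can be an EAC (a taken-over account), so a
        # payment-detail change is always confirmed with a number on file.
        return "HOLD: payment-detail change; confirm by phone using the directory number on file"
    if verdict.status == "unknown":
        return "REVIEW: unrecognized sender domain"
    return "OK: routine handling"


if __name__ == "__main__":
    # Constructed sample messages, not real correspondence.
    samples = [
        ("AP Desk <billing@exarnple-construction.com>",
         "Updated wire instructions", "Please use the new account for the school project."),
        ("Jane Doe <jane@example-isd.org>",
         "Direct deposit", "Can you update my direct deposit before Friday?"),
        ("Jane Doe <jane@example-isd.org>", "Lunch?", "Friday at noon?"),
    ]
    for addr, subj, body in samples:
        print(f"{addr}: {triage(addr, subj, body)}")
```

The look-alike test runs on the normalized form of both sides, so "exarnple-construction.com" collapses to the trusted domain at distance zero, while a genuinely unrelated domain is reported as unknown rather than rejected. The HOLD branch is deliberately independent of the sender verdict: a payment change from a trusted domain is exactly what an EAC attack looks like, so the callback to a directory number is the control, not the domain check.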
The second challenge reflects the fact that many employees will be using devices not managed by an IT team and very likely to be unpatched and/or not upgraded with the latest software versions. They will also be sharing a home LAN with other devices in the same state (or worse), including desktops, laptops, tablets, gaming consoles, phones, networked printers, and home routers. In addition, other household members will be using these devices for personal needs. Without formal information security training it is highly likely that they will visit malicious sites or click links that install malicious software.
It is hard enough for most companies to run an effective vulnerability management program when only devices physically present at the company location are involved. It is a colossal challenge to get a handle on a company’s new attack surface when home-based employees are using (or sharing a LAN with) devices that are poorly maintained and only as well-secured as the individual using them knows how to (or cares to) secure them.
To get a sense of the problem scope, consider that a year ago it was reported that 32% of businesses still had Windows XP machines and 79% had Windows 7 machines somewhere in their infrastructure. The situation in homes is likely worse than in most businesses. Statcounter indicates that today about 20% of Windows desktops worldwide are running Windows 7. That means one in five Windows computers is using an unsupported operating system: Windows 7 reached end of support in January 2020 and no longer receives updates or patches from the vendor.
Confronting this challenge should include reviewing policies regarding what devices are permitted for use with business data; ramping up education of employees regarding potential threats to personal devices and how to mitigate them; and developing/implementing disaster recovery plans for when (not if) an employee’s device/account is compromised.
This brings us to the final challenge. When more people are remotely connecting to a company network there is, necessarily, less confidence in endpoint security. And, with more remote endpoints, more sensitive data is going to migrate outside of a company's IT purview, making it more readily available to be stolen.
If company devices are required, are they being connected frequently and long enough to receive critical patches and new security policies? If personal devices are permitted, the questions multiply:
- do they require a strong password for local account access;
- is there a local firewall and up-to-date anti-virus/malware protection;
- are "convenience" apps installed that are not part of the normal company software suite but that workers are using to process company data;
- are strong wireless protocols (WPA2 or WPA3, rather than WEP or an open network) used to connect to the home network;
- and are they already compromised?
Enumerating these questions is meant to highlight the security concerns for any data that resides on remote endpoints.
COVID-19 really did cause a disruptive digital transformation, and we all need to up our cybersecurity “game” to protect our businesses.