When an employee sends a work email to the wrong person, the consequences can be disastrous. But what causes people to make this kind of mistake?
Security Risks of Working from Home
Due mainly to the pandemic, people all around the world had to adapt to a new way of working. Remote work became the default in many industries, and the overall impact on productivity has been positive. But out-of-office work requires additional security measures.
All too many executives ignore this new vulnerability, continuing business as usual and leaving their business open to attacks.
What are the main security threats that come with working from home, and how can we best address the problem?
The New Normal
A decade ago, working from home was still a controversial option in most professions. There was a preconception that only unambitious workers wanted to work from home. Most people believed that it was impossible to maintain the same level of productivity and dedication when working outside of the office.
This changed rapidly during the 2010s. More and more employers realized that allowing employees to work from home (either full-time or part of the time) could be a good investment. The improvement in employees’ work-life balance led to increased productivity, and cutting down on the cost of maintaining offices was another upside.
The pandemic accelerated an existing trend. Any workplace that could switch to remote work was forced to do so by the public health situation.
Surveys have consistently found that productivity is on the rise - nearly 90% of people say that they’re "just as productive or more productive" compared to when they were working from the office. So we can put our worries about low productivity aside.
Instead, it’s better to focus on a genuine threat that comes with remote work: people working from home are more vulnerable to certain cybersecurity attacks.
Unfortunately, security concerns haven’t been widely addressed yet in most industries. Some executives still assume that working from home is a temporary measure, and it’s not that important to upgrade their security since things will go back to normal soon enough. Others keep their focus on other pandemic-related concerns and lose sight of the possibility of cyberattacks.
This is a massive mistake, and it can be a costly one. BEC scams are becoming more sophisticated and adapting to new circumstances. Companies lose millions of dollars due to a single moment of carelessness. Any business, big or small, can become a target.
How Does Working from Home Impact Security?
Let’s look at some of the ways that working from home may affect a company’s security posture.
1. It’s Harder to Verify Instructions
The most important thing to keep in mind about security attacks in 2021 is the social engineering aspect. The most lucrative attacks happening these days are BEC scams - attacks where an employee receives an email from someone who appears to be a legitimate in-company source. They’re asked to urgently transfer a large sum to a particular account. They comply immediately, and so they inadvertently send company funds to the scammers.
The best defense against BEC scams is to double-check every instruction that involves money transfers or confidential information. But employees won’t get legitimate confirmation over email, and live messaging options like Slack may be compromised too.
In an office setting, it’s simple to visit the office of the person who sent the request and ask if the email was legitimate. But when the email recipient is stuck at home, it’s harder for them to reach the possible sender. It can feel intimidating to call a higher-up out of the blue, and not every company has phone details freely available.
In fact, phone communication can also be targeted. According to the FBI, “as of December 2019, cyber criminals collaborated to target both US-based and international-based employees at large companies using social engineering techniques. The cyber criminals vished these employees through the use of VoIP platforms. Vishing attacks are voice phishing, which occurs during a phone call to users of VoIP platforms. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password.”
2. Employees May Neglect to Inform IT of Suspicious Emails and Other Threats
Workplace communication is slightly more complicated when everyone is working from home. Consequently, employees may be less likely to message IT when they notice any problems. They may feel like they’re blowing a problem out of proportion, inconveniencing their coworkers, etc. This means that email attacks can fly under the radar, causing considerable difficulties later down the line.
Another aspect to consider is the psychological one. As the threat of unemployment looms over the world, employees may be more reluctant to admit they made a mistake. For example, some people will try to hide or ignore the fact that they sent an email to the wrong address. This makes it hard to track data leakage and mitigate the damage.
3. Password Sharing Has Become Frequent
Another unexpected threat to a company’s security is the relatively new practice of coworkers sharing various workplace account details with each other. They do this to make collaboration easier and quicker (while in an office setting, they could simply call a coworker over to show them the problem they’re having).
While it may seem harmless, this practice leads to data leakage within the workplace. IT services struggle to monitor who has access to which information, and it becomes possible for careless or malicious employees to leak the information further.
4. Unsecured Devices and Connections Can Give Hackers “A Foot in the Door”
Only 17% of employees work from a device provided by their employer. This means that they access workplace accounts from devices that don’t necessarily have the best malware protection. They may infect their whole company (or business partners/clients/customers) because of malware that’s already on their device.
They might also use low-security apps, as they’re likelier to choose free software for their personal devices. It is much harder for IT teams to track the weak spots in a network if there’s no uniformity in which apps are being used.
It’s important to note that some employees use unsecured connections, which gives hackers easy access to their accounts. Re-using passwords is another risk factor - some people use the same password for their workplace accounts and some personal accounts, which is a massive security threat.
5. Good Habits May Fall by the Wayside - Data Leakage Often Happens Due to Carelessness
Let’s go back to the scenario where an employee sends an email to the wrong address. This can happen because they don’t double-check everything as carefully as they would in the office.
While remote work can make it easier to complete high-focus tasks, it also comes with numerous distractions. This can disrupt established routines. For example, an employee might get interrupted by some minor household emergency while they’re writing an email. This jolts them out of what they’re doing, and when they come back, they quickly send the message without making sure it is addressed to the right person.
The Best Way to Combat Remote Work Cybersecurity Threats
A quick checklist of ways employers can address security weak spots and protect their company from data leakage:
- Provide employees with secured devices.
- Make sure everyone is using company-mandated software.
- Teach employees how to recognize suspicious emails and websites.
- Implement a company-wide password policy that forbids password sharing or reusing passwords.
- Make sure every employee account uses 2-factor authentication and everyone changes their passwords regularly. Subscribing to services like 1Password or Bitwarden is a good idea as well.
- Monitor employees’ outgoing emails. With non-invasive solutions like the Preava Prevent app, it’s possible to stop accidental data leakage before it happens.
- Create a workplace culture that takes cybersecurity seriously.
- Encourage employees to come forward if they made a mistake or don’t understand a particular protocol.
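To make the outgoing-email item concrete, here is an added example (not part of the original article, and not how Preava Prevent or any other product works) of a pre-send check that holds a message when a recipient looks misaddressed. The domain list, the similarity threshold and the function names are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import getaddresses

# Constructed sample data: domains this (hypothetical) company normally mails.
KNOWN_DOMAINS = {"example.com", "partner-corp.example", "clientco.example"}
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off; tune against real mail flow


def closest_known(domain):
    """Return (known_domain, similarity) for the best match in KNOWN_DOMAINS."""
    scored = ((k, SequenceMatcher(None, domain, k).ratio()) for k in KNOWN_DOMAINS)
    return max(scored, key=lambda pair: pair[1])


def check_recipients(header_value, thread_domains):
    """Map each risky recipient address to a reason code.

    header_value   -- raw To/Cc header of the outgoing message
    thread_domains -- domains already taking part in this conversation
    """
    findings = {}
    for _name, addr in getaddresses([header_value]):
        if "@" not in addr:
            continue  # skip anything that did not parse as an address
        domain = addr.rsplit("@", 1)[1].lower()
        if domain in KNOWN_DOMAINS:
            # A familiar organisation, but not one seen on this thread so far:
            # the classic autocomplete slip.
            if domain not in thread_domains:
                findings[addr] = "new-to-thread"
            continue
        best, score = closest_known(domain)
        if score >= LOOKALIKE_THRESHOLD:
            findings[addr] = f"lookalike:{best}"  # probable typo of a known domain
        else:
            findings[addr] = "unknown-domain"
    return findings


if __name__ == "__main__":
    # Constructed sample header for a thread that has so far been internal only.
    to = ("Ana <ana@example.com>, bob@exmaple.com, "
          "carol@clientco.example, dave@random.example")
    for addr, reason in check_recipients(to, {"example.com"}).items():
        print(f"hold for confirmation: {addr} ({reason})")
```

A check like this only prompts the sender to confirm; it does not read message bodies, which keeps it on the non-invasive side of outbound monitoring.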
Don’t Stick Your Head in the Sand - Remote Work Is Inevitable
Some executives believe that the shift to remote work is temporary. Most notably, Goldman Sachs CEO David Solomon said that “for a business like ours, which is an innovative, collaborative apprenticeship culture, this is not ideal for us. And it’s not a new normal. It’s an aberration that we’re going to correct as soon as possible.”
But this isn’t the majority opinion at the moment.
Studies show that most US executives are all for the work from home revolution. 83% of employers agree that “work from home has been a success” and the consensus is that it increased innovation and dedication.
Let’s work with the assumption that remote work is the best option for now. With that in mind, it’s important to start looking for easy-to-implement solutions that will keep employees on the right track and decrease vulnerability to security threats.
Protect Your Professional Integrity with Outbound Email Security
At Preava, we aim to help growing and large enterprises alike combat data loss and leakage in email communications. Thus, our software, Preava Prevent, works with Gmail for Business to stop companies from sending emails to unintended recipients.