As remote working has become the new normal for enterprises of all sizes there continue to be adjustments and pitfalls for both the MSP, and the workforce to navigate. Some companies have been working almost exclusively remotely for nearly a month now. And while some of the initial challenges have been met (establishing VPNs was a big one), others are emerging as we settle in for the long haul.
According to a flash survey of the CNBC Technology Executive Council conducted in March, 85 percent have at least half of their workforce working from home, and 25 percent of organizations are now entirely remote.
It would be challenging to establish a remote workforce even with months of preparation time, but the current COVID-19 crisis allowed for little preparation and that has cybersecurity experts concerned. MSPs that already have education as one of their most powerful tools will need continue to lean in on that to promote good “virtual home hygiene.”
Smarter MSP reached out to University of Toledo cybersecurity professor Ahmad Javaid about some of the work-from-home issues that are continuing to emerge.
Coronavirus-related phishing attempts are getting more sophisticated and targeted, he says. Research by Barracuda Networks shows a 667 percent increase in phishing attacks since the end of February, with a considerable percentage of this increase riding on the coattails of the coronavirus. The real problems, Javaid says, come when social engineering meets the coronavirus crisis.
“We are seeing a rise in specifically designed phishing attacks where attackers will pretend to be someone from your organization, these are more of a social engineering attack…they might try to pretend to be that person and ask for certain information,” Javaid says. Because so many people are working from home, and so many people are exchanging emails (instead of walking to the neighboring cubicle), Javaid says that MSPs must impress the need to have everyone verify every single email.
“People need to be very careful, even if just one email is missed from an attacker, that can really affect the business,” Javaid says.
MSPs need to make house calls
Another problem that is emerging is that personal devices are scrambling the security landscape.
“A lot of people are using their own devices at home to access organizational data,” Javaid says. These devices are often without enterprise-level security like firewalls, email security, and anti-virus. Another issue is that people often just use the manufacturer’s default passwords on off-the-shelf routers and modems.
There’s also, Javaid says, a general lack of awareness with most people that the security they enjoy at work isn’t necessarily applicable to a home network.
MSPs need to, at the very least, virtually visit each employee’s home network and make security upgrades.
“The best solution right now for small businesses is for the service provider to contact individual employees and set up a time to visit remotely and make sure all settings are in place and in install antiviral software.”
Javaid says. The “remote visits” can at least ensure bare minimum protocols in place while maintaining recommended social distancing. During these remote visits, Javaid says MSPs can check to make sure default passwords are changed, and that the Wi-Fi network has strong passwords and a medium-security level firewall.
“Most cable modems have a built-in, but not enacted, firewall at home. No one goes in and enables those firewalls,” Javaid says. MSPs should do that.
MSPs should also have employees do an “electronic inventory” of their home environment so that IoT devices can be “untangled” from work-related ones. And some security experts warn that “listening devices” like Amazon’s Echo should be disabled in sensitive work-from-home situations. If, for instance, HIPAA-protected medical data is being discussed, a listening device could, in theory, breach those protections.
Another emerging issue with the new remote workforce is that texting has become even more ubiquitous. An employee can receive a link from someone pretending to be someone inside the company.
Other fraudulent texts are alleging to come from the local health department or retailers offering “coronavirus specials.”
“Hackers are playing with that and trying to pretend to be from a service you are using,” Javaid says.
Can AI help the remote workforce?
Some MSPs have expressed an interest in using AI-assisted features to create a more secure home office environment. In theory, AI could look for unusual patterns, intrusions, or anomalies. But what works in the office network won’t necessarily fly in someone’s den.
“AI needs a lot of data to learn good and bad behavior, and the home environment isn’t as conducive to that,” Javaid says, adding that the small amount of data that one person produces at home is one of the biggest challenges to adapting AI to it.
AI is at the point where it can provide cost-effective enterprise security, and there are solutions available today that leverage AI to help businesses block threats by learning unique communication patterns and detecting personalized fraud in real-time to protect users against business email compromise and account takeover attacks.
Photo: Monkey Business Images / Shutterstock