Charity employees working from home are a tempting target for hackers. We highlight some of the sophisticated new techniques that hackers are using, and the cyber security measures that can help keep them out.
The millions of people working at home because of the COVID-19 pandemic present a potential bonanza for hackers. That’s because home workers’ cyber security measures are usually less effective than the cyber security systems running in the offices of the charities and businesses they work for.
Back in March, when people started home working in large numbers with little or no prior warning, hackers were quick to exploit any obvious cyber security weaknesses that they could find.
Fortunately most charities have now had the time to introduce cyber security measures designed to better protect staff who are working from home, including ensuring that all computers are running good endpoint protection software from a reputable vendor such as Avast, Bitdefender, or Norton. Most staff working at home now also understand the importance of securely backing up any charity data stored on their home computer.
But hackers never give up. Home workers now face a new generation of cyber security threats that have been designed specifically to target them while they work away from their offices. These threats aim to sidestep the standard cyber security measures that many home workers now have in place, which means that it's necessary to take some extra steps to thwart them.
Phishing attacks, where hackers use misleading emails or fake web sites to trick people into clicking on malicious links or downloading malware onto their computers, have long been one of the most dangerous types of cyber attacks.
Hackers are now seeking to exploit people’s desire for information about COVID-19 while they work at home by setting up fake advice websites and sending out emails purporting to contain important information. Security firm Barracuda Networks reports a 667% increase in phishing emails claiming to offer ways to protect against Coronavirus, designed to trick people into opening messages containing malware that can infect the user’s computer.
The best way to protect against phishing attacks is to be aware of the risks. That means that staff should be educated and reminded never to click on links in emails that they are not expecting, and never to download software from websites that they reach via a link in an email – especially if they purport to contain information about COVID-19. Products like PhishMe can also help prevent phishing attacks by sending staff harmless simulated phishing emails, so that they learn to recognise the real ones.
Since phishing attacks often result in user names and passwords being compromised, another line of defence is to ensure that when charity staff log on to office computer systems or cloud services from home they use two factor authentication (2FA). This usually involves receiving a text message with a one-time code which needs to be supplied in addition to a password when logging on.
Many charities and other organisations with a high proportion of staff working from home use applications running in the cloud, and also use the cloud as a collaboration space where documents, spreadsheets and all kinds of data can easily be stored and shared.
The security of most cloud services is generally very high, because most cloud cyber security measures are the responsibility of the cloud service provider who ensures that any security weaknesses are fixed and software is updated automatically on behalf of all its customers. But some of the responsibility for the cyber security of cloud services lies with customers, who need to ensure that they keep their passwords secure, configure their storage correctly, and access the cloud services over secure networks from malware-free computers.
Hackers understand that there are rich pickings to be had in the cloud, which explains a newly emerging type of threat: cloudjacking. This involves exploiting any weaknesses in cloud services, and in the ways that home workers connect to them, in order to get access to the documents, customer information and other data that may be stored there.
The simplest way for hackers to pull off cloudjacking attacks is to exploit misconfigurations. A common example is when someone uses cloud storage to share documents with colleagues but mistakenly configures the storage so that anyone can view it. Earlier this month researchers from CyberNews announced the discovery of a database stored on Amazon’s cloud service containing 350 million email addresses which was publicly accessible.
Hackers can also use phishing attacks to steal passwords, allowing them to access cloud services with stolen login details. More sophisticated attacks involve hackers tricking home workers into downloading modified versions of the client software used to access some cloud services. The modified software allows the hackers to steal login details as well as any data stored in the cloud service.
Charities and other organizations using cloud storage should check the configuration of their storage regularly, and use a service such as Amazon Macie to identify sensitive data such as credit card numbers or client details and ensure that it is encrypted or suitably protected in some other manner.
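As an added illustration of the kind of configuration check described above (this is not code from the article or from any cloud vendor), the following Python flags the two ways an Amazon S3 bucket is most often left open to everyone: a bucket-policy statement whose principal is "*", and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy, grants, bucket name and account ID are constructed samples, not real values.

```python
import json

# Constructed sample policy and ACL (not from any real account): a document
# bucket whose first statement mistakenly grants read access to everyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::charity-docs/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/Staff"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::charity-docs/*"},
    ],
})
PUBLIC_GROUPS = {  # ACL grants to these group URIs make data public
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

def _is_wildcard_principal(principal):
    """True if the statement applies to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy_json):
    """Return Allow statements an anonymous caller could use. Statements with a
    Condition block are still reported (marked conditional) for human review."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        findings.append({"actions": actions if isinstance(actions, list) else [actions],
                         "resource": st.get("Resource"),
                         "conditional": "Condition" in st})
    return findings

def public_acl_grants(grants):
    """Return permissions granted to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]
```

In practice the two inputs would be fetched from the provider's API (for S3, the boto3 client's get_bucket_policy and get_bucket_acl calls) and the check run on a schedule; the stronger fix is to keep the account-level Block Public Access setting switched on so that such grants cannot take effect in the first place.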
All home workers using cloud services should also use two factor authentication to log in to these services, along with a strong, unique and hard-to-guess password. Ideally, home workers should use a dedicated computer which is not used by other members of the household to access cloud services, to help minimise the risk that the computer is infected with malware. Where available, home workers should also turn on account alerts so that they are notified if an attempt is made to access their account from a new device or location. If they suspect a hacker at work they should change the account password immediately.
Charities can also make use of services from companies like Skurio to monitor the Dark Web to check that their data is not being offered for sale by cyber criminals. If it is for sale on the Dark Web then this is an indication that a cyber security breach has occurred, and advice should then be taken on removing the data, informing users, and investigating the breach to ensure that it cannot happen again.
Charity staff working from home probably do a very high proportion of their work on a laptop or desktop computer, which should be running endpoint protection software and other cyber security measures such as a firewall.
But smartphones are now personal computers in their own right, so it is inevitable that many charity staff choose to access and reply to emails, open Word and Excel files and even access cloud-based applications such as constituent relationship management (CRM) on their phones from time to time.
Working on smartphones is not in itself a new development, but what is new is the large number of home workers who may not be aware of the security risks of using a smartphone for work purposes, or the cyber security measures that they should be taking.
Hackers are beginning to exploit this in a number of ways, most significantly with malware designed to infect smartphones and enable the hackers to access data stored on them, and accounts that the devices can access.
"As more and more critical and sensitive tasks are performed on smartphones, it is only a matter of time before mobile malware emerges as one of the most prominent cybersecurity concerns."
- John Emmitt, Director of systems management company Kaseya.
Basic mobile device cyber security measures include ensuring that a smartphone can only be accessed after entering a PIN or biometric (such as fingerprint or face scan), and that a system such as Apple’s Find My or Google’s Find My Device is running so that a lost or stolen phone can be locked or the contents deleted remotely.
Smartphones should also have antivirus software such as Norton Mobile Security, Avast Mobile Security, or Bitdefender Mobile Security installed to protect against malicious websites and malware (such as password-stealing key loggers) concealed in email attachments.
For charities with more than a handful of staff working at home, it can also be a good idea to use a cloud-based mobile device management (MDM) application such as ManageEngine, IBM MaaS360 or Microsoft Intune to ensure the security of employees’ smartphones. An MDM allows the charity to configure staff smartphones with appropriate security measures, check that a smartphone has not been jailbroken (because this compromises security), and impose restrictions such as preventing staff from downloading apps such as games from untrusted sources (because such apps may contain malware).
For charity staff working from home in areas where ADSL or fibre broadband services are not available, a common way to get a high-speed internet connection is to use a router which connects to a 4G or 5G mobile network.
One possible cause for concern here is that many of the most popular routers supplied by mobile networks or for sale on sites like Amazon are made by Huawei – a Chinese company which many intelligence agencies believe collects data for its government.
Another concern surrounds the use of 5G connectivity, for the simple reason that the technology is relatively new and unproven. That means that there will inevitably be vulnerabilities in the technology and in the firmware of 5G routers, and hackers will undoubtedly be working to discover and exploit them.
Charity staff should avoid using 5G routers until the technology is more mature and its security is proven. Charities concerned about Huawei should encourage staff to use 4G routers from trusted manufacturers such as TP-Link.
Artificial intelligence (AI) technology is advancing at a very high rate, and one area that hackers are likely to use this in the future is in the production of "deepfake" voices which mimic the voice of a real person.
Using deepfake voice technology, hackers could reproduce the voice of a charity leader, and then call a charity employee working from home. Using the deepfake voice the hacker could then tell the employee to transfer money to a bank account using some plausible pretext.
This is a new twist on a scam where the hacker impersonates a charity leader in an email, and the same security precautions should be taken: instruct home workers to check any unusual payment requests with another charity leader, preferably by phone, to confirm the payment request. Charities should also establish a documented internal process for requesting payments, and any request made outside this process should automatically be queried.