Where Phishing Threatens and Computers Are Poorly Protected
by Mark Großer
What previously appeared unimaginable to a majority of companies – and even to many employees – turns out to be feasible after all during a crisis: working from home. The digital economy is apparently leading the way, which is no surprise: by its nature, this sector has the most jobs that lend themselves to remote working. It is completely understandable that, according to a survey by Bitkom in the middle of March 2020, almost 90 percent (89 percent) of the surveyed IT and telecommunications companies had recommended that their employees work from home. Almost two-thirds (64 percent) had even ordered this step.
Just a few days earlier, Bitkom had found in a representative survey of the general population that 49 percent were now working from home and that this was a completely new experience for 18 percent. Almost one-third (31 percent) had previously been able to work from home. However, 41 percent said that their job could not feasibly be performed at a home desk or kitchen table.
Phishing particularly dangerous
So much for the latest statistics on working from home. Another question that is at least as pressing: What about security? Whether hackers are really exploiting the current pandemic for targeted attacks, and whether the number of attacks has increased significantly, has not yet been confirmed – but there are signs that this is happening, such as the fake WHO appeal for donations.
Companies whose employees have had the option of working remotely for a long time are usually technically well prepared. Laptops, PCs, and tablets are probably protected from hackers, viruses, and worms as far as possible. But even a normal “bombardment” – continuous, automated campaigns, for instance – by cyber attackers is enough to endanger poorly secured computers. Phishing is currently an especially favored type of attack. This is an attempt by hackers to access sensitive data and passwords by sending emails that have been cleverly designed so as not to arouse suspicion. The line of attack may be through browsers in the network, email, USB ports, or local coupling to other devices that are “managed.” The result is that identities are hijacked, and this can be expensive when sensitive company data are obtained.
Exercise caution when using free tools
However, many of those now sitting in front of their private computers while working from home do not have professional protection installed, nor do they have encrypted remote access to company applications and shared resources. Their situation demands improvisation and pragmatism. The collaboration tools that workers are quick to deploy are very helpful and usually provide protection when corporate networks are well secured. But not everything that is quickly set up for use meets all the “usual” requirements for IT security and data protection. Asking probing questions about security becomes especially critical when solutions are provided free of charge.
In addition to the widespread solutions Microsoft Teams, Cisco WebEx, or ZOOM, “private” communication channels are also very popular; many messenger services and platforms such as XING or LinkedIn also offer chats. The rule when using them is the same: be cautious and look at them closely. If messengers are used for business, make sure they are encrypted. The employer should regulate approval for use, including the policies about contacts on cell phones used for business.
The risk that emails, or bots in direct digital contact with employees, will be exploited (“CEO Fraud” being the classic example) becomes greater under the conditions of remote working. Social engineering seeks to manipulate or instrumentalize people in the company to the advantage of external attackers; one common example is to fake situations with time pressure and instructions “from above.” Attackers find it easier to achieve their objectives if victims cannot check questionable activities in person at the office in “just a second,” or if the boss is not available at the moment for a confirmation by telephone. The classic case: an order to “transfer the amount right away to company X,” sent by email from the boss or even delivered using a deceptively real voice imitation on the phone.
Little encryption and VPNs
The IT Security Association Germany (TeleTrusT) conducted a nationwide survey at the end of March 2020 and asked users what IT security measures they had implemented. Around two-thirds of the respondents had password protection for their computers (65 percent) and Wi-Fi systems (63 percent) and had installed an antivirus program (61 percent). But only half (49 percent) had separate computers for personal and business use. The situation was even worse when asked about encrypted data transmission (38 percent) or VPN connections (37 percent). Yet the special risks in terms of data protection concern exactly this encryption, the secure connections to business software – even in the cloud – or access to documents requiring protection.
Even though categorizations for data protection vary from one company to the next, most documents can be classified in one of three protection categories: normal, high, very high. However, “normal” protection is required as soon as personal data such as address, year of birth, public registers, or telephone directories are involved. Data that provide information about the financial position of a person or a company demand a “high” level of protection. Such information includes leases, account balances, or figures from the finance division. And a “very high” need for protection corresponding to “Classified Information (VS) Confidential” is accorded to employees’ health data, tax data, or administrative data.
“Our employees are aware of all this, and employees working from home have no contact with such sensitive information,” might be the response. But what about the bookkeepers who now write bills or post received payments and expenses from home? What about the employees in human resources who process illness notifications or prepare pay slips? Or what about employees who develop strategies for mastering the current crisis, and the financial and other up-to-date information that goes with that work?
All of these people work with data and documents that are subject to protection requirements, some at a less, some at a more critical level. The same is true of video, desktop sharing, and voice calls using collaboration tools – all participants (perhaps even some no one thought about?) see and hear this information. This cannot be controlled completely – there is no choice but to rely on the appropriate conduct of everyone in the “remote” state.
Clear policies and sensitization
So what can companies implement in the short term to ensure that their employees working from home comply by and large with data protection regulations while using devices that their own IT department has not set up for remote use? First of all, sensitization to risks and the issue of policies are necessary; these two steps alone can reduce some of the risks involved in handling data and documents. Team leaders should give employees working from home clear instructions about the information they are allowed to process and how they are to proceed.
Some documents must remain exclusively in a secure environment inside company walls. If there is no technology to ensure their security, such data must not be processed by employees working from home. In plain terms: downloading the data, editing them on a laptop, perhaps sending them back via an unsecured email connection? Absolutely not. It is especially disastrous when the document is still stored on the computer, has perhaps been placed in the digital recycle bin, but has not been finally erased. And people should definitely avoid throwing printouts into a normal wastepaper basket and then emptying it in the recycled paper bin on the street – as a general principle, but especially for sensitive personal data. The same rules apply at home as in the office; information security extends to both digital and analog form, i.e., paper and oral comments. Special focus, however, is on the technical aspects for remote work and online collaboration.
Tunneled VPN connections
Secure remote access to a company’s network and applications is possible solely via an encrypted virtual private network (VPN). Such a VPN can also be set up remotely. Employees do not have to come to the office for this. Users setting up a point-to-point connection from a client to a VPN server in the company need the IP address of the VPN server and the login data for the VPN. The IT administrator can send both securely and guide even an untrained employee through the installation by phone.
IT administrators can also manage such VPN connections by specifying exactly who can access what applications and when and what permissions a specific user has – for example, read-only permission or write permission, too. By the way, a VPN tunnel provides secure access to corporate applications even if an employee logs in on a public Wi-Fi network such as in a café, at the airport, or on the train.
Zero trust model
A relatively new technology is the zero trust model, which is aimed in particular at protecting access during the use of cloud services. Applying the zero trust principle allows data exchange within and outside a company network that is completely compliant with the GDPR. Employees can use any device to access the requested application if they have the correct user login authorization. Centralized remote access is ideal for enterprise applications in a public cloud.
Even without a dedicated system environment, additional hardware, and VPN, zero trust can be implemented within a maximum of two days. Access and authentication are initiated by going to a landing page in the browser and using a single sign-on. In one respect, the procedure is even more secure than a VPN. Access does not require users to dial into the company network first and be directed from the network back to the external cloud. Zero trust architecture provides special protection against the unnoticed infiltration of malware or the unnoticed tapping of company data.
Secure data room
Even when working from home, employees usually remain part of a team and exchange data or access the same data. One way to store and use particularly confidential documents securely is to utilize secure data rooms. They can even be used safely for documents classified as “Secret.” A data room satisfies important risk management requirements and standard guidelines for handling confidential documents. Companies use such secure data rooms for the administration of supervisory board and management board communications, for example, or in the legal and finance departments as well as for cross-company collaboration on the internet. All members of a team, even those who do not have access to a company’s internal network, can collaborate and communicate with one another.
Logging in to these data rooms uses two-factor authentication with time-limited TANs sent by text message, encryption of the data on the server, and encrypted data transmission. The documents are also protected by encryption on the client computer. And every access to the data room, every access to the documents, and every change to the data is documented in an audit-proof and traceable manner.
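The login mechanism described above, time-limited single-use TANs plus an audit trail of every access, is easy to get subtly wrong (TANs stored in the clear, no expiry, unlimited guesses, a TAN accepted twice). The following Python sketch is an added example and not code from the article or from any data room product: it shows the server side of such a scheme with the properties a practitioner would check for. The five-minute validity window, the three-attempt limit, the six-digit TAN format and the `FakeClock` helper are assumptions made for this example; the article gives no such figures.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed policy values for this example; the article states no figures.
TAN_LIFETIME_SECONDS = 300   # a TAN is valid for five minutes after issue
MAX_ATTEMPTS = 3             # wrong guesses allowed before the TAN is voided


@dataclass
class PendingTan:
    salt: bytes
    tan_hash: bytes
    issued_at: float
    attempts: int = 0


def _hash_tan(tan: str, salt: bytes) -> bytes:
    # The server keeps only a salted hash, so a leaked table exposes no live TANs.
    return hashlib.sha256(salt + tan.encode("utf-8")).digest()


@dataclass
class DataRoomTanService:
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingTan] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _audit(self, event: str, user: str, **detail) -> None:
        # Append-only trail: who did what, when, and with which outcome.
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user, **detail})

    def issue(self, user: str) -> str:
        tan = f"{secrets.randbelow(10**6):06d}"      # six digits from a CSPRNG
        salt = secrets.token_bytes(16)
        self.pending[user] = PendingTan(salt, _hash_tan(tan, salt), self.clock())
        self._audit("tan_issued", user)              # the TAN itself is never logged
        return tan                                   # in production: sent by SMS

    def verify(self, user: str, tan: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            self._audit("tan_rejected", user, reason="none_pending")
            return False
        if self.clock() - entry.issued_at > TAN_LIFETIME_SECONDS:
            del self.pending[user]
            self._audit("tan_rejected", user, reason="expired")
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user]
            self._audit("tan_rejected", user, reason="too_many_attempts")
            return False
        # Constant-time digest comparison: no timing hint about how much matched.
        if hmac.compare_digest(_hash_tan(tan, entry.salt), entry.tan_hash):
            del self.pending[user]                   # single use: a replay must fail
            self._audit("tan_accepted", user)
            return True
        self._audit("tan_rejected", user, reason="mismatch", attempt=entry.attempts)
        return False

    def record_access(self, user: str, document: str, action: str) -> None:
        # Every read of or change to a document lands in the same trail.
        self._audit("document_" + action, user, document=document)


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting (test aid)."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    svc = DataRoomTanService(clock=clock)
    tan = svc.issue("alice")
    print("first use:", svc.verify("alice", tan))   # True
    print("replay:", svc.verify("alice", tan))      # False: TAN already consumed
    svc.record_access("alice", "board-minutes.pdf", "read")
    for entry in svc.audit_log:
        print(entry)
```

The three checks are ordered deliberately: expiry is evaluated before the attempt counter so that a stale TAN is voided without consuming a guess, and the pending entry is deleted on success so the same code cannot be replayed. Injecting the clock keeps the expiry path testable; a real deployment would use `time.time` and persist `pending` and `audit_log` in a store that the application cannot rewrite.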
Updates and patching
Even if speed is required to maintain business operations, the principle still applies: as close as possible to the standard, even for remote connections.
In other words, devices are updated by sending the most recent release of the security software through the VPN, and other software is regularly updated as well (patching). Should a problem occur, remote ad hoc intervention by a help desk should be possible.
And when the crisis has passed, companies without clear rules must as a minimum answer the following questions unambiguously:
- Is remote work regulated at all?
- If so, how is the connection to the company network or access to data supposed to be technically achieved, and what devices are allowed (BYOD yes or no, “shadow IT,” cloud solutions)?
- If so, how is the same level of security as for managed devices achieved, or are there risks that are accepted – but then consistently monitored?
- Have new policies been checked against possible regulatory requirements, i.e., has overall compliance been observed?
- Are any effects on the agreements with the employee representatives to be expected (e.g., in security monitoring)? If so, must these representatives be involved?