Executives are working from home but their cybersecurity practices are OOO, according to a survey from the research center Ponemon Institute and privacy-protection company BlackCloak that found that a large portion of C-suiters aren’t performing important protection practices while working remotely.
The lack of WFH safeguards—patch management, VPN usage, and two-factor authentication, to name a few—demonstrates weaknesses that attackers are especially happy to find given the value of their targets, who might be moving from the office to the couch.
“The issues of remote work and executives aren't an order of multitude; it's an order of magnitude,” said Lodrina Cherne, certified instructor for the SANS Institute in the digital forensics track.
In the May survey of 553 IT and IT security practitioners, 42% of respondents reported cyberattacks on key executives or their family members. Such cyberattacks against execs resulted in the theft of sensitive financial data, intellectual property, and company information.
And the consequences of a CEO-targeted attack can go beyond the executive.
“When you start talking about corporate attack surface, you start talking about shareholder confidence. This is where the idea of magnitude comes in, and all of the ripple effects,” said Cherne.
Other data points from the survey revealed a lack of remote readiness:
- “As security improves within organizations, cybercriminals are increasingly targeting individuals' private lives by attacking home networks and compromising unsecured devices with malware and ransomware,” read the report, citing tactics like doxxing, malware, infections, personal email attacks, and online impersonation.
- The report revealed a lack of visibility into personal devices (74% of respondents), executives’ personal email accounts (66%), the executives’ home networks to prevent cyberattacks (64%), and password hygiene (57%).
- Many steps to secure the home environment were affirmed by less than half of those surveyed. Of the respondents, 47% admitted to using a VPN application on every personal device; 45% noted two-factor authentication; and 51% said they used password managers.
Some remote-control tips
- To avoid falling for someone impersonating a remote CEO, switch to a different communications channel when sensitive information is being transferred—move from email to phone, perhaps, or from text message to an end-to-end encrypted channel like Signal, said Cherne, who also urged remote staff to confirm the identity of potential phishers with a few thoughtful questions:
  “What was it that we had for dinner at the holidays last year, you know? Is that the last time I saw you? So it could be something as simple as validating information that only the asker would know,” Cherne told IT Brew.
- For an IT staff, Sue Bergamo, CIO and CISO at the cybersecurity consultancy BTE Partners, is big on company-sponsored laptops. “Because I can control the antivirus software, that endpoint detection… I can also make sure that you have a VPN.”
- Jen Miller-Osborn, former director of threat intelligence for Unit 42 at Palo Alto Networks, and Tony Hughes, director of cyber security and technology risk consulting at ANSEC IA, recommend patching and configuring routers to segment networks and set login access rules.
“Your own home router is not owned by the corporation. It's effectively a bring your own device. You have to enforce some rules on to that,” said Hughes.
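As an added illustration of the segmentation and login-access rules Hughes and Miller-Osborn describe (this is not configuration from the article, from IT Brew, or from any vendor), here is an nftables ruleset for a Linux-based home router that keeps the work laptop on its own segment, isolated from family and IoT devices, and restricts the router's own admin interface to that segment. The interface names work0, iot0 and wan0 are assumptions, as is the choice of ports.

```nftables
# Added example ruleset for a Linux-based home router (not from the article).
# Assumed interfaces:
#   wan0  - upstream ISP link
#   work0 - segment holding the corporate laptop
#   iot0  - segment for TVs, cameras, smart speakers and family devices
table inet homeseg {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Router admin UI and SSH are reachable only from the work segment
        # (the "login access rules" the article mentions).
        iifname "work0" tcp dport { 22, 443 } accept
        # DHCP and DNS service for both segments.
        iifname { "work0", "iot0" } udp dport { 53, 67 } accept
        iifname { "work0", "iot0" } tcp dport 53 accept
        # Anything from the WAN aimed at the router itself hits the drop policy.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # IoT and family devices may reach the internet, nothing else.
        iifname "iot0" oifname "wan0" accept
        # The work segment may reach the internet; the corporate VPN rides on top.
        iifname "work0" oifname "wan0" accept
        # No traffic between the two segments in either direction; log the
        # attempts so a compromised TV or camera probing the laptop is visible.
        iifname "iot0" oifname "work0" log prefix "iot->work blocked: " drop
        iifname "work0" oifname "iot0" log prefix "work->iot blocked: " drop
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` on the router, then confirm from an IoT device that the work segment and the router's admin ports are unreachable while the internet still works; the logged drops in the forward chain are the first place to look when a home device starts misbehaving.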
A multitude of rules to fight a magnitude of trouble.