Battling Cyberthieves from Home
The number of closed sales for homes in the Duluth area hit a 15-year high this past summer, according to the Lake Superior Realtors Association. Fall temperatures didn’t cool demand: The median home sale price in October reached $210,000—an all-time high.
Extremely low interest rates certainly have been a factor in driving home sales. But an even bigger reason seems to be that people from the Twin Cities and elsewhere can now relocate to northern Minnesota without quitting their jobs.
That’s because some of their employers are making pandemic-driven work-from-home arrangements permanent. For companies, work from home (WFH) has meant greater employee productivity and lower overhead costs. For employees, it means that “home” can be just about anywhere they can access a strong broadband connection.
But there’s a risky downside to a remote workforce: Cybersecurity, already a big worry for companies of all sizes, has become even more of a headache.
“We’ve seen a real rash of security incidents as fallout from a migrating workforce,” says John Marinac, president and CTO of Compudyne, a Duluth-based IT services company with other offices in northern Minnesota, St. Paul, Michigan, and Colorado.
Because workspaces are dispersed, he says, “it’s easier for bad actors to get involved.” When employees use their own machines for work, that opens up even more vulnerabilities. “A), now you’re accessing things remotely that aren’t as secure as they should be,” Marinac says. “And B), you’re doing it from a device that is substantially less secure than [those in] the corporate environment.”
Remote employees shoulder a greater burden to keep company data safe than they would in an office. Company IT staff don’t only have to protect the network from cyberattacks; they also have to worry about what cybersecurity experts call “securing the endpoint”—safeguarding the devices their workers are using.
But there are measures companies can take, and one simple guideline employees at all levels should follow.
Blunting ransomware risk
“There are over 300 million digital messages sent daily, and around 55 percent of those messages are malicious,” says Michael Kennedy, CTO and COO of Ostra, a Minnetonka-based cybersecurity company he founded in 2018 after a decade and a half as an IT leader for UnitedHealth Group. “It’s an onslaught, and the bad guys are getting more and more sophisticated.”
Too many people with computers and digital devices haven’t kept pace with that sophistication. “A lot of the attacks we’re seeing are simple things like this: An employee is using his or her corporate email address and password on an e-commerce site, that site gets hacked, and the hacker thinks, ‘Lo and behold, let’s try logging into the corporate environment with the same email address and password, and wow, look at that, it works,’ ” Marinac says.
Though they’ve gotten somewhat less media attention, corporate network breaches that allow hackers to access data of customers and vendors remain a danger. During the pandemic, a new threat has company IT people on edge. Here, the direct target isn’t the company network. It’s the workforce.
Ransomware “is one of the biggest threats that’s out there,” says Todd Carpenter, co-owner of Adventium Labs, a Minneapolis-based firm that develops cybersecurity technologies (he also serves as the firm’s chief engineer). “It’s a great way for organized crime to quickly monetize attacks.” Once a piece of malware finds its way onto a computer, it encrypts everything, effectively locking you out of your own device. Then the user gets a message: Send us money, and we’ll give you the key to unlock your data. And if you refuse? “They can spray your information all over the internet,” Carpenter says.
Even if you pay, the attackers “can still leave their hooks in there,” he adds. “If you get this on your home computer, it might lie dormant waiting for a high-value target,” he says. “And as soon as you connect to the office, it will try to get into the corporate system. After all, you can make more money from a corporation than from an individual.”
The number of ransomware attacks has exploded in recent months. In October, researchers at American and Israeli cybersecurity firm Check Point reported that the number of daily ransomware attacks in the U.S. nearly doubled in the third quarter of 2020 from the second quarter. Check Point cited WFH vulnerabilities as one of the chief reasons.
IBM’s cybersecurity response team reported that the ransomware attacks in the second quarter of this year tripled from the first quarter, before WFH became established. The IBM team also noted that data-nappers, or cyberthieves, are increasing ransom demands from their victims’ companies, with some demands as high as $40 million.
Don’t try to reason with these guys, because most likely they’re not guys at all. One of the particularly unnerving aspects of today’s cybercrime is that the malware and emails are being created by highly programmed bots that can generate hundreds of attacks at once. “These are robots running on the computers,” Carpenter says. “It’s not a person behind that attack.”
What’s just as remarkable, and unnerving, is that even with their digital sophistication, these attackers are using strategies that have been around for years. They’re all too familiar to IT people. Phishing and spearphishing—emails from falsified “trusted” sources that contain links that unleash malware—are still the most common ways that ransomware infiltrates a computer.
“We’re not seeing anything new,” Compudyne’s Marinac says. “But they’re getting better at their attacks. Back in the day, you’d see [a phishing email] and say, ‘This is clearly a scam. It’s in broken English. It looks like something a first-year graphic design student would put together.’ ”
These days, scam artists “will go so far as to put the CEO’s photo on the email,” he adds. “They’ll register a Gmail account that has the same first and last names. Then they’ll send an email to the CFO saying, ‘Hey, I’m tied up in an important meeting. You have to wire money right now, I need it, no questions asked, get it done.’ ”
In September, the FBI announced that it was investigating a global business email compromise campaign that has netted cybercriminals at least $15 million in illicit proceeds. The attacks, which impersonate senior executives via Microsoft Office 365 email services, have hit more than 150 companies in numerous sectors, including law, retail, and construction.
“Those types of things—they work,” Marinac says. “And they’re easy. A third party could send out a hundred of those a day just by farming LinkedIn.”
When it comes to spearphishing, the bots are very good at it, Carpenter says. Company IT departments can filter out “a good chunk of the bad stuff” that comes through the email system. “But if you’re at home and you’re reading email and corporate information on the same machine, you’ve increased your vulnerability.”
Part of WFH vulnerability, Carpenter maintains, happens because “we’re getting tons of email, because instead of talking office to office, we’re now communicating online. We want to get the work done, and we’re overloaded. So it’s harder to spend time looking at all those email addresses and double-checking.” (Employees who have to care for children while working are all too familiar with being overwhelmed.)
In malware attacks, “the name of the game is to get you to click on something,” says Daren Klum, CEO and chairman of Secured2 Corp., a Minneapolis-based cybersecurity firm. “Someone can target an email to you that looks exactly like your email. You’ll click on a link to check your account. You’ll log into your account. And now they’ve got your username and password. A lot of these guys are so good that they’ll actually pass you on to your bank and it will log you in, because they automate it.” The victim often suspects nothing until it’s too late.
Cybercriminals, whether human or robot, also exploit the sharing mentality engendered by social media. “There’s so much private information about people available publicly that it’s very easy to draw these roadmaps between [executives] and sometimes even sprinkle in some personal data,” Marinac says.
“ ‘Hey, I’m out of town on a hunting trip.’ It’s easy to find out the guy is hunting because he has it posted all over his Facebook page.” These kinds of details can make a fake email “more personal and more targeted than the old Nigerian prince scam.”
Ostra’s Kennedy argues that many email-based hack attacks succeed because bad actors try to evoke an emotion so people will click on something. “We’ve seen an increase in the variety of those attacks,” he says. A new hire might be sent what appears to be an email from HR that provides a link to the company’s payroll schedule. During the federal Paycheck Protection Program application period, many businesses received emails promising to “expedite your PPP loan” by simply clicking on a handy link.
Every business is vulnerable
To protect their valuable data and block malware attacks, numerous companies have provided WFH employees with work-dedicated computers that can be linked to the corporate IT network via a virtual private network (VPN).
“This is your basic, fastest way to get at least a modicum of cybersecurity in place,” Adventium Labs’ Carpenter says. “Basically, it won’t talk to anything else outside of that company network. If you get to the internet, it goes through the company IT-managed network out to the rest of the world. It looks as though the employee’s laptop is on the company network.”
Carpenter acknowledges that many small businesses can’t afford to do that. But they also should keep in mind that they’re targets nonetheless. Cybercriminals are “hitting the small businesses because they generally don’t spend money on cybersecurity,” he adds. Infiltrating small businesses can provide crooks access to the networks of larger companies that are vendors and customers of smaller companies. And there have been instances where small businesses have had to fold because they couldn’t access their IT systems after a ransomware attack.
Even if employees can use company-provided laptops, “they’re susceptible to the same risks they would face if they were still working at the office—phishing attacks, clicking on malevolent links,” says Joe Payne, president and CEO of Minneapolis-based software company Code42, which specializes in cybersecurity solutions. Remote workers could still be exfiltrating data out of the company’s control, he says. According to Code42’s research, employees were involved in about two-thirds of the breaches in 2019—even though hackers, nation-states, and cybercriminal gangs get most of the attention.
This “insider risk” isn’t necessarily due to an employee’s bad intentions. One reason for data exfiltration, Payne says, is that “companies have opened up their information, and rightly so, so that their employees can work from home. We’re seeing more employees taking advantage of that by copying that information to their Dropbox account or mailing it to their own Gmail account or putting it on a thumb drive.”
In addition, Payne says, companies are trying to increase collaboration within their teams to get them to work together. Technologies such as OneDrive, Slack, and Box “let us all collaborate on documents, presentations, and all kinds of important information. It’s made our workforce much more productive.” However, he says, that same technology makes stealing data even easier. Many cybersecurity solutions, Payne says, are designed to block that kind of sharing, which can frustrate employees. In September, Code42 introduced Incydr, a software-as-a-service offering designed to protect company data across email as well as data-sharing collaboration platforms.
Twin Cities companies are offering other types of cybersecurity solutions. Secured2, for instance, incorporates its Shrink>Shred>Secure>Restore data security technology into a suite of remote or hybrid work solutions designed to protect company data over the wire or at rest in the cloud. And the company’s Secured2 Toolkit provides secure cloud storage, team collaboration, and data backup; it also includes a security API (application programming interface) that can be integrated into existing applications.
Ostra provides what founder Kennedy describes as multilayered managed security, which comprises email protection, antivirus software, VPN, firewalls, and cloud security. This multilayer approach has been available to the Fortune 100s, Kennedy says, but it hasn’t been easily scalable to a small or midsize business. Ostra offers this technology to smaller companies via a monthly “cybersecurity as a service” subscription.
These types of solutions and strategies can help protect company IT networks from attacks.
So can a Compudyne offering called SAT. The acronym stands for “security awareness training,” and it focuses solely on end-user education. “We run false phishing campaigns,” Compudyne’s Marinac says. “We then get metrics on how many people clicked on the link, how many people entered their credentials into the link.” The goal isn’t for employers to shame their employees, he says, but rather “to get a sense of what they’re falling for and to teach staff how to identify and avoid email phishing attacks.”