Working Safely From Home - A Labour Day Special

OVERVIEW

Medical laboratories are not the only places where important experiments and trials are currently taking place. In many homes around the world, an experiment in telecommuting is happening on a massive scale. A survey by the Massachusetts Institute of Technology found that 34% of Americans who had previously worked from the office reported that they were telecommuting by early-April 2020 due to the pandemic.

Photo Credit: The New York Times

Similarly, the commencement of circuit breaker measures in Singapore on 7 April 2020 means that organisations and enterprises have also had to make arrangements that allow their employees to work from home in order to minimise the spread of COVID-19. With all non-essential businesses suspending operations at their workplaces, the increase in the proportion of the workforce working from home is exponential.

The transitional arrangements have often come at the expense of security and privacy. On 8 April, during an online geography lesson conducted on teleconferencing application Zoom as part of the Ministry of Education’s (MOE) Home-Based Learning (HBL) initiative, hackers hijacked the session, which was not password-protected. The hackers sent a class of secondary school students obscene pictures and lewd messages. This incident prompted MOE to suspend the use of Zoom for HBL, although they have since lifted the suspension after incorporating new security measures.

From the cybersecurity perspective, this shift to remote working opens up and widens attack surfaces at three levels:

At the Corporate Level

Many companies may be implementing remote work policies for the first time. Others may already have remote working arrangements in place, but never on such a large scale. The short lead-time to migrate the workforce to a telecommuting environment amidst a pandemic gave companies little time to stress test the infrastructure, devices and processes with holistic cybersecurity considerations.

At the Individual Level

Telecommuting may be a new concept to many employees as well. Many of them may be using virtual private networks (VPNs) and participating in teleconferences for the first time. They may not yet have internalised certain habits of cyber hygiene – the need to use strong passwords, encrypt sensitive documents and use multi-factor authentication.

At the Threat Actor Level

There are cyber threat actors that have targeted remote working tools for years, and are very good at what they do. Global mass adoption of telecommuting during this period has vastly increased cyber threat actors’ pool of potential targets. Besides exploiting vulnerabilities inherent in remote access tools such as VPN clients, they may attempt to phish for login credentials to achieve their objectives. 

Wherein the Danger?

Broadly, threat actors carry out malicious activities against telecommuters during the pandemic by exploiting vulnerabilities at two levels:

At the Infrastructure Level

Applications that facilitate telecommuting and remote collaboration have skyrocketed in popularity in the wake of the pandemic. However, these may contain vulnerabilities that malicious actors can exploit to sneak into password-protected meetings, or take over accounts to steal information.

Moreover, with the exponential increase in the proportion of the workforce working from home, the attack surface has expanded, especially when home networks are usually less secured than corporate networks. In other words, the pandemic has increased organisations’ exposure to hacking attempts through their employees who are working from home.

At the Human Level

Working from home or being away from a corporate environment may also result in occasional lapses in one’s security consciousness, which malicious actors can exploit. Individuals may exercise less discernment or caution than necessary when downloading telecommuting applications or VPN clients. With COVID-19 and related issues the relentless focus of daily news coverage, they may also be less vigilant with phishing emails and more likely to click on malicious attachments from seemingly credible sources or reveal sensitive information.

Under pressure to meet work targets amidst the challenges of working from home, people may show greater willingness to take on calculated security risks and trade-offs in order to get work done. A heightened cybersecurity risk appetite could increase the individual’s exposure to hacking attempts.

In view of these risks, companies and individuals may wish to refer to the advisories from SingCERT and CSA, which set out practical and pro-active measures for staying cyber-safe while telecommuting.

Cyber Threats To Telecommuting May Be Here To Stay

The number of telecommuters will probably not recede to pre-COVID-19 levels after this pandemic blows over. A study by the University of Chicago found that about one-third of jobs in the US could “plausibly be performed entirely at home”. Companies may find this period of telecommuting a positive experience and assess that it is a viable arrangement for their business operations. Moreover, telecommuting helps to lower overheads and widen profit margins, and so particularly helpful to companies trying to tide over the economic malady.

Telecommuting also may become an increasingly attractive alternative to working from the office. Market demand will spur technology firms to devise new platforms and solutions to address productivity pitfalls and lessons learnt from this telecommuting experiment amidst the pandemic. For these reasons, telecommuters will probably continue to constitute a significant pool of potential targets for cyber threat actors.