Medical laboratories are not the only places where important experiments and trials are currently taking place. In many homes around the world, an experiment in telecommuting is happening on a massive scale. A survey by the Massachusetts Institute of Technology found that 34% of Americans who had previously worked from the office reported that they were telecommuting by early-April 2020 due to the pandemic.
Photo Credit: The New York Times
Similarly, the commencement of circuit breaker measures in Singapore on 7 April 2020 means that organisations and enterprises have also had to make arrangements that allow their employees to work from home in order to minimise the spread of COVID-19. With all non-essential businesses suspending operations at their workplaces, the increase in the proportion of the workforce working from home is exponential.
The transitional arrangements have often come at the expense of security and privacy. On 8 April, during an online geography lesson conducted on teleconferencing application Zoom as part of the Ministry of Education’s (MOE) Home-Based Learning (HBL) initiative, hackers hijacked the session, which was not password-protected. The hackers sent a class of secondary school students obscene pictures and lewd messages. This incident prompted MOE to suspend the use of Zoom for HBL, although they have since lifted the suspension after incorporating new security measures.
From the cybersecurity perspective, this shift to remote working opens up and widens attack surfaces at three levels:
At the Corporate Level
Many companies may be implementing remote work policies for the first time. Others may already have remote working arrangements in place, but never on such a large scale. The short lead-time to migrate the workforce to a telecommuting environment amidst a pandemic gave companies little time to stress test the infrastructure, devices and processes with holistic cybersecurity considerations.
At the Individual Level
Telecommuting may be a new concept to many employees as well. Many of them may be using virtual private networks (VPNs) and participating in teleconferences for the first time. They may not yet have internalised certain habits of cyber hygiene – the need to use strong passwords, encrypt sensitive documents and use multi-factor authentication.
At the Threat Actor Level
There are cyber threat actors that have targeted remote working tools for years, and are very good at what they do. Global mass adoption of telecommuting during this period has vastly increased cyber threat actors’ pool of potential targets. Besides exploiting vulnerabilities inherent in remote access tools such as VPN clients, they may attempt to phish for login credentials to achieve their objectives.
Wherein the Danger?
Broadly, threat actors carry out malicious activities against telecommuters during the pandemic by exploiting vulnerabilities at two levels:
At the Infrastructure Level
Applications that facilitate telecommuting and remote collaboration have skyrocketed in popularity in the wake of the pandemic. However, these may contain vulnerabilities that malicious actors can exploit to sneak into password-protected meetings, or take over accounts to steal information.
Moreover, with the exponential increase in the proportion of the workforce working from home, the attack surface has expanded, especially when home networks are usually less secured than corporate networks. In other words, the pandemic has increased organisations’ exposure to hacking attempts through their employees who are working from home.
At the Human Level
Working from home or being away from a corporate environment may also result in occasional lapses in one’s security consciousness, which malicious actors can exploit. Individuals may exercise less discernment or caution than necessary when downloading telecommuting applications or VPN clients. With COVID-19 and related issues the relentless focus of daily news coverage, they may also be less vigilant with phishing emails and more likely to click on malicious attachments from seemingly credible sources or reveal sensitive information.
Under pressure to meet work targets amidst the challenges of working from home, people may show greater willingness to take on calculated security risks and trade-offs in order to get work done. A heightened cybersecurity risk appetite could increase the individual’s exposure to hacking attempts.
In view of these risks, companies and individuals may wish to refer to the advisories from SingCERT and CSA, which set out practical and pro-active measures for staying cyber-safe while telecommuting.
Cyber Threats To Telecommuting May Be Here To Stay
The number of telecommuters will probably not recede to pre-COVID-19 levels after this pandemic blows over. A study by the University of Chicago found that about one-third of jobs in the US could “plausibly be performed entirely at home”. Companies may find this period of telecommuting a positive experience and assess that it is a viable arrangement for their business operations. Moreover, telecommuting helps to lower overheads and widen profit margins, and so particularly helpful to companies trying to tide over the economic malady.
Telecommuting also may become an increasingly attractive alternative to working from the office. Market demand will spur technology firms to devise new platforms and solutions to address productivity pitfalls and lessons learnt from this telecommuting experiment amidst the pandemic. For these reasons, telecommuters will probably continue to constitute a significant pool of potential targets for cyber threat actors.
 Tips for Staying Cyber-Safe While Telecommuting (SingCERT) https://www.csa.gov.sg/singcert/advisories/ad-2020-001
; How to Stay Cyber Safe During the COVID-19 Situation (CSA) https://www.csa.gov.sg/news/news-articles/covid-19-cyber-tips
 Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (FBI) https://www.ic3.gov/media/2020/200401.aspx
 Singapore schools to resume use of Zoom for home-based learning with additional safeguards in place (Straits Times) https://www.straitstimes.com/singapore/education/schools-to-resume-use-of-zoom-for-home-based-learning-with-additional-safeguards
 How Many Jobs Can Be Done At Home? (University of Chicago) https://www.nber.org/papers/w26948.pdf
 COVID-19 and Remote Work: An Early Look at US Data (Massachusetts Institute of Technology) https://john-joseph-horton.com/papers/remote_work.pdf
 Remote Threats to Remote Employees: How Working From Home Increases the Attack Surface (RecordedFuture) https://www.recordedfuture.com/remote-attack-surface/
 COVID-19 Drives Rush to Remote Work. Is Your Security Team Ready? https://www.darkreading.com/operations/covid-19-drives-rush-to-remote-work-is-your-security-team-ready/d/d-id/1337294
 Attack Surface, Vulnerabilities Increase as Orgs Respond to COVID-19 Crisis https://www.darkreading.com/vulnerabilities---threats/attack-surface-vulnerabilities-increase-as-orgs-respond-to-covid-19-crisis/d/d-id/1337369
 VPNs: Not a cybersecurity slam dunk for telecommuters in the age of COVID-19 https://www.scmagazine.com/home/security-news/news-archive/coronavirus/vpns-not-a-cybersecurity-slam-dunk-for-telecommuters-in-the-age-of-covid-19/
 Phishing scams, spam spike as hackers use coronavirus to prey on remote workers, stressed IT systems https://www.cnbc.com/2020/03/20/phishing-spam-spike-as-hackers-use-coronavirus-to-hit-remote-work.html