With the world discovering alternative ways to work without human contact, the work-from-home workforce has been getting a facelift. With companies getting most of their non-essential work completed at home, a Stanford study of 16,000 workers over 9 months found that working from home increased productivity by 13%, with 30% doing more work in less time and 24% doing more work in the same period. Another report says that in 2021, 70 percent of those who worked from home during the pandemic reported that virtual meetings are less stressful, and 64 percent now prefer hybrid meetings. This increase in performance and employee happiness was due to more calls per minute, attributed to a convenient working environment, and to working more minutes per shift because of fewer breaks and sick days.

Organizations have benefited as much as their employees, in their case through lower operational bills. With cuts in some of the major operating expenses like food, water, electricity, and maintenance, some percentage of the profit stays in the accounts of the office even though all operations continue. The time otherwise spent commuting through traffic is saved by the employee or employer, most likely to be used for a morning meditation or a quality evening with family. All in all, the situation is squeezing out some amount of “happiness” that was missing throughout the years of rush.

However, the transition from an intense work routine to a quiet and calm work-from-home setup, which was previously thought to take a few years to implement, happened virtually overnight. This brought to the surface some alarming cybersecurity risks and the fact that organizations and employees are not properly prepared for this type of threat. WHO reports a five-fold increase in cyber attacks since the start of the COVID-19 pandemic. According to the report, WHO has seen a dramatic increase in the number of cyber attacks directed at its staff, and in email scams targeting the public at large.

Like the global financial system, the Nepali economy, which was already not in a good place, has been spiraling down even more with the hit of the third wave of the COVID-19 pandemic. With more than 80,000 active cases, working from home has been more of a necessity than an order from the government. With this in mind, the national bank of Nepal, Nepal Rastra Bank (NRB), has adopted a ‘work from home policy.’ NRB has issued a notice directing the A, B, C, and D class banks and financial institutions to keep their employees safe and provide online services while working from home. Banking services have been affected as COVID-19 infections have started increasing in banks and financial institutions. Many banks have now issued circulars to keep their employees safe and have therefore decided to close various branches.

Risk to organizations

Taking a work computer home could open it to data loss or data theft. But that is one of the least worrying concerns employers have to think about. Here is a list of concerns that pose a great deal of risk to an organization that has not yet thought through a good solution before handling operations from remote locations:

  • Phishing scams – A phishing scam is where a user sees a link on the internet that looks useful but actually causes the computer to perform malicious activities once the user clicks on it; the name echoes the action involved in ‘fishing’. Any employee working remotely could be targeted via e-mail or messages with an attractive link that lures the user into clicking on it, at which point it downloads malicious software (say, a virus) that copies all the office data stored on that computer. It could get much worse if the scam spreads to other employees as an official email from the first victim. This time, people would readily provide any private information asked for by a ‘regular-looking’ colleague.
  • Ransomware threats – Ransomware is a malicious program that encrypts (locks) all the files (data, programs, even the operating system) without the user’s permission. It then asks for money through digital payments (even cryptocurrencies) to unlock the files. Ransomware could warn the user not to seek any IT or police help and demand the money within a time frame. An employee working remotely would not dare contact IT support from the office for fear of having done something very wrong.
  • Data theft – A user unaware of best practices for keeping data safe could fall victim to data theft or loss through events that are sometimes intentional and sometimes accidental. A phishing email could simply make the user click on a link that downloads malware that sends all the data to an adversary. Or the user could accidentally cause physical damage to the device while getting comfortable at home. With kids and pets involved, there is no guarantee that a laptop or tablet from work is completely safe.
  • System breakage – An adversary always tries to victimize the weakest link first and then make their way through. In a remote situation, non-technical employees are more likely to be targeted by cyber adversaries as a way into the office network. The adversaries could then move on to communicate with other devices across the office network and break down the entire system one device at a time.
  • Identity theft – The risk of being impersonated on the internet is much higher when someone with low to zero technical knowledge accidentally leaks the office’s private information to an adversary. It is even worse when an adversary gets into the office VPN (Virtual Private Network), FTP (File Transfer Protocol) or RTP (Real-time Transport Protocol), opening limitless possibilities for the adversary to impersonate office staff in communication inside and outside the office.

None of the above-mentioned risks is more important than the others, or more important to one employee than to another. The risk of being victimized is spread pretty much equally across all employees. Although employees are physically remote, official communication goes through a common office network (VPN, ROIP, etc), so getting hold of just one employee could make it much easier for attackers to get in.

Causes of Risk

The risk of an organization getting compromised in cyberspace generally boils down to one simple root – employee awareness. Awareness of the best practices for keeping computer devices and networks safe and secure, otherwise known as “Cyber Hygiene”, is the number one factor that could protect an entire organization from getting compromised in cyberspace. A lack of digital literacy and cyber hygiene makes an organization as vulnerable as its least aware employee.

Generally speaking, the factors that come up more often than others and cause big issues for an organization are:

  • Insecure remote communication
  • Use of old operating systems
  • Use of pirated software
  • Missing or outdated antivirus software
  • No backup policies
  • No monitoring systems
  • Lack of password hygiene
  • Lack of awareness of WiFi security at home
  • Unavailability of appropriate end-point security tools for remote work (antivirus, firewall, etc.)

Mitigation

Any organization with employees working from home must create a remote working policy to manage the risks. Organizations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. Although it shouldn’t be a concern during the lockdown, a remote working policy should also address the risks that come with employees handling sensitive information in public places.

A combination of the following measures should be implemented before and during periods when the employees of an organization cannot be physically present and must work, possibly on personal devices, at home or in public places:

  • Training programs
  • Use of VPN for remote access
  • Update of antivirus software
  • Mandatory backup of data
  • Use of password managers
  • Frequent changing of passwords
  • Multi-factor authentication
  • Locking devices with pins/passwords/patterns
  • WiFi security measures
    • BSSID hiding
    • WPS disabling
    • MAC binding

It is of utmost importance that the IT departments of organizations handling sensitive data check these measures. Since adversaries are looking for monetary gains through cyber attacks, the IT departments of banks and financial institutions (BFIs) should be on high alert regarding the issue. Any end-point device trying to connect to or access a BFI’s system must be completely secure before it can make any request for changes. Banks and financial institutions could opt for a third-party security service provider to take care of these issues and the overall risk management of their system.

Vairav Technology

Vairav Technology has been providing SOC (Security Operations Center) as a Service to Nepali and foreign organizations throughout the years. With a custom-engineered threat monitoring system, a security package installed into an organization’s system takes care of all the real and potential security issues that might come up at any time. An incident response team is on duty 24×7 at Vairav, working in real time to overcome any challenges, major or minor, that these organizations might face. With growing challenges in cybersecurity, Vairav has also been providing Risk Assessment tools to examine the readiness of any organization against all kinds of potential security issues. This includes Penetration Testing, Information System Audit, and Compliance Readiness Assessment. A follow-up from the Vairav team on these reports gives an organization clues regarding where it stands and where it is headed in terms of securing its clients and employees online.