Whatever way you look at it, the move to remote and hybrid working has not been good for corporate cybersecurity. But the most dangerous threats from shifting workplace locations are not necessarily the most obvious ones.
In a recent webinar, GroupSense CEO Kurtis Minder and DeleteMe CEO Rob Shavell spoke about the surprising operational security challenges facing remote and hybrid organizations. Here are five essential takeaways from the webinar. If your company has switched to fully remote or hybrid work, understanding them is crucial for maintaining operational security.
Remote Work Highlights Human Attack Vectors
According to Verizon’s 2022 Data Breach Investigations Report, the “human element” was present in 82% of the breaches it analyzed.
Whether through mistake or malice, humans have always been the biggest enablers of network breaches. The rise of working from anywhere has amplified that risk further: employees now have many more opportunities to inadvertently let threat actors into corporate networks.
As a Result, Professional OPSEC Is Becoming More Important
Operational Security, or OPSEC for short, is a process designed to stop sensitive information from ending up in the wrong hands. There are three important categories of OPSEC:
- Cyber OPSEC. This involves IT/security teams denying critical information to potential adversaries by performing actions like encrypting drives, implementing zero trust, etc.
- Personal digital OPSEC. This refers to how employees behave online as individuals, i.e., do they overshare on social media or post selfies that could put them and their organizations at risk?
- Professional OPSEC. This refers to employees safeguarding their company’s data in every possible way and scenario.
With the explosion of remote work, professional OPSEC has become critical. However, many companies haven’t yet recognized how remote working has removed the old guardrails, or how risky their employees’ behavior outside the traditional office can be.
Employees Still Behave As If They Are Working In an Office
When employees were working from the office, it was relatively safe for them to talk about sensitive information like corporate finances, intellectual property, special projects, and customer names. Presumably, everyone in the office worked there and had signed a confidentiality agreement. Outsiders were unlikely to glean sensitive corporate information and use it for nefarious purposes.
This is no longer the case. As employees work from home, co-working spaces, hotels, and even airports, it has become increasingly easy for bad actors to overhear or see data that can be used to carry out attacks.
There are several ways this might happen:
- Someone might overhear an employee’s work conversation at an airport. If the laptop is visible and carries a company asset tag, the eavesdropper now knows the employer and can find the employee on LinkedIn. From there they can easily work out the employee’s role and colleagues, and they already have context from the conversation they just overheard. At this point, they have everything they need for a convincing phishing campaign. A few years ago, Graham Murphy, product manager at the Law Society, wrote about how he could have ransomed a law firm based on a conversation he overheard on a train.
- An employee at a co-working space might print sensitive and/or confidential documents on a shared printer but neglect to collect them immediately. The next person to use the printer can simply pick them up.
- A worker may inadvertently share their entire screen when presenting on Zoom, unaware that they’re giving away valuable information such as the operating system they’re using, which apps they have installed, and where they’re located. Cybersecurity professionals have also warned companies that threat actors join Zoom and Teams meetings uninvited to eavesdrop on sensitive information.
Surface Web PII Is Also a Threat
Even if employees are cautious about what they do and say in public spaces, that alone may not be enough to keep their companies safe. The proliferation of data brokers means that threat actors don’t need to overhear someone’s work conversation or spot their laptop asset tag to successfully socially engineer them.
Data brokers are companies that aggregate information on individuals from a variety of sources and then turn this data into detailed dossiers, which they sell to third parties, sometimes for as little as $0.99.
The information that data brokers process and correlate can be:
- Corporate: where an employee works, who they work for, their work email address and phone number, etc.
- Personal: the employee’s home address, who are their family members, etc.
Most profiles include a mixture of corporate and personal data and are remarkably easy to find. Because they exist on the open web, all it takes is a quick Google search to find data on an employee’s personal and professional lives.
Scarily, the information these companies have on employees is getting more detailed. As we spend more of our lives online, data brokers can scrape and aggregate more information about us than ever. For instance, in 2019, we found an average of 200-220 pieces of personally identifiable information per DeleteMe customer on data broker sites. Today, that number is closer to 450. And in the next few years, we expect it to hit around 1,000.
Although we’ve long suspected that cybercriminals use data brokers to carry out attacks, we now have proof. Leaked chat logs show how the notorious ransomware gang Conti uses data brokers like ZoomInfo and SignalHire to find names and contact information for important individuals they may want to target, as well as contacts to “name drop.”
Hackers may also use employees’ family members’ information to sneak their way into corporate networks. In the recent Twilio phishing attack, threat actors used the home and work phone numbers not only of employees but also of their family members.
Besides social engineering, attackers may also use data broker information in password-cracking attacks (many people use their name, birth date, or the name of their pet, spouse, or kids as passwords or as answers to security questions) and in spoofing campaigns.
Every Organization Needs a Professional OPSEC Policy
Ideally, every organization today should have a professional OPSEC policy. There are two key steps to creating one:
Identify what/who you’re trying to protect
This could be specific assets or specific people. For assets, figure out which controls (access control, for example) are needed to protect them. For people, determine who is most at risk from having their PII available on the open web, i.e., executives, financial controllers, etc.
However, while you may want to start with the riskiest people, there’s no way of knowing who cybercriminals might target. For example, if a state-sponsored actor were to attack a government agency, they probably wouldn’t attack the agency itself but rather secondary/tertiary suppliers to that agency. And in the Twilio attack, hackers went after employees’ family members, not just employees themselves.
Understand the environment your employees are operating in
The threats facing work-from-home employees differ from those facing staff at a physical office. For instance, because many remote workers use personal laptops, malware delivered by a phishing email aimed at them personally can land on a device that also connects to the corporate network, and spread from there.
As a result, it is crucial that organizations understand their employees’ operational environment and create educational programs that are aligned with them as well as with the things they’re trying to protect.
Protecting Your Business In a New Remote Work Reality
Remote work has changed how people work. Outside the physical walls of an office, employees are more likely to accidentally divulge confidential information to strangers, information that may later be used for nefarious purposes. They are also more likely to carelessly click on a phishing email, especially one embellished with personal details that appears to come from a trustworthy source.
Unfortunately, as our lives have become progressively more digital, the amount of personal data available about us on the surface web has also grown. This is great news for cybercriminals, who increasingly use employee PII to hack into corporate networks. But it’s disastrous for organizations because traditional cybersecurity measures are no longer enough to stop the bad guys from getting in.