Whatever way you look at it, the move to remote and hybrid working has not been good for corporate cybersecurity. But the most dangerous threats from shifting workplace locations are not necessarily the most obvious ones.
In a recent webinar, GroupSense CEO Kurtis Minder and DeleteMe CEO Rob Shavell spoke about the surprising operational security challenges facing remote and hybrid organizations. Here are five essential takeaways from the webinar. If your company has switched to fully remote or hybrid work, understanding them is crucial for maintaining operational security.
According to Verizon’s Data Breach Investigation Report 2022, the “human element” was present in 82% of breaches last year.
Whether through mistake or malice, humans have always been the biggest enablers of network breaches. Now, the rise of working from anywhere has amplified the risk of employees inadvertently letting threat actors into corporate networks even further.
Operational Security, or OPSEC for short, is a process designed to stop sensitive information from ending up in the wrong hands. There are three important categories of OPSEC:
With the explosion of remote work, professional OPSEC has become critical. However, many companies haven’t yet recognized how remote working has removed old guardrails, or the risky behavior their employees engage in outside the traditional office.
When employees were working from the office, it was relatively safe for them to talk about sensitive information like corporate finances, intellectual property, special projects, and customer names. Presumably, everyone in the office worked there and had signed a confidentiality agreement. Outsiders were unlikely to glean sensitive corporate information and use it for nefarious purposes.
This is no longer the case. As employees work from home, co-working spaces, hotels, and even airports, it has become increasingly easy for bad actors to overhear or see data that can be used to carry out attacks.
There are several ways this might happen:
Even if employees are cautious about what they do and say in public spaces, that alone may not be enough to keep their companies safe. The proliferation of data brokers means that threat actors don’t need to overhear someone’s work conversation or spot their laptop asset tag to successfully socially engineer them.
Data brokers are companies that aggregate information on individuals from a variety of sources and then turn this data into detailed dossiers, which they sell to third parties, sometimes for as little as $0.99.
The information that data brokers process and correlate can be:
Most profiles include a mixture of corporate and personal data and are remarkably easy to find. Because they exist on the open web, all it takes is a quick Google search to find data on an employee’s personal and professional lives.
Scarily, the information these companies have on employees is getting more detailed. As we spend more of our lives online, data brokers can scrape and aggregate more information about us than ever. For instance, in 2019, we found an average of 200-220 pieces of personally identifiable information per DeleteMe customer on data broker sites. Today, that number is closer to 450. And in the next few years, we expect it to hit around 1,000.
Although we’ve long suspected that cybercriminals use data brokers to carry out attacks, we now have proof. Leaked chat logs show how the notorious ransomware gang Conti uses data brokers like ZoomInfo and SignalHire to find names and contact information for important individuals they may want to target, as well as contacts to “name drop.”
Hackers may sometimes also use employees’ family members’ information to sneak their way into corporate networks. In the recent Twilio phishing attack, threat actors used home and work phone numbers of not only employees but also their family members.
Besides social engineering, attackers may also use data broker information in password cracking attacks (many people use their name, birth date, or name of their pet, spouse, or kids as their passwords or answers to security questions) or spoofing campaigns.
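The password-cracking point above is one a defender can act on directly: if the names, birth date and family details that data brokers publish are known, a password policy can refuse any password built from them. The following is an added example, not code from the webinar or from DeleteMe or GroupSense; the profile fields, the field names and the leet-speak substitutions are assumptions chosen for illustration. The same check applies to answers to security questions.

```python
import re
from datetime import date

# Constructed sample dossier: the kinds of fields a data-broker profile exposes.
# Field names are illustrative assumptions, not any real broker's schema.
SAMPLE_PROFILE = {
    "first_name": "Alice",
    "last_name": "Rivera",
    "birth_date": date(1986, 7, 14),
    "pet": "Biscuit",
    "spouse": "Marcus",
    "children": ["Noah"],
}

# Common character substitutions people use to "disguise" a name (assumed list).
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)

MIN_TOKEN_LEN = 3  # ignore fragments too short to be meaningful ("Al", "Jo")


def _normalize(text):
    """Lower-case and undo leet substitutions so 'B1scu1t' matches 'biscuit'."""
    return text.lower().translate(LEET_MAP)


def pii_tokens(profile):
    """Build the set of substrings a password must not contain, from a PII profile."""
    tokens = set()
    names = [profile.get(k, "") for k in ("first_name", "last_name", "pet", "spouse")]
    names += profile.get("children", [])
    for name in names:
        for part in re.split(r"\W+", name):
            if len(part) >= MIN_TOKEN_LEN:
                tokens.add(part.lower())
    birth_date = profile.get("birth_date")
    if birth_date:
        # Year alone, day/month pairs, and full dates in the common orderings.
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"):
            tokens.add(birth_date.strftime(fmt))
    return tokens


def check_password(password, profile, min_length=12):
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    raw = password.lower()
    deleeted = _normalize(password)
    for token in sorted(pii_tokens(profile)):
        # Digit tokens (dates) are matched against the raw password only, because
        # leet normalization would turn the digits of "1986" into letters.
        haystacks = (raw, deleeted) if token.isalpha() else (raw,)
        if any(token in h for h in haystacks):
            reasons.append(f"contains personal detail '{token}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("B1scu1t!2023", "Rivera1986", "correct-horse-battery-staple"):
        verdict = check_password(candidate, SAMPLE_PROFILE)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

In practice the profile would come from the organization's own HR records or from a broker-exposure scan rather than be hard-coded, and the check would sit alongside a breached-password blocklist; matching after leet normalization is what catches the "P@ssw0rd"-style disguises that a plain substring test misses.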
Ideally, every organization today should have a professional OPSEC policy. There are two key steps to creating one:
This could be specific assets or people. In the case of assets, figure out what processes, for example access control, are needed to protect them. When it comes to people, determine who is most at risk, e.g., executives, financial controllers, etc., from having their PII available on the open web.
However, while you may want to start with the riskiest people, there’s no way of knowing who cybercriminals might target. For example, if a state-sponsored actor were to attack a government agency, they probably wouldn’t attack the agency itself but rather secondary/tertiary suppliers to that agency. And in the Twilio attack, hackers went after employees’ family members, not just employees themselves.
The threats facing work-from-home employees differ from those facing staff at a physical office. For instance, because many remote workers use personal laptops, malware attached to a phishing email that targets them personally could infect their entire corporate network.
As a result, it is crucial that organizations understand their employees’ operational environment and create educational programs that are aligned with them as well as with the things they’re trying to protect.
Remote work has changed how people work. Outside the physical walls of an office, employees are not only more likely to accidentally divulge confidential information to strangers, information that may later be used for nefarious purposes. They are also more likely to carelessly click on a phishing email—especially if it is embellished with personal information and appears to come from a trustworthy source.
Unfortunately, as our lives have become progressively more digital, the amount of personal data available about us on the surface web has also grown. This is great news for cybercriminals, who increasingly use employee PII to hack into corporate networks. But it’s disastrous for organizations because traditional cybersecurity measures are no longer enough to stop the bad guys from getting in.
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.