User Unfamiliarity is the Greatest Enemy to Secure Remote Working
Unfamiliarity leaves humans susceptible to all sorts of bad decision making. Take, for example, the first day of a holiday in a foreign country that you’ve never previously visited. The random taxi you picked at the airport takes the scenic route and uses a meter which runs so fast that it could have been used as an official timer in a 100-metre Olympic sprint. You visit the local bureau de change office, which, while promising 0% commission, gives you an exchange rate so bad you’d think you had handed the cashier a fistful of Argentine pesos. At this stage, you’re tired and starving. A restaurant tout lures you into their premises with the promise of authentic local cuisine, but the food ends up being about as authentic as a fresh cod fillet in a Mongolian sushi bar.
When humans are dealing with the unfamiliar, we’re liable to make all sorts of mistakes and bad decisions. The same applies to technology. And when this is set against the backdrop of fear and uncertainty that’s been engendered by the COVID-19 pandemic, it provides fertile ground for cybercriminals.
This situation is not helped by the way that our brain works. When interacting with new technology, our brain’s cognitive processing centres are bombarded with new stimuli. Without the familiar, differentiating between the normal and the abnormal becomes blurred. Moreover, the acuity of our inbuilt trust radars is severely blunted because our normal trust or distrust cues get lost in a muddle of newness. For example, a person who is not familiar with the modus operandi of Zoom, WebEx or Microsoft Teams will be more susceptible to that phishing email masquerading as a video conference invitation. It is important to remember that it’s not just video conferencing applications that hackers are exploiting at this time but also tried-and-tested campaigns involving Office 365, Dropbox, WeTransfer, Skype and DocuSign. Hackers are also sending out emails trying to phish VPN credentials. Only last week, we came across a very convincing phishing email purportedly sent out from a “technical support department”. The body text of this email acknowledged there were problems with a slow VPN (a very credible pretext, as most VPN users find this connection type to be slow at some stage) and offered the recipient a faster solution. But here’s the rub: to enjoy the faster connection speed, the user is asked to input their existing VPN credentials. Very clever – even seasoned remote workers will get duped by this.
But it does not stop there. The COVID-19 pandemic has put many organisations into a state of flux and given hackers a slew of pretexts and emotional triggers to use in their phishing campaigns. Expect to see more of these campaigns using pretexts such as health notifications, employment notifications and changes in organisational technology policy. These emails will be suffused with emotional triggers, such as curiosity, fear and loss aversion, which will make opening email attachments a veritable minefield over the next few months.
Protection Layers Removed, Old Systems and “taking a chance”
The insecurity of remote working is compounded by the fact that many workers are connecting directly to the internet using their home router – without the extra layers of protection offered by a VPN, perimeter firewall or security gateway. It is also likely some remote workers will be dusting off that old Windows 7 laptop or desktop to access their work network or email system. Such out-of-date operating systems are not only inherently insecure, they could also be harbouring some nasty strains of data-stealing malware.
Perimeter defences are not the only safety net removed. The ability to quickly verify a suspicious email or URL by asking a tech-savvy colleague in your office has also been removed. This makes remote working employees more likely just to “take a chance” when clicking on attachments and weblinks.
Protect your Organisation with IT Security Awareness Training
Employees need to be educated on how cybercriminals are feeding on the disorientation, worry and fear of this pandemic in order to exploit them. They need to be informed about how COVID-19 and remote working themed pretexts are going to be extensively used in the next few months, and given advice that is both actionable and memorable to thwart these attacks. Now more than ever, robust IT security awareness training is required.
SecureClick are based in Dublin, Ireland. We provide engaging IT Security and Cyber Awareness Training for your employees via interactive webinar and e-learning. Subject areas include phishing, invoice fraud, malware, ransomware and data breaches. Highly rated by participants. Phone us on 01 254 9702 for more details.