With coronavirus lockdowns continuing around the world, many offices remain empty. Staff working from home – often on their own equipment – are the big new security target.
Security firm Trend Micro’s recent report, The State of Ransomware, concluded by highlighting the threat to home workers. Ransomware has shifted over the past few years from a threat that targets consumers to one largely focused on companies, with the hope of shaming firms into paying a huge ransom to unlock their most sensitive data. Employees – and especially homeworking employees – are the weakest link in the chain.
The average ransom paid in 2019 was around $800,000; that shot up to $1.3 million in 2020, according to Trend Micro’s technical director, Bharat Mistry. That’s partly because the ransomware gangs have become more vindictive in their approach.
Companies that initially refuse to pay a ransom (perhaps because they’ve got good backups) are given a secondary demand: pay up or we’ll publish your stolen data online. Such “double extortion” was one of the key ransomware trends of 2020, Mistry claims.
Now, with many employees working outside of the security ring of the office, homeworkers are being targeted as the route into a company’s network. “It [homeworking] just opens up that whole attack infrastructure, the surface of the attack,” said Mistry.
“When devices are in the corporate environment, you’ve got layers of protection you can enforce,” he said. “When you’re working from home, it’s fine if you’ve got a corporate device, but if you haven’t, like many people in the current pandemic… you’re the last layer of defense.”
Many employees might think they’re safe if they’re using a virtual private network (VPN) on a personal device to tunnel back into the company network. But, as Mistry points out, with homeworkers’ laptops connecting to other insecure devices on the home network, or with a poorly secured home router, if an attacker “can work out a vulnerability and pivot back in, they’re all the way through” to the company network.
How to avoid falling victim
Nobody wants to be the person who let the attackers into the company network. Whether you’re working on a company or a personal device, here are some of the steps you can take to mitigate the risk of attack:
- Take great care with email. Phishing attacks that attempt to steal your details have become a lot more common since the start of the pandemic. Emails seemingly sent from your company offering Covid-19 vaccine jabs are just one of the latest tricks to get you to click on something you shouldn’t. Be very wary of clicking on any links or opening attachments sent by email. Here are five dangerous types of email attachment to look out for.
- Make sure your router is fully updated. Most people are in the habit of keeping their computers and security software up to date, but what about the software on your home router? If an attacker can get into that, they can potentially intercept traffic passing over your network. Many routers will update themselves, but it does no harm to check. Open your router’s settings via a web browser or mobile app (check with your broadband provider or router manufacturer for instructions on how to do this) and make sure the software – or firmware – is up to date.
- Observe good password hygiene. Don’t use the same passwords for different accounts, especially work accounts. Use a password manager that can store strong passwords that you’ll never need to remember – and ideally not the password manager in your browser, but one such as the free Bitwarden which you can use on any device. Better still, have accounts protected with two-factor authentication, so that if anyone attempts to log in from a new device, they need a code sent to your smartphone, for instance.
- Isolate a personal device used for work. If you’re forced to use your own laptop for work purposes, isolate it from the rest of the home network as far as possible. Don’t allow other computers on the network to have shared access (you’ll find details of how to switch off file and printer sharing in Windows 10 here). Don’t swap files with other computers using USB drives. Try to avoid other family members using the same computer – if they must, make sure they are using a different user account. Children should always be put on child accounts in Windows 10 to limit what they can install and download.
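The following PowerShell audit script is an added example and is not part of the article or of Trend Micro’s report. It checks a Windows 10 PC against the isolation steps in the last tip (network profile, File and Printer Sharing firewall rules, SMB shares, and which accounts hold local administrator rights) and only reports what it finds; it changes no settings. It assumes an elevated PowerShell window and uses only cmdlets from the NetConnection, NetSecurity, SmbShare and LocalAccounts modules that ship with Windows 10.

```powershell
# Added audit script (not from the article). Read-only: it reports, it does not change settings.
# Assumes Windows 10 and an elevated (Run as administrator) PowerShell window.

$findings = @()

# 1. Network profile: on the Public profile Windows does not advertise this PC or its shares to the home LAN.
foreach ($p in Get-NetConnectionProfile) {
    if ($p.NetworkCategory -ne 'Public') {
        $findings += "Interface '$($p.InterfaceAlias)' is on the '$($p.NetworkCategory)' profile; " +
                     "consider: Set-NetConnectionProfile -InterfaceIndex $($p.InterfaceIndex) -NetworkCategory Public"
    }
}

# 2. Inbound 'File and Printer Sharing' firewall rules should be disabled on a work laptop at home.
$fpsEnabled = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
if ($fpsEnabled.Count -gt 0) {
    $findings += "$($fpsEnabled.Count) inbound 'File and Printer Sharing' firewall rule(s) are enabled."
}

# 3. Any share beyond the built-in special ones (C$, ADMIN$, IPC$) exposes a folder to other devices on the LAN.
foreach ($s in (Get-SmbShare | Where-Object { -not $_.Special })) {
    $findings += "SMB share '$($s.Name)' exposes '$($s.Path)' to the network."
}

# 4. Daily-use and family accounts should be standard users, not members of the Administrators group.
foreach ($a in Get-LocalGroupMember -Group 'Administrators') {
    $findings += "Account '$($a.Name)' is a local administrator; use a standard account for everyday work."
}

if ($findings.Count -eq 0) {
    Write-Output 'No isolation issues found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Each finding names the setting to review rather than changing it, so the script is safe to run before deciding what to switch off; the built-in (usually disabled) Administrator account will appear in the last check and can be ignored.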