With employees working from home and many organisations switching to permanent remote working, there’s an increased need for companies to keep their staff secure from cyber attacks in this new environment, writes Steven Goff, CyberSecurity Specialist at Maintel.
Most CTOs or CSOs will have already taken active steps to address this, but some may have neglected the potential vulnerabilities created by the IoT (Internet of Things) devices in employees’ homes.
In connecting remotely to corporate systems, employees may inadvertently expose their organisations to cyber crime. With IoT integral to many smart gadgets, we are often surrounded by connected devices. Indeed, the average UK household has 10.3 internet enabled devices – that’s more than 286 million nationally. While these products are designed to make our lives easier and safer, they can make us vulnerable to attacks.
Dot the i’s and cross the t’s
Consider the home devices that constantly look (cameras – baby monitors/doorbells) and listen (those with microphones). As well as providing a spying risk, they provide hackers with a multitude of network entry points. Once in, lateral movement from one device to another is possible. So, while a cyber criminal may initially breach a connected doorbell, for example, they can eventually make their way to a corporate device being used in the home.
The key to IoT device security is simple: strong and regularly updated passwords are paramount. Changes to password security help combat hacking. While companies may not be able to enforce this in remote working, they should highlight its importance and provide best practice advice.
In a connected home, the risk that IoT devices pose needs to be countered appropriately. Despite so many devices being internet enabled, it’s easy to forget the potential vulnerabilities they create – particularly if the primary purpose of the device does not require active internet access, for example, heating controls or refrigerators. However, as hackers become more skilled in network intrusion, these devices can be exploited. Moreover, with people now accessing confidential or commercially sensitive work information at home, employees and employers alike need to be smart device savvy.
Getting to the route(r)
A secure network is a barrier against IoT hacking. Home networks are typically less secure than workplace networks, with the router being the primary weak spot. Older routers are likely to have vulnerabilities in their firmware that hackers can exploit. Access at the router level can allow hackers to capture sensitive information and install tools to control the network.
While using a company VPN reduces the risk, it still leaves employees open to attacks. Cloud-based tools such as Office 365 and G Suite enable employees to access most of what they need without connecting to the corporate VPN and this is something employers need to take heed of.
Employees can make two quick changes to boost cyber security. Firstly, update router firmware. An up-to-date router will add an additional layer of security to the network, making it less appealing to hackers. Secondly, change router passwords from weak or default ones. While this may be difficult for companies to enforce, business leaders must emphasise the importance of such preventative steps.
Conferencing with confidence
Staff using applications to replace face-to-face activities also introduces a cyber risk. Take home conferencing, for example. Many people are downloading free personal video conference applications to chat with friends and family. These are often installed across multiple devices with easy-to-remember passwords to aid access.
By adopting free and non-corporate applications, employees could be opening themselves up to more than just friends – and putting their corporate devices at risk in the process. Zoom ‘bombing’ or ‘raiding’ is one such example, whereby hackers infiltrate Zoom meetings to harass attendees. Hackers can also use video conferencing platforms to steal Windows credentials. It’s not just non-technical users that are at risk; developers testing applications online can also become easy targets when remote working.
Without the control that in-office working gives, use of such applications should be monitored carefully by employees. Companies should encourage staff not to use free apps for personal use. Corporate and paid accounts are more secure than free-to-use platforms, so business leaders should consider implementing use of these.
These are basic measures employees can adopt and companies can promote to help protect IoT devices and the home network. Remember, these measures shouldn’t just apply to employees who have adjusted to home working in the last few months. How many seasoned homeworkers have updated their router firmware or changed their smart hub password?
In the digital workplace, there are increased risks and endless routes for hackers to exploit. So, when it comes to protecting mobile employees, it has to be a joint effort across the organisation.
Cyber security risks may not be eliminated but can certainly be mitigated. Understanding the source of threats, having clear guidance and ensuring the right capabilities are in place are essential to securing remote working environments and keeping organisations safe.