From beach to breach: Don’t get burned by your emails this summer

Industry experts discuss how businesses and organisations can ensure their employees stay cybersecure while working on holiday

It’s the summer holidays, the sun is out (mostly, or has been), and holidaymakers are taking a well-deserved break from work. But new research from Palo Alto Networks shows that businesses have reason to be concerned about their employees connecting to unsecured Wi-Fi networks and the dangers that this presents, as Tim Bandos, Vice President of Cybersecurity at Digital Guardian – along with several other IT experts – reveals.

“Palo Alto’s research found that over a third of UK workers would be likely to use their work device on an open Wi-Fi network when they go on holiday. This study not only suggests we have a difficult time in disconnecting from the work world during a much deserved and needed vacation, but also that individuals are ready to overlook traditional company policy in avoiding these types of practices.

“Connecting to open Wi-Fi networks can leave your PC at risk for attackers to discover and target your device, along with the possibility of capturing your web traffic data. If you must connect, you should always use a secure VPN over an open connection or seek out secured Wi-Fi services in order to encrypt your communications properly and safeguard your computer. Otherwise, take a break.”

How the criminals take advantage

“As boundaries between work and personal life continue to blur, employees are increasingly dipping into work emails or documents while they’re away on their holidays,” Paul Rose, Chief Information Security Officer at Six Degrees, acknowledges. “Any device will require a data connection to transmit and receive information, and this often means jumping on slightly suspicious looking airport or hotel Wi-Fi.

“All unencrypted Wi-Fi – where you do not need to enter a password to connect – is susceptible to cyberattack. Cybercriminals can use unencrypted Wi-Fi to harvest data and they are often able to intercept anything that is sent to and from a device. This can include emails, images, usernames, passwords, attachments and cookies; potentially incredibly damaging in the wrong hands.”

Derek Lin, Chief Data Scientist at Exabeam, dives deeper into the finer, technical details.

“Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. As soon as it’s clicked, the cycle of information loss and damage begins. Any company that houses sensitive data – especially electronic healthcare records – should aim to nip this problem early on by identifying and alerting on these malicious links,” he said.

“There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookup. However, like any signature-based approach, newly crafted phishing URLs cannot be identified this way. New Machine Learning approaches can actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries.”

The expert advice

Roderick Bauer, Marketing Director at Backblaze, shares his top tips to avoid becoming vulnerable to these attacks.

“The temptation to connect to the quickest and easiest Wi-Fi network when travelling is dangerous when considering the bad actors seeking opportunities to steal your personal information from these weak or public Wi-Fi networks. If you do need to access public Wi-Fi networks, remember to use strong passwords and change them often, look for the HTTPS prefix in a URL to signify it has a Secure Sockets Layer (SSL), turn off sharing abilities on your devices, reject requests to share data and set up a virtual private network (VPN) to protect your connection by routing your traffic through a secure network while still enjoying the freedom of public Wi-Fi.”

Bryan Becker, DAST Product Manager at WhiteHat Security, agrees: “I would advise not accessing anything of value while on a public network, including email or accounts that need to be logged into.

“However, organisations can provide their employees access to a virtual private network, or VPN, which forces all traffic to travel through an encrypted channel. In this case, using external Wi-Fi networks is generally safe. For organisations that want to take things to the next level, they can even set up employees’ computers or accounts to only be accessible when on the company VPN, preventing a situation where a user might forget to secure themselves before checking their email.”

Anurag Kahol, CTO at Bitglass, identifies how a BYOD culture may be increasing the risks of cyberattacks.

“Bring-your-own-device (BYOD), where employees use their personal devices to access corporate data, is a growing trend for organisations to offer employees more flexible working, whatever their location: in an airport, at the office, or on the beach.

“However, when an employee leaves the corporate network behind and accesses business email, data and files directly from their unsecured device, their organisation loses its traditional ability to protect its data and exposes the business to a great deal of risk.

“The best approach here is for IT teams to switch their focus from securing the device to securing data. Rather than focusing on whether or not a device is ‘trusted’, IT teams should ensure that company data is safe, no matter where it travels – even if that is to the beach.”

There’s more to security than the technology

Many employees find it difficult to ‘switch off’ from work completely. But Steve Wainwright, Managing Director EMEA at Skillsoft, explains that social engineering attacks may pose a particular risk to employees checking their emails with a ‘holiday head’ on.

“Social engineering attacks are a go-to method for hackers. They rely on unwitting, unsuspecting and, at times, careless employees. A recent Positive Technologies study found that more than one in 10 employees fall for this type of attack. Hackers use information gained on social media or the dark web to build a profile of a person and then pose as someone they might know via email. They might then encourage their victim to click on a link or download a file that contains malware. The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks. Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”

Graham Marcroft, Operations and Compliance Director at Hyve Managed Hosting, agrees that training needs to take priority.

“When it comes to online security and data protection, human errors are often considered to be the biggest threat and ‘weakest link’. So, without appropriate training and education, individual employees and the businesses they work for can fall victim to cyberattacks. While many attacks are designed to take advantage of human errors, business owners should avoid solely putting the blame on employees and focus on improving their cybersecurity training and in-house security practices. Every business should encourage employees to understand that they are the best line of defence and create a culture of cybersecurity that they carry with them, not just in the workplace but also when using business devices or applications abroad.”

“If you work in the technology industry, it’s likely you’ve gotten a call from an upset customer who’s fallen prey to a tech scammer,” says Jeff Bishop, CPO at ConnectWise. “They received a scary email informing them that their computer was infected and all their files were at risk. Disturbed by the notion that they might lose all their data, they complied with the instructions and allowed the stranger on the other side to remotely access their machine. Unfortunately, you know all too well how the story ends. The scammer gains access to the device and then requests payment for fixing a non-existent issue, and possibly installs malware or spyware for easy access later. Your customer is left feeling violated and confused.

“Proactive and continuous customer outreach and education will go a long way in showing that you care about their cybersafety. And if you pair those efforts with remote support and access software that offers transparency and security, you’ll be well on your way to establishing your business as a trusted technology adviser.”

Steve Nice, Chief Technologist at Node4, similarly argues for the importance of preparing your employees for worst-case scenarios.

“Regardless of how many layers of protection security experts implement, the weakest link is the people involved. Managing this portion is essential in any cybersecurity strategy, so it is important to ensure that employees are fully up to date with the latest security protocols and processes in their company, to help combat the ever increasing tide of cyberattacks. This is a key part of cybersecurity and even more so because the human element is the hardest to control and measure, especially when they are accessing and using work applications out of the office environment.”

Recovery should be your safety net

Unfortunately, it is not always possible to completely avoid cyberattacks. To conclude, Avi Raichel, CIO at Zerto, explains why disaster recovery should be just as much of a business priority.

“Having appropriate role-based access control and an extensive tiered security model will help minimise risk. But the attack itself is only half of the problem because, without sufficient recovery tools, the resulting outage will cause loss of data and money, as well as reputational harm. 

“In the event of any disaster, businesses should utilise tools that allow them to roll back and recover all of their systems to a point in time just before an attack. This level of disaster recovery is paramount, as emails continue to exist at the core of most businesses, they remain a standing target for ever-sophisticated cybercriminals.”
