Cybersecurity experts are sounding the alarm that widespread work-from-home orders to combat the coronavirus outbreak are significantly raising the risk of hacks and breaches.
U.S. employers large and small have asked employees to work remotely as the nation grapples with the pandemic, and cybercriminals are already taking advantage of the opportunity, according to security researchers, practitioners and trade groups.
“We always say that you can’t manage what you don’t know about and that is going to be a truth with nightmare consequences for many companies and government agencies struggling to respond to the coronavirus situation,” said Dr. Barbara Rembiesa, president and CEO of the International Association of IT Asset Managers.
Recent reports indicate that cybercriminals have been quick to seize upon the coronavirus crisis, though their goals may vary. Over the weekend, the Department of Health and Human Services was attacked as it tried to respond to the coronavirus outbreak, reportedly suffering a multi-front intrusion that included a DDoS [distributed denial of service] attack and an intrusion into a department server, with the apparent goal of spreading misinformation about the outbreak.
“Now that email is the primary mode of communication between co-workers, it may no longer seem out of place for some transactions to be completed over this channel,” said Crane Hassold, a director of threat research at the email security firm Agari. “This opens up the possibility for things like payroll diversion BEC [business email compromise] attacks to potentially become more successful since it may not raise any red flags that an employee would email someone in HR to ask them to update their direct deposit information.”
Experts are emphasizing the need for U.S. companies to take a variety of steps to tamp down security risks that arise from employees suddenly working from home en masse. Those could include requiring employees to use a company VPN rather than relying on personal Wi-Fi networks, which are often less secure; ensuring that solid firewall and password protocols are in place for accessing company assets at home; and stressing the need to remain vigilant in an environment where typical communication channels no longer apply.
“Criminals will use the crisis to scam people for money, account information and more. With more people working from home, people need to make sure they are practicing good cybersecurity hygiene, just like they would at work,” added Purdue University professor Marcus Rogers, who specializes in cybersecurity and cyber forensics.