Member Article

Last spring, many businesses did the unthinkable. In response to the spread of Covid-19 and subsequent stay-at-home orders, they seemingly overnight deployed fully remote workforces. Then everyone breathed a sigh of relief upon realizing that a fully distributed workforce ... works.

As it turns out, cybercriminals were among those most eager to take advantage of distributed workforce arrangements.

Almost immediately upon the shift to remote work, phishing attacks increased exponentially, with bad actors exploiting coronavirus-related fears.

So why the sudden spike in attacks targeting virtual workers?

People are more likely to fall victim to social engineering tactics during this time, especially those that aim to exploit fear, uncertainty and doubt or disinformation (sometimes referred to as “FUD” factors). Gifted with the power of autonomous decision-making, humans tend to be the weakest link in information security chains. As a result, corporate workforces are targets for an ingress point to company systems.

Compounding this vulnerability, Covid-19 effectively turned the world on its head, leaving a gift basket of FUD for bad actors to enjoy.

For businesses, rapidly going fully remote left little time to prepare systems or employees for the additional security risks a distributed workforce faces. In an office environment, employees operate within a company-controlled network protected by enterprise-wide security tools, with an IT department on site to assist should threats arise.

Working from home weakens many of those protections. In response, some businesses provide company-issued devices and network security tools for use with remote work. Even so, the devices and tools are deployed in an environment — and connected to a network — that the business does not control.

Replacing the office with the home environment reduces the employee’s ability to spot and respond to threats. Coupling this with isolation and limited human interactions can increase individuals’ susceptibility to social engineering tactics.

Phishing, spoofing and other social engineering attacks can devastate a business. Losses from such attacks are difficult to recover and strain business relationships. Cyber liability insurance tends to cover claims involving non-human system failures or defeats, or fraudulent financial instruments, and may not apply as the employee is performing a task they believe to be legitimate.

It is common for an attacker to gather information about individuals within a business, then leverage it through an interaction with the individual. The interaction creates a sense of urgency, with a call to action to resolve the urgency. If the ploy is successful, the individual takes the bait, believing they are taking an appropriate action, subsequently inviting the vampire in.

Workforce training is one of the most effective ways a business can enhance its information security program to reduce the effectiveness of social engineering attacks. The business should work with its information security team to understand its vulnerabilities, and then tailor training material to address the same.

The training should align with company policies and procedures related to acceptable use of devices and systems, as well as reporting actual or suspected information security threats. It should also educate the workforce as to the purpose of the training — not just how to respond to a threat, but also the context around why certain activities may be higher risk. Individuals who understand risks will better identify and respond to them.

Finally, the training should be easily executed and repeated. Through practice and repetition, individual workforce members can improve accuracy and reaction time for identifying and responding to threats, can become more comfortable when confronted with a potential threat and will be less likely to fall victim to FUD-based tactics.

The social engineering threat landscape looks different for each business. Companies should consult with their advisers and attorneys to better understand their risks and obligations in view of social engineering attacks, and develop workforce training tailored to harden their information security programs against social engineering tactics.

A version of this article was originally published in the Puget Sound Business Journal.