Today's college students are entering a new working world. With the rise in remote work and technology advancing business operations, cybersecurity in remote environments is more critical than ever. Interns Richie Neumann, Adjua Lake, and Tyler Kluge share their research into the future of work and how cybersecurity must be a priority for every business' strategic plan.
ALLY: Hello everybody and welcome to our panel on cybersecurity in remote working environments. My name is Ally and I am the Enterprise Risk, Security and Compliance Professional at Critical Ops. I am here with Karen, who is our creative developer. With us, we have three of our interns that we have been working with this semester. I’d like to start our panel by asking everybody to introduce themselves. Adjua, could you please start us off?
ADJUA: Yes, good morning, my name is Adjua Lake and I attend the University at Albany in Albany, New York. My major is cybersecurity with a minor in informatics.
ALLY: Thanks for joining us Adjua. Could you please talk a little bit more about what you are researching with us this semester?
ADJUA: Well, I’m studying different vulnerabilities that remote workers need to be aware of and be cautious when they’re working from home, or working in a café, library, even in your own car.
ALLY: That’s very relevant with the amount of companies that were displaced by COVID and sent their employees home to work.
ALLY: Richie, could you please introduce yourself next?
RICHIE: Yes, good morning everybody. I’m a student at the University at Albany as well, and right now I’m studying Cybersecurity as a major and a minor in Informatics. And with my time at Critical Ops, I’m also focusing in the area of cyber hygiene and compliance, and in that area, specifically, I’m looking at how the switch to remote work has impacted small- to medium-sized businesses and what we can do about that.
ALLY: Thanks Richie. And lastly, Tyler, could you please introduce yourself?
TYLER: Yes, I can. So, I’m Tyler, I’m a junior at UAlbany. I’m a dual major of Digital Forensics and Informatics with working on a minor in Theater. At Critical Ops, I’m studying CMMC compliance in an external network, and at one point an Office 365 network. It’s been a great time so far.
ALLY: Adjua, you mentioned that you are studying the different vulnerabilities that companies might face when having their employees work from home. In your research, what vulnerabilities did you find?
ADJUA: Well, there’s several vulnerabilities, but the main ones that we should be looking out on are malware, phishing attacks, weak passwords, unpatched security vulnerabilities, hidden backdoor programs, superuser or admin account privileges, the implementation of cybersecurity measures by employees or users, and most importantly, public wi-fi.
ALLY: I like that you mentioned public wi-fi. I’ve read a lot lately about how public wi-fi can be dangerous for companies with sensitive data. What would happen if these vulnerabilities were exploited?
ADJUA: Well, for example, with public wi-fi, hackers can position themselves in between the user and the connection point of the wi-fi, which then they can distribute malware and implant infected software on the computer. With weak passwords, as well, you can’t use dictionary words, don’t repeat letters or replace letters with numbers, don’t use your personal information, and most importantly, do not write your passwords down or store it near your computer, because it can be easily cracked.
ALLY: I’ve been thinking a lot about shared devices as well with cybersecurity. We like to think that we can trust the people around us, and we probably can. But we also have to think very carefully with who has access around us. Should we be concerned about other people in the home?
ADJUA: Yes, and they can probably download software or programs, which then let that attacker have access to your computer without your knowledge, and when they do that, they can take your stuff and expose it and put you and your company in harm.
ALLY: That’s a great point. I’ve seen that shared devices may pose a risk when there are children around. They may go to a website to download a video game, but not realize that the web page isn’t legitimate. Do you think that parents should be educating their children about cybersecurity too?
ADJUA: I think everyone should be educating themselves on cybersecurity because it’s really important. We, like you said, kids like to play video games, they also like to watch videos and they’re on different sites that’s always not secure, and sometimes these hackers trick users into thinking that the site that they’re on is legitimate when they’re actually not, and they go on the site and they give their personal information or any kind of information and it would be too late by that time. So, everybody should be educated in this field from oldest to youngest, everyone.
ALLY: I’d like to move over to Richie because he is studying some of the solutions businesses can take right now. Richie, what solutions should businesses be focused on to prevent some of these vulnerabilities that Adjua’s been talking about?
RICHIE: Well, that’s a great question, Ally. As I was listening to Adjua, it can sound like there’s always an attack looming, which is very true, and it’s very hard to prevent an attack in a lot of scenarios. There’s almost a 100% guarantee that an attack will happen at some point, but we can mitigate the risks significantly, and in my research, I looked at “back to the basics” was my concept to kind of describe how to prevent a lot of these things, and it’s very simple.
If companies would just go back to basic cyber hygiene in a lot of areas, they’d see statistics go down in terms of their likelihood of an attack. So, some of these things could be installing a network firewall, using anti-virus, using a VPN for encryption–that would definitely help on public wi-fi–backing up regularly. Some strategies that I’ve heard are the 3-2-1 backup strategy where you keep three copies of each important file, two on a different external hard drive, and one in the cloud, which might seem like a lot, but it’s definitely worth it, and it’s shown to do great things in terms of keeping your data secure and having extra.
Using strong passwords and using multi-factor authentication is one of those very important foundational steps. Patching your devices regularly and securing your routers, and least of all, but very important, locking your devices, which kind of goes into having your kids around. If they can get into your personal device, they can kind of mess with it, and you want to keep that separate from home life.
ALLY: That’s a great point. Have you seen any trends lately about how the pandemic has influenced cybercrime?
RICHIE: Well, one of the most startling ones to me when I was reading it was, recently the FBI reported that the number of complaints about cyberattacks their cyber division specifically has been up to 4000 a day, and that’s what they say as 400% increase from what they were seeing prior to the coronavirus. So–it’s–remote workers are being targeted like no tomorrow, and that’s why these principles and these foundational cyber hygiene steps are very important for them to take.
ALLY: When it comes to cybercrime, what types of attacks have increased? Is it phishing, malware, ransomware, or other types of attacks?
RICHIE: They’re a mix. They’re a mix of attacks from ransomware to malware to phishing is a very common one and a lot of the times what I’ve noticed in my research is attackers go for the lowest hanging fruit. So, when you do implement these principles and you have “defense in depth,” which is multiple layers of defense, a lot of the times they’re not going to go for the more defended person. They’re not going to take the time to do that. They want to get the quick hit, they want someone who’s just going to click a link. Phishing tends to be the most targeted that I’ve seen but there’s other avenues, like I said, ransomware, cross-site scripting, things along those lines.
ALLY: That kind of goes back to what Adjua was saying regarding education.
ALLY: So with all of this, should organizations be beefing up their cybersecurity training for employees too?
RICHIE: Without a doubt. I think one of the statistics that made me think about the importance of training was that since the pandemic, 73% of workers have not received any IT security awareness training from their employers. And the reason that’s so important is because they weren’t really getting trained as much as they should be prior to this, but there’s new threats working from home, and companies should really take the time to educate their workers on those threats. The change in—one statistic had to do with phishing and companies, when they did train their employees on phishing, they saw them being way more prepared and so many cyberattacks being mitigated because of this. So, I just think, when you educate, even like Adjua was saying, when you educate your children on it, when you educate the people as a whole and let them know, hey, this is what you should be doing, it really makes a difference.
ALLY: Tyler, your internship has been very focused on the technical aspects of cybersecurity and some of the new compliance standards. What should businesses do if these vulnerabilities are exploited?
TYLER: So, it almost feels inevitable in this day and age that something will eventually be exploited, so these following things a business should do sort of simultaneously if the staffing exists for it. So first, they should follow any of their current policies to stop operations that could be affected by the vulnerability, whether that’s removing their network from the internet, taking down access to certain pages of a website, or removing access from certain employees they feel like might be the method of the hacker accessing their network.
They should assess where the exploit has been affected, like how did it get in? What is it currently affecting? Is it stopped affecting? And did we lack security, or did we have a problem with our current lineup, or did we just miss this entire idea of where security should be for this sector? They should contact law enforcement because cyber crimes are still crimes and law enforcement might be able to help.
As well as anyone affected by it, which could be people in the contract, where if there was sensitive material you now need to let them know that there was a breach and their contract material could be out. Employees, whether it was employee information or employee passwords, you can let them know that, hey this has happened, I’m sorry that your information was leaked, but here’s how we can go about it. Or, hey, your password seems like it might have been the one breached; you have to go through this changing it and make sure you follow the password protocols. And customers, because transparency is very important and if you have a breach, you might as well inform the customers ahead of time, because eventually it’ll get out, and that can lose trust in business or cost more in the long run through lawsuits.
They should also reboot to backups in order to not be working on a corrupted state, like if they have backups they can go back to them, they’ll know that at this point nothing was corrupted, nothing was breached and they can look at it from a clean slate here and see how to fix it and prevent those acts in the future.
ALLY: I like that you mentioned backups. Could you talk a little bit about some of the best practices with backups? Richie gave the 3-2-1 rule. What are other security experts recommending right now?
TYLER: Through new compliance standards, it never says exactly which way you have to back things up, but the recommendations usually fall of backing up something multiple times, whether it’s a physical backup, a cloud backup, and another cloud backup, or a physical backup on premise, off premise, and the cloud backup. It always suggests that you back up things multiple times. So, personally there’s many different ways you can go about it, but my recommendation, as well as what’s followed by a majority of businesses, they use hybrid cloud. They’ll determine what information is critical to the business and they’ll store that on private cloud, as well as possibly physical backups held with the individuals who need them just in case. And then things that are not critical to business or not contracted information that would be bad if it got out but not be detrimental would be stored in public cloud.
The hybrid cloud does provide the security needed for the private critical information while cutting costs by letting some of the information stay on public cloud, so businesses aren’t spending too much on infrastructure but still having all the security they need. If ransomware was to occur, they’d be able to go to their backups and either say, delete it or they’d be able to use the security in the private side to not have to worry about getting an attack of ransomware in the first place.
ALLY: Do backups really make a difference with attacks such as ransomware? What could they allow us to do should a company get hit with ransomware?
TYLER: Yeah, most definitely, because if you have something stored on one device and a ransomware attack comes through and they say, hey we have control of this device and we’re going to delete everything from this device if you don’t pay 700 bitcoins to this address in 12 hours. But if you have a backup of that device and all your information on it, you can just not. You can either call their bluff and see if they’ll just stop, or you can just not pay it and if they delete the information, you’ve got the backup, and you don’t even have to worry about it.
ALLY: What would you recommend to organizations that forget about backups? Are there such things as auto backups?
TYLER: There are auto backup programs that will back things up fully once a week and then do incremental backups every other day that back it up to just the things that were implemented that day. Those are very useful, but they have to make sure that you check up on them to make sure that they’re not backing up information that’s just not necessary or not running. So, with anything that’s automated, you just got to make sure you’re continuously checking on it every once a week or at least once regularly in order to make sure that your backups are actually being stored. And this is where it goes into the importance of testing your backups, where if you have backups that’s all great, but if you don’t test them, maybe they’re corrupted themselves. And if you have a corrupted backup, you don’t know what information you’re going to lose or what backup you had last that’s up to organizational standards.
ALLY: So we are about out of time for today’s panel discussion. I’d like to thank our interns Adjua, Richie, and Tyler for participating in the panel and talking about what they’ve been learning this semester. I’d also like to thank all of our viewers for listening in on our panel. If you have any cybersecurity questions or would like to hear about receiving a free cybersecurity compliance consultation, you can contact me, my name is Ally, and my email address is firstname.lastname@example.org or you can visit www.criticalops.com. Thank you.