We’ve all done it. You leave your computer with a stranger’s promise to “keep an eye on it” in a café. Your kid messes around on your laptop in your home office. You scroll through Facebook during a tedious Zoom meeting. What’s the harm?
During the pandemic, the boundary between work and home all but disappeared. For remote workers, this newfound interconnectedness of our personal and professional lives, from the devices we use to the places we work, represents a growing data security threat to many companies.
“Home and work [have become] mingled,” Roxana Geambasu, an associate professor of computer science at Columbia University, told Commercial Observer. “At work they probably tell you not to browse certain websites, and they can also have a firewall that prevents us from browsing certain websites. … But at home, maybe you want to take a break, and it may be a little bit easier.”
The potential for security threats has only grown as companies built remote work into their business models. Lyft decided to ditch 45 percent of its 615,000 square feet of U.S. office space after implementing a policy that lets employees choose when they go into the office. It’s the latest in a long line of firms, including Yelp, Netflix, Salesforce, Twitter, HSBC Bank and KPMG, to shutter or cut office space nationwide.
With remote work here to stay, getting employees to prioritize data security becomes an issue of endurance, said Geambasu. While workers may have steered clear of doing personal tasks on company devices in the early days of the pandemic, the odds that staffers can resist the temptation indefinitely are slim.
Yelp and other employers have attempted to answer that question by scamming their own workers. No wait — hear them out.
“With phishing becoming increasingly sophisticated, Yelp runs phishing simulations that direct employees to additional training if they engage with the test emails,” Sam Eaton, chief technology officer at Yelp, said in an email. “Yelp also employs sophisticated anti-phishing tools that identify malicious emails and assess suspicious content through automated sandbox testing in safe environments.”
Yelp’s test emails are probably a bit more sophisticated than the average Nigerian prince scam (though it’s worth noting that Americans lose about $700,000 a year to that particular con). While Eaton said he couldn’t provide examples of Yelp’s tests, he said its scam attempts mirror the most common industry-wide phishing attacks, including emails with suspicious attachments, false log-in pages and malicious links.
Training is crucial because phishing attacks are on the rise as remote work becomes more common, said Emily Stapf, the cybersecurity, privacy and forensics integrated solutions leader for auditing firm PricewaterhouseCoopers (PwC), whose 40,000 U.S. client services professionals log on remotely for some of the work week. Phishing attempts rose 61 percent between May 2021 and April 2022, according to an analysis of more than 3 million global phishing reports by the consulting group Interisle. The number of monthly phishing attacks doubled from 40,000 in May 2020 to more than 100,000 in April 2022, according to the report.
“People are more willing to engage with unfamiliar emails than they normally would,” Stapf said. “In this work environment, organizations can’t just implement new technology or practices; they must roll out effective training and awareness for employees, too. You can’t underestimate the importance of that user behavior and offering people training and assistance to do their job remotely, using new technology.”
That new technology often includes using a virtual private network (VPN), which lets employers restrict and monitor access to its network, and two-factor authentication, which requires someone to identify themselves on a secondary device before gaining access to a company’s data.
Yelp has “significantly invested” in technologies like two-factor authentication, antivirus software and security systems that monitor the devices accessing Yelp’s networks in real time — though it declined to share how much it spends on data security, Eaton said in a statement. The firm also encrypts data on employees’ computers and has the ability to remotely wipe clean a compromised laptop.
JLL, a commercial real estate brokerage with offices in 80 countries, also monitors remote workers to make sure actual JLL staffers, not bad actors, are accessing the company’s data. First and foremost, JLL never assumes a connection is trustworthy, said Joe Silva, JLL’s chief information security officer.
“It’s [about] leveraging attributes. … All of that is part of a zero trust strategy to validate that you are who you say you are, the device is a trusted device, and the network connection you’re using isn’t suspect and is reasonable based on previous behavior,” Silva said. “Are you an impossible traveler? Did you just access your HR portal from New York, and then five minutes later we saw that you accessed your shared drive or your SharePoint from Los Angeles?”
There’s an age-old phrase in journalism: If your mother says she loves you, check it out. “Zero trust” is cybersecurity’s way of saying the same: Trust no one and verify everyone.
Many firms will go one step further, refusing to talk publicly about their security measures because doing so could be a threat in itself. Of the 32 landlords, law firms, utilities, financial institutions, tech companies and brokerages CO contacted, nearly all either did not respond or declined to comment on their cybersecurity strategies. But Geambasu said it’s dangerous for a business to assume that it’s any safer because it doesn’t publicly discuss its algorithm or practices.
“I do not tolerate security through obscurity because I don’t believe it works in the long term,” Geambasu said. “In practice, people tend to believe that there is some level of security that can be gained from obscurity, meaning you don’t talk about what you’re doing, you don’t publish your methods or your algorithm, and this is somehow supposedly going to confuse an attacker so they’re not going to break in. But, time and time again, this has been proven to be not true.”
Still, it’s an outlook that makes sense when data security is predicated on trusting no one — including your employees. As the dividing line between work and home continues to blur, businesses should expect staffers to take their work to their personal devices and vice versa, Stapf said. And with 82 million Americans working at least in part remotely, you can bet your bottom dollar that some of them will fall for a scam, maybe even a Nigerian prince.
“We know how to make security work from many perspectives like the technical side,” Geambasu said. “But oftentimes these things break due to user mistakes. … Human error is indeed a huge factor.”
Celia Young can be reached at email@example.com.