Jenny Radcliffe, social engineering expert and self-proclaimed “hacker”

Returning to work will ensure that security expert Jenny Radcliffe is busier than usual. She soon expects to walk into the offices of senior executives to remove a computer, photograph a password left on a sticky note, or connect a device that will tell her whatever is typed on a laptop keyboard. If she’s lucky, she may even have time to set up a “pineapple,” a gadget that can snoop on a Wi-Fi network to steal data and passwords when staff log into their computer system.

Fortunately for any company involved, Radcliffe only does this to point out where its staff need to be supported with better training. As she spends most of her time training staff to detect cybersecurity threats online and face-to-face, her company, Human Factor Security, is increasingly in demand to supplement courses with real-world, face-to-face tests of how employees perform. “Believe me, the return to work is going to be a very difficult time for companies,” she said.

“I was sent to an office the other day and the security guy came over and asked me what I was doing. I told him I was doing Covid checks and he should have received an email. I said I had to disinfect the equipment so I had to be left alone. I even put down a yellow cleaning cone to look official. Sure enough, he let me do it and I was able to send clients photos of inside their offices to show that they were vulnerable.”

Radcliffe predicts that cybercriminals will use this disinfection ruse to get their hands on laptops and smartphones, as well as to install eavesdropping devices and gain access to private company information or customer details that they can sell or, more likely, hand back only if the company pays a ransom.

Under online attack

This kind of deception is not limited to physical premises. It has been happening online for years and has intensified over the past year or more. Radcliffe describes the pandemic as “the perfect storm”. People have been tired and distracted, using home devices and Wi-Fi networks that are not as secure as those provided at work. This has caused them to unintentionally compromise their own security and, by extension, that of their employer.

“People sometimes let kids do their homework or watch Netflix on their work laptops and don’t know if they’ve clicked on any pop-up windows or links that may contain malware. We’ve all been tempted, as it’s called in the company, to ‘make a Hillary’ and answer emails on the phone because it’s easier. The problem is, the phone won’t be as well protected as your laptop in the workplace,” says Radcliffe.

The other factor that makes the pandemic the perfect opportunity for cybercriminals is that people are working in isolation at a time when they are emotional and fearful. This means that, unlike in the office, they may not always make the best decisions when an email appears to come from a legitimate business address asking them to hand over a password or send money. These phishing attempts are the most common form of attack on businesses and are now normally referred to as spear phishing because the criminal addresses the email to an individual and pretends to be someone they know within the organization.

“As part of my training sessions, I show people how easy it is to learn so much about a company and its employees that you end up knowing better than them who is working with whom on which project,” explains Radcliffe. “It’s also very easy to get personal information about someone from social media. You can make it look like you really know them and then refer to something they’re working on and ask them to send you money or company network credentials because you don’t have the password with you.”


Staff need to be trained to understand how sophisticated these attacks can be, to the point that a criminal will register a domain name very similar to that of the company they are attacking, perhaps replacing an l with a 1 or an o with a 0. Emails sent from such a domain, purporting to come from senior executives, can look very realistic.
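As an added example, not from the article or from Radcliffe’s company, here is a small Python check a mail gateway or help desk could run to flag sender domains built from the l/1 and o/0 swaps described above; the legitimate domain and the addresses are constructed for illustration.

```python
# Added example (not from the article): flag From: domains that imitate the
# organisation's real domain via l/1 and o/0 swaps or a one-character typo.
import re

# Constructed: the organisation's legitimate mail domain.
LEGIT_DOMAIN = "example-corp.com"

# Digits attackers substitute for the letters they resemble (l/1, o/0).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def normalize(domain: str) -> str:
    """Lower-case the domain and map confusable digits back onto letters."""
    return domain.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch dropped/added/changed single characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return 'legit', 'lookalike' or 'external' for a From: address."""
    dom = sender_domain(address)
    if dom == legit or dom.endswith("." + legit):
        return "legit"
    # Identical once l/1 and o/0 swaps are undone: a deliberate lookalike.
    if normalize(dom) == normalize(legit):
        return "lookalike"
    # One edit away from the real domain: a typosquat, also worth a stop-and-check.
    if edit_distance(dom, legit) <= 1:
        return "lookalike"
    return "external"
```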

As cybercriminals perfected their illicit business, employees faced the problem of working from home with no one to forward a suspicious email to. “In the office, you can always lean over and ask a colleague, ‘Did you get it? Does this sound like Bob to you?’” Radcliffe said. “There is almost certainly an IT professional you can ask for advice as well. But at home, people have been distracted and feeling emotional, with no one to talk to, and that’s what cybercriminals prey on.”

To train staff to spot potential cyber attacks, Radcliffe has a few simple questions everyone should ask whenever they receive an email, text, call, or chat message asking them to help a coworker.

“I have four red flags that I train people to look for, and if they spot one or more, they have to stop and check with a colleague or directly call the person asking them to do something,” she says. “Whether it’s a call or a digital message, if someone uses emotional language, asks you to make a quick decision, or says it’s urgent and involves money, these are all signs of social engineering. Then you should stop and seek advice.”

Self-help security tips

Besides training, there are practical steps Radcliffe suggests all clients and their staff take to improve their cybersecurity. These actions may not all be new, but they are extremely important, she insists. For starters, every piece of software on every employee’s computer, laptop, tablet and smartphone always needs to be kept up to date.

“A lot of times people don’t realize that these updates are security fixes. A hacker may have found a way to access people’s computers through an app and the developer updated it to keep them safe,” she says. “So, even if it’s a pain, the training consists of always updating the software. If you can’t be bothered because you’re no longer using an app, then there’s a good reason to delete it. But you need to keep all programs up to date, as well as your security software.”

Radcliffe knows staff will have heard it all before, but hard-to-guess passwords are a must and they should not be reused across different accounts. One solution is to accept the strong password suggested by an app, which you have no chance of remembering, and use a password manager to log back in. Another obvious step she is getting people to take is using two-factor authentication. Typically, a website or app will only let someone in with the correct password along with a code texted to the owner’s cell phone.

Finally, her training is accompanied by a severe warning regarding the use of public Wi-Fi. It should always be avoided in favour of a smartphone connection, which will hopefully be a good 4G one.

“People don’t realize how simple it is for anyone to set up a Wi-Fi hotspot in an area and name it after a cafe to entice its customers to connect for free,” she says. “There is a really easy to use software package that anyone can install and then set up as a free Wi-Fi hotspot. All they have to do is call it ‘x cafe customer wi-fi’ to sound convincing, and as soon as you log in, anything you do using that connection can be spied on by cybercriminals.”

If cybersecurity during the pandemic was problematic, Radcliffe predicts things could get worse. Cybercriminals will undoubtedly use the partial return to work to target staff with Covid-related tricks, such as the aforementioned disinfection scam. There is also the problem of devices that may no longer be secure, and might have malware installed, being brought back onto the office network. In addition, people are going to be much more mobile, and therefore the temptation to save their data allowance and connect to free public Wi-Fi is going to be strong.

With the right training, however, staff can work much more securely outside of the office as long as they know how to best protect themselves, detect a cyber attack, and, just as important, know to whom security concerns should be raised.

About The Author

Mark Lewis