Employees need to maintain their security habits while working from home, emphasizes Scott Godes, a partner at Barnes & Thornburg. On the CyberWire’s Caveat podcast, Godes explained that cybercrime has continued as usual throughout the pandemic, but business processes have shifted dramatically.
“It's largely more of what we have been seeing. And what I mean by that is ransomware has continued,” he said. “Business email compromises continue. And I see more phishing attempts on a daily basis than I had ever seen before. And so criminals, apparently, are not going away. Efforts to compromise systems aren't going away. ... And so from that perspective, it's more, unfortunately, of the same.”
He added that social engineering attacks, such as business email compromise (BEC), may be harder to thwart when employees aren’t working in the same building.
“And so there are stories where – apocryphal stories and real stories – for example, in the context of a business email compromise where when I've talked about this, people say, oh, sure, we almost had that happen,” he explained. “We received a message saying, please wire the following amounts to this location. And just before it happened or just after it happened, I ran into this person in the hallway and said, oh, by the way, I've got your – I sent your wire or I'm about to send your wire, just FYI. And in the hallway, the person says, what are you talking about? I didn't ask for you to wire anything or do anything like that. And they manage to catch it. Well, if you're not in the office and you're not going to see people in person, you don't have that same opportunity to correct for that. That's just one example of how things are not able to correct it.”
Additionally, Godes said that as people become accustomed to remote work, they may grow laxer about verifying requests they receive by phone or email.
“Or if you're used to doing things by phone, ’cause that's how we're operating, then – or by email, rather than by phone, because that's how things are operating, then the mindset of following up with someone to say, well, I need to see you in person, or, I need to get a phone call, is not the same,” Godes said. “And there's going to be much more reliance on emails and other electronic communications to get things done so that the perspective of and the viewpoint of, well, you shouldn't click on email, you shouldn't do things by email – that's how the world is operating these days.”
New-school security awareness training can help your employees adapt to changing circumstances by instilling in them a healthy sense of suspicion that can enable them to prevent social engineering attacks, no matter where they are.
The CyberWire has the story.