The rise of cyber hacks in an age of remote working – and how to prevent them
By Steve Hanna, Embedded Systems Work Group Co-Chair at Trusted Computing Group (TCG) and Jun Takei, Japan Regional Forum Co-Chair at Trusted Computing Group
Technology is replacing a number of real-life activities, helping to maintain a level of normalcy and connection with familiar faces amid unprecedented times. As remote working continues to prove an ever-essential trend in light of our current global climate, organizational networks have expanded from single offices to cross-country residential spaces, from kitchens to spare rooms.
In fact, according to global tech market advisory firm ABI Research, Connected Home devices are expected to become more popular in the coming months, with a 30% year-on-year sales increase projected and more than 21 billion Internet of Things (IoT) devices expected by 2025. Cloud services have also been adopted at an increasing rate by organizations to deliver remote services and, with 84 percent of enterprises now running on a multi-cloud strategy, are expected to account for 70 percent of tech spending this year. As a result, collaboration tools, including various video conferencing platforms, are being used far more frequently as companies adjust to the new normal of telework. Meanwhile, social media and video calling services such as FaceTime are allowing families and friends to stay connected, and streaming services are providing entertainment on a more personal level.
This new normal brings with it changed user habits and, with inadequate security protection on these devices, an increased level of risk in the form of new unknowns such as hacked devices and distributed denial of service attacks. Connected Home and other IoT devices disrupt our traditional methods of business, acting as a bridge between the virtual and physical world and offering new, almost limitless benefits for workforces and education. However, at the same time, they also give hackers opportunities that were never possible before; remote work is a game changer for society, bringing huge benefit, but it is crucial that we also understand the risks. Faced with a more integrated and widespread network, security protection against business email compromise, data thefts and scams is something that all organizations and users must implement. As a result, it is critical that organizations invest in collaborative tools to enable remote workers to do their jobs securely whilst adhering to protective stay-at-home initiatives worldwide.
It Starts at Home
Working from home presents a communication barrier between employees, preventing instant, in-person discussions about suspicious digital activity that they may observe, for example an unusual email. The only current replacement for these face-to-face discussions is virtual conference calls – another popular security oversight and target for attackers. However, while this face-to-face communication is important, it is not essential to security protection measures, provided that the correct automated detection and prevention security mechanisms are put in place. To successfully protect these avenues of online correspondence, it is vital that organizations work to become more security-conscious, starting with the user and their awareness of attacker behavior.
Such measures can be difficult due to the added distractions faced by workers at home, including childcare and deadline pressures, among other things. From a technical perspective, the home network should not be trusted as it brings new vulnerabilities and is unable to support devices in the same way a corporate business network would, making a Virtual Private Network (VPN) essential. In some cases, a home PC may be used for other purposes by other members of the family, or an employee may want to use their personal device to access corporate information, for example with a work USB. This misuse not only provides opportunities for information hacking within the network, but also physically exposes devices to threats. Such technical risks, combined with the rushed and unpredictable nature of home working, present a wide range of vulnerabilities that hackers can take advantage of as they get ever smarter. However, it is not enough to advise employees as to the correct device and data conduct at home; organizations need to go beyond this to accept the given risks and implement the appropriate protection mechanisms.
To prevent device protection from being overlooked amid the irregularity of working from home, organizations should consider investing in training for remote workers to increase user awareness or more thorough backup systems. These can be crucial for safe, efficient and secure business operations, as well as helpful for maintaining normalcy. Preventative measures can also be taken on an administrative level, especially during video conferencing over collaboration platforms. For example, privacy can be protected by using unique access codes for each meeting, enabling a waiting room to keep track of meeting participants and limiting shared screen options within the meeting. By having the knowledge to put basic security measures in place, question browser pop-ups and access a backup system if things become corrupted, organizational breaches – and breakages – can be prevented.
Securing Devices from the Inside, Out
With many countries having passed the peak of the COVID-19 pandemic, it is expected that this “new normal” will continue far into our future, meaning that the demand for remote device security is not likely to wane. In answer to this search for long-term, full-coverage protection, Trusted Computing Group (TCG) has been working to develop device security which protects, from the inside, against the new-found risks that have come with our “new normal”. Offering agility and fast deployment, Trusted Computing ensures multi-layered security to safeguard corporate confidential information and personal data against the growing sophistication of interception and threats in the realm of remote working, not only within PCs but also among IoT and cloud-connected devices and networks.
Such solutions come in the form of hardware-based, embedded security subsystems, such as the Trusted Platform Module (TPM). When implemented, these chips create a reliable trust relationship between interconnected devices, protecting against cyberthreats. Their cost-effective nature enables organizations to affordably protect entire networks of devices, securing systems thoroughly and efficiently. TCG specifications are needed to collaborate with government guidelines for a safer-connected future. This includes not only internal components such as the TPM, but also the use of security-reinforcing authentication mechanisms, such as multi-factor authentication or longer passwords. Within a network, it is also encouraged to use device provisioning, ensure strong user authentication mechanisms, employ PKI-based certification and conceal the whole system via a hardware-based root-of-trust. Many of these measures are already available for use in commercial entities and government digital infrastructures and are recommended for full-coverage data protection.
COVID-19 has significantly impacted society, having pushed Digital Transformation (DX) in many places all over the world. Where working from home was not standard practice before the pandemic, many organizations now see it as the future of business, education and collaboration. However, while DX has been long-awaited among society, we must simultaneously implement the appropriate security protection measures in order to realise its full benefit, and more must be done to create this safe and secure digital ecosystem. The nature of technology, and therefore cybersecurity, is that it is ever-changing; as devices advance, so do threats. Organizations, having implemented the current recommended measures, must ensure they remain vigilant and keep systems, software and backups updated for the ultimate protection. To do so, the integrity of the network endpoints needs to be measured and constantly monitored to avoid endpoint compromises. In adapting to our new normal and changing environment, it is vital that we adjust to the new technology challenges rapidly and proactively. By employing this security-first approach and building on these essential principles of updating, protection and resilience, billions of IoT and cloud systems will benefit, providing a safe, secure future despite a growing cybersecurity risk in our increasingly connected world.
About the Authors
Steve Hanna is the co-chair of the Embedded Systems Work Group in the Trusted Computing Group (TCG) and Senior Principal at Infineon Technologies. Hanna is a member of the Security Area Directorate in the Internet Engineering Task Force, also serving as the liaison from the TCG to the Industrial Internet Consortium. He is the author of several IETF and TCG standards and published papers, an inventor or co-inventor on 47 issued U.S. patents, and a regular speaker at industry events. He holds a Bachelor’s degree in Computer Science from Harvard University. Steve Hanna can be reached online at firstname.lastname@example.org and at our company website: https://trustedcomputinggroup.org/.
Jun Takei is the co-chair of the Japan Regional Forum in the Trusted Computing Group and is a Principal Engineer at Intel. Since joining Intel, he has been responsible for technology policy and standards, and has a wealth of experience in the Internet and wireless communications from both a technology and policy point of view. From 2004 to 2015, he was a board member of one of the most successful Internet research consortiums, the WIDE project, and has also spent time lecturing at Keio University. Now, he is working as the director of Security and Trust Policy at Intel. Jun can be reached online at email@example.com and at our company website: https://trustedcomputinggroup.org/.