After a year in pandemic mode, many are eager to embrace a new normal. For some, that may mean once again being able to spend time with loved ones without the need for a webcam and mic, or an end to wearing face masks. For others, it may mean being able to take vacations or attend in-person events, like concerts.
For those who shifted to working remotely in 2020, a new normal may mean a return to the office. Already, many organizations have started requiring staff to return to their cubicles and conference rooms. Some are even offering incentives beyond free food. CoStar, a company featured prominently in a Wall Street Journal article earlier this month, is rewarding employees who return to the office with cash prizes and even, for one lucky employee, a Tesla.
Unfortunately, these changes spell O-P-P-O-R-T-U-N-I-T-Y for those who exploit vulnerabilities for fun, financial gain, or other, more nefarious, purposes. If you thought we would get a reprieve, with fewer phishing emails or ransomware becoming a thing of the past, that is unlikely to happen. If anything, the shift to a new normal is likely to increase the number of attacks and the costs associated with cybercrime, which are expected to reach $10.5 trillion USD annually by 2025, according to Cybersecurity Ventures.
Not convinced? Have you ever tried thinking like a hacker?
Remote vs. Office Work
Prior to the pandemic, 11 percent of the workforce worked remotely, according to a survey by Willis Towers Watson, the global company “that helps clients around the world turn risk into a path for growth”. As of February 2021, 57 percent of the workforce was still working remotely, and employers were expecting 37 percent would continue to be working remotely by the end of 2021, according to the survey.
While the projected shift back to the office for 20 percent of the workforce may mean that some companies will no longer need to support remote workers, the more plausible scenario is that employees will spend some of the work week in the office and the balance working remotely. From a risk standpoint, this means fewer vulnerabilities, right?
Not necessarily. The pivot to remote work introduced security issues, and the pivot back to the office, or to a hybrid model, is sure to introduce them as well.
For starters, the equipment that has been sitting in offices and not used during the past year poses a problem. Desktop PCs, printers, copiers, and even devices such as DVRs may have been powered down before the lights were turned off and the last person left the building to work from home. Without routine maintenance, like firmware and software updates, these devices will be vulnerable to attack once they are powered on and put back into service.
Next, normal behavior patterns were disrupted: when working remotely, we may only need to migrate from a bedroom to a kitchen for coffee and then to a home office each morning. As we begin to work elsewhere, devices will be more vulnerable physically. When someone isn’t used to hauling something around, like a laptop, it may be easier to leave it behind, or to forget it is in a vehicle and leave a door unlocked, especially if the local gas station and grocery store have been the only places the vehicle has been driven in a year.
Likewise, as a new normal takes hold, despite best efforts, we may find ourselves busier than ever and trying to make up for lost time. Whether we call it information overload, overwhelm, or simply distraction is of little consequence since the effects will be the same. Rather than reading an entire email, we might give it a split-second glance and click on a link.
In fact, that’s what scammers/hackers will be counting on! It will be easier to conduct Business Email Compromise (BEC) attacks – to spear phish or use social engineering to gain access to an account or impersonate someone in the C-suite – if employees don’t know who is working where on a given day or are distracted. For reference, in 2020, IC3 received 19,369 BEC/EAC (Email Account Compromise) complaints. The adjusted losses totaled more than $1.8 million.
Vacations and Vaccines
Similarly, it’s safe to conclude phishing attacks that were prevalent before the pandemic will resume and increase. Take attacks aimed at travel, for example. During the pandemic, when flights were cancelled and travel was restricted, it would have been difficult at best to target someone with a travel certificate, free trip, or “grandparent” travel scam. That’s likely to change soon since, according to TripAdvisor, over two-thirds of Americans are planning to travel this summer, and American tourists will be able to visit the European Union if they’ve been fully vaccinated against COVID-19, according to The New York Times.
And, of course, as long as the coronavirus continues to cause infections, there will be scammers who use the Internet to offer up cures and to sell fake vaccines, the opportunity to skip the line to schedule vaccination appointments, or fraudulent vaccination cards.