Securing the front-line
The increasing number of cyber attacks on companies in recent years has fueled a growing interest in cybersecurity, especially for frontline workers. This article highlights the costs of such attacks, potential solutions and how you can equip your employees with the right tools to keep data secure.
Cyber attacks are big business for scammers, and frontline workers – 80% of the global workforce* – are a ripe target.
It’s a common scenario, played out in retail, healthcare, manufacturing, logistics… a worker uses a computer that’s left logged in, or alternatively, asks a coworker ‘what’s the login?’
Then they jump on to get their task done. Their activity – and everyone else’s – is logged as “Ward 9 North PEC team” or “Warehouse”, not by their name.
Without a network identity of their own, they can’t have a company email account, so they log on to their personal email to send some customer information to another coworker, or type it into a personal messenger app on their phone.
“Can you get Psychiatry CL to see Jane Jones 9 North bed 6 URN 9551389 today — pt has been inpatient for 74 days with recurrent infections / spinal surgery and has been feeling hopeless about her return home.”
That’s dummy information, but if it made you uncomfortable reading it, consider that this kind of potentially calamitous information sharing over personal apps happens every day in many settings.
Although this may be well-meaning, sharing of access and use of personal apps puts organisations at enormous risk, both of breaching privacy regulations and of reputational damage.
There are also often huge costs of remediating security breaches if an attacker takes advantage of leaked information, as highly paid consultants are parachuted in to forensically analyse what happened.
Employees may not even know they’re doing the wrong thing by emailing sensitive company information to another coworker on a personal email system, but even if a company wants to stop it, it may be hard to determine who is doing it.
Of greatest concern, though, is that staff are left unprotected against social engineering attacks when they’re using a patchwork of different personal apps to communicate.
Corporate messaging and email apps are designed with layers of machine learning anti-spam and anti-phishing systems, but personal apps may have only the most rudimentary protection against unsolicited contact, if any.
The cost of frontline security breaches
A ransomware attack in May 2021 on the Colonial Pipeline in the USA was the result of a single leaked username and password combination.
The company paid over $6 million ($US4.4M) in ransom to the attackers for the key to decrypt its encrypted servers and for the attackers not to publish 100GB of stolen data.
However, this was a tiny fraction of the cost of halting its entire $8 billion pipeline operation – responsible for delivering 45% of fuel to the East Coast of the United States – for several days, and the enormous security response from external consultants needed to re-secure the whole system.
It disrupted flight schedules as airports ran low on fuel and prompted President Biden to declare a State of Emergency to allow more fuel than usual to be carried by road freight.
Several Australian health networks have been subject to ransomware attacks as well, causing cancellation of elective surgery services and crippling hospital throughput as staff reverted to fully manual patient record keeping.
A plant operator at a water utility in Florida who noticed his mouse cursor moving on his screen wasn’t initially alarmed when he saw what he thought was his boss using TeamViewer remote control software to fix things on his computer.
Luckily, he noticed the mouse cursor adjusting the levels of sodium hydroxide from 100 parts per million to 11,100 parts per million in the water plant. At those levels, the water would have damaged human tissue and flowed out of thousands of neighbourhood taps within 24-36 hours. It turned out his TeamViewer login credentials had been compromised and it was an intruder making the adjustments.
Securing frontline workers
Solutions now exist to make securing the frontline easier. Here are four key recommendations from Google:
#1 Train, drill and train again
Frontline workers aren’t always in constant contact with other workers, so they don’t necessarily have the benefit of hearing about new types of security attacks that the company is seeing. So, proactive cyber security awareness training of frontline workers is the first thing every organisation should be doing. Training should also include regular drill activities to put workers through simulated phishing exercises, for example, to see which staff need to be targeted with more training.
#2 Give everyone an identity
It’s a false economy to think it’s cheaper for frontline workers to share network identities. If they don’t have a unique identity, they can’t have email, which means they will be using their own personal email platforms. These won’t be protected by sophisticated systems guarding against social engineering attacks. It only takes one phishing attack to work, tricking an employee into typing one of the shared network credentials into a fake login page. The company will then have an intruder in the network, using a shared credential that many other workers are using, making it harder to detect the intrusion and see what has happened.
#3 Provision devices correctly
Many frontline workers will be using their own consumer devices. If they are conducting work activities on that device without a management system, that’s a huge risk of data loss, both through insecure applications and through device loss. You need to have a device management system in place that can secure the work information even within an employee’s personal device. If the device is lost, you’ll be able to wipe the work information without affecting the employee’s family photo library.
#4 Use second factor authentication
Companies have started using SMS-based second factor authentication, and that is better than nothing. However, attackers are sophisticated and are becoming accustomed to getting access to SMS-based codes. This can be either through social engineering (“Hi, it’s IT… I’m about to send you a code to verify this call before I discuss the matter with you…”) or through porting a mobile service to a different SIM card. What’s really needed is hardware-based 2FA – a security key that can plug into a laptop or phone, or even just be held near it and detected through NFC. These solutions are now inexpensive and easy to deploy, and importantly, even if an attacker gets a username and password, they won’t be able to log in because there’s no way to emulate the hardware token.
* Rise of the Deskless Workforce, 2018, http://desklessworkforce2018.com/