A Major Security Gap In Duty Of Care Of CEOs And Board Directors?
Last week, I wrote an article on cybersecurity on my Forbes Channel, and it was the highest-read blog article since I started writing for Forbes. This post examines cybersecurity through the increased realities of working at home, which have made security operations more complex. Security focus is now turning to how we all connect and gain access, with identity control technologies at the top of the list of cybersecurity risks, as more entry points equal more risks.
Cloud security is a major area of focus in the data protection sector, and many are now discussing the increased risks of the home office, as companies may need to understand all the technology enablements in their employees’ home offices.
A few key questions to reflect upon: what are the risks of having multiple users in a home accessing the same network, and what is the impact on its community bandwidth or on the risk of being hacked? How far into people’s homes does our responsibility to protect our corporate assets go?
The laws protect personal privacy in our homes but do our laws need to change given our new realities?
With Covid-19, the majority of companies are rethinking their expensive leased office space, as next to employee income, office space is one of the largest operating expenses of a company. As commercial real estate investments shift, the reach of corporate security policies is extending to examine an employee’s home infrastructure and understand the risks that home offices may pose, as more permanent work-from-home space is not going away anytime soon.
Here are a few sobering reality checks. One in four executives already have malware on their home personal devices. This means that cybersecurity extends far beyond the enterprise. We now have a digitally integrated life, and suddenly the weak, soft underbelly for cybersecurity professionals is our home office space.
So what can you do to protect yourselves?
BlackCloak offers a cybersecurity service for executives’ at-home technology. Why attack a central bank’s network, when you can attack the CFO’s daughter’s iPad at home? According to BlackCloak, an average of 27 percent of their new clients have malware detected on their personal devices, and 20 percent have wide-open home networks that allow adversaries to see into their cameras, home automation, and IoT devices. In addition, 75% of the companies whose home footprints they look at have over 75% security risks exposed due to improper security settings or to passwords being exposed and made freely available on the Dark Deep Web.
Adversaries being able to peer into my home cameras on my personal computers, how creepy is this?
Since this risk is real, the odds are that over 90% of small businesses are in high-risk security zones and 70% of mid-sized companies are at risk, while 30% of larger enterprises are working hard to get the softer underbellies of their home office space under greater control.
The attack surface of a company is exposed every time an employee works remotely from home and in the COVID new normal – that is almost every single day.
Prevailion is another early stage innovative company which offers secure monitoring services to patrol a company’s network and all its connections. So security officers in all companies have to accelerate looking at the broader footprints or attack risk surfaces that could cause a security breach from home office spaces. Prevailion empowers companies to audit and continuously monitor the security of their supply chains to an unprecedented degree, with the possibility of even predicting future breaches based on this real-time intelligence.
Keeping track of all the IP addresses with access to a company’s infrastructure has many security experts starting to worry, as the perimeter to monitor has in many cases grown 1000x; in many companies, no employees are working in the secure office towers.
The need to lock down company assets and devices increases every time an executive works remotely. Yet how many board directors’ or CEOs’ home computers have recently been inspected by third-party security experts? With Covid-19, all of a sudden homes are no longer off limits, as CEOs must think harder about how to protect their digital assets beyond their company’s four walls.
Yet most cybersecurity IT budgets globally are not focused proportionately enough on employees’ home security practices.
Just reflect and answer this question: what percentage of your corporate cybersecurity budget has shifted to personal home office security services as an additional safety, privacy and security benefit to your employees? Do you know the answer as a CEO or as a Board Director? If not, why not?
Do you remember the movie Patriot Games, when the terrorists tried to kill the main character, Jack Ryan? Rather than try to kill him in his CIA office, they targeted his beach home instead, where access was much easier. Although it is a bleak picture to think about our homes as higher-risk targets, it’s imperative to modernize our digital security footprint, based on my research.
Below are three questions to expose a few vulnerabilities that you can personally reflect upon in terms of your own home office set-up:
1.) Do you have anti-virus software implemented on all your home personal devices and is it in a unified protective home digital footprint?
2.) Have you ever had a third party examine all your default security settings to ensure you are not vulnerable?
3.) Where do you store your personal passwords? Are they on a Post-it note visible in your office, or written down in a notebook in your office?
Research validates that these are all high-risk exposure areas. For example, over 90% of C-level executives are not using dual factor authentication for their personal emails. Increasingly, more documents are being sent through Gmail and LinkedIn accounts, which also increases risk if they are stolen or shared.
In the cybersecurity blog on AI that I wrote last week, I discussed how fast the bad actors/hackers are innovating using AI methods, and that every day they are finding new ways to innovate. The 2020 M-Trends report, produced by FireEye, also stated that over 41 percent of the malware deployed in 2019 was never seen before. The hackers are always innovating and hence we need to keep a tighter focus on protecting our employee and company assets.
So where do you think the hackers are likely putting their attention now, given Covid-19 realities? It is safe to say that your homes are now likely higher targets in the abusers’ minds.
So companies that are investing in innovative home security solutions that leverage AI methods and integrate into the company’s bigger perimeter vision, with increasing cybersecurity budgets, must now include their employees’ personal homes among the top risk concerns that board directors and CEOs carry as a duty of care responsibility.
But how much of the conversation is about the home office space and its continued risks post Covid-19? There is no question that the return to the office, as we know it, will be a shadow of its former self.
So it’s time to prepare and to ensure your organization is further protected from the risks of increased teleworking and home office access.
The USA Cybersecurity and Infrastructure Security Agency (CISA) released a formal statement, just after Covid-19 intensified to rain upon all of our doorsteps, on the heightened need for cybersecurity considerations regarding telework; it offers guidance to help executives plan better for operational risks. Some of the considerations raised were:
- As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
- As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
For more guidance, refer to this report at the USA Homeland Security Office.
Hence, as we all advance forward into The Decade of the Home, or The Home Economy, depending on which phrase you prefer, it’s now time to accelerate preparing new cybersecurity policies, practices and investments that extend to protect our home office spaces. What we can all be assured of is that Artificial Intelligence (AI) methods will be front and center in helping all of us continue to crack hackers’ malicious code and vulnerability risks. This is where Trusted AI for Good comes into play, as all the world’s toughest problems require advanced forms of man and machine working together, as our digital footprints increasingly extend beyond our office doors.