SALEM — Offices across the state are reopening as coronavirus cases decline, but people, out of concern for their safety, are still opting to work from home.
That poses a challenging problem for companies trying to keep their data and networks secure amid a remote workforce, according to Andy Sauer, director of cybersecurity at Steel Root, a cybersecurity and IT services company in Salem.
Located on Front Street, Steel Root has more than a dozen employees. In the spring the company was busy warning businesses of potential threats from both independent and nation-state cyber criminals trying to exploit telecommuters.
Steel Root co-founder and managing partner Ryan Heidorn said most companies were not prepared for the shift to a remote workforce at the start of the pandemic. Small companies were especially at risk, he said.
"The problem of cybersecurity and who is at risk mimics COVID-19 itself," said Heidorn, who was recently named to the board of directors of the National Defense Industrial Association New England, and who teaches cybersecurity at Endicott College.
Even with offices reopening as COVID-19 cases in the state have waned, "the subject is still top of mind," Heidorn said,
"The complexities introduced by the pandemic are realities we have to deal with," he said.
With many companies extending work-at-home policies through the end of the year, many workers may be plugging away on their home computers or personal laptops instead of work-issued ones. They may be working over a home network or on one in a cafe, making security a challenge.
Cybersecurity became a topic early in the pandemic due to "Zoom bombing," in which pranksters were able to hijack a video conference run on the now popular video conferencing app, Zoom, before the company addressed those issues.
Sauer said these incidents, while high profile, were mostly innocuous. It's the less visible attacks, ones that may not become apparent for weeks or months, that are the threat.
The problem, Sauer said, is that companies have built their IT security based on the office, using firewalls and defenses with one gate in.
Now, a company's crown jewels, its propriety company data, are sitting on home computers or personal devices outside the castle walls.
Education is key
Cybersecurity came up in May during a virtual meeting on the reopening held by the North Shore Chamber of Commerce.
"It's been an environment that's been ripe for the bad guys to take advantage of fear, take advantage of misinformation, and manipulate that in a way that they get the user to do things that they normally wouldn't do," said David Gravel, founder, president and CEO of the Peabody IT consulting firm, GraVoc Associates.
"The key to most of it is ... user education," Gravel said.
While big businesses have specialists who worry about IT security, many small businesses look at security as "nice to have but not necessary to have. And I think now, people have to look at security as a have to have," Gravel said.
The key is educating employees about cyber threats. Gravel said ransomware attacks, in which a hacker takes control of someone's device and requires a ransom to free it, have been on the rise.
"Those occur relatively easily because people are buying things remotely," said Gravel. Users click on what they think is a link to track a package and the next thing they know, their network is infected.
"The criminal has what he wants," Gravel said. "He doesn't have your money, but he has your data, and as a result, you are willing to pay for that data unnecessarily."
Small businesses also have to update their IT infrastructure.
"In the 800 calls we got in the first week to push people remote," Gravel said, "we were underwhelmed at the level of equipment that was out there."
They found inexpensive equipment such as firewalls were eight or nine years old, leaving companies relatively wide open. There was also no pre-planning involved as to whether employees could use their own equipment or the company's. Many employees were working on early-age Windows products "that have no security protection whatsoever," Gravel said.
For employees, security awareness training is key, Heidorn said.
"Some of the protective measures that were in place in your office are not in place at home," he said.
Sauer said there has been a "behavioral shift" among those working at home which malicious actors are trying to exploit. Workers at home may be less aware of potential cyber threats, and less willing to call to the IT department if they have a problem. With their guard down, they may unwittingly accept a phishing attack which can open up a company to be hacked.