On January 13th, the Cybersecurity and Infrastructure Security Agency (CISA) published a report highlighting an increase in successful phishing attacks exploiting cybersecurity weaknesses of remote and distributed teams. Successful attacks gave hackers access to companies’ cloud services via both personal and corporate devices.
These types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services. Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks. – CISA
According to the report, the cyberattacks involved phishing to obtain employee passwords, brute-force login attempts to see whether a compromised password also granted access to other accounts, and “pass-the-cookie” attacks. In this third kind of attack, a hacker who has already obtained an employee’s credentials through phishing reuses the browser’s authenticated session cookie to reach additional accounts, so the multifactor authentication step is never prompted.
Once hackers gain access to one employee account, they are then able to send phishing emails to other employees and set up inbox rules to automatically forward emails with specific keywords (commonly finance-related terms) directly to the hacker’s account.
According to CISA, the activity and information reported was not explicitly tied to any one threat actor or known to be specifically associated with the security threats attributed to the SolarWinds incident.
What can your business do?
The shift to remote work has forced companies to change how they think about their security. Not only is more work being done on personal devices (and more personal activity on work devices), the majority of employees (70%) believe it is their employer’s responsibility to make sure their accounts aren’t hacked or breached. Add the facts that more than 80% of corporate breaches are password-related and that more than two-thirds of employees reuse passwords across personal and business accounts, and it is no surprise that bad actors have begun taking advantage of organizations that are ill-prepared for the shifting landscape of remote work.
Thankfully, there are many tangible actions businesses of any size can take. Here are a few CISA recommends:
Educate and train employees
Most employees have roles that are not focused on corporate security, so it is understandable that most do not think about their role in keeping the company secure. However, IT and security teams can’t succeed without the help of the larger company.
- Conduct phishing training: Phishing is one of the most common techniques used by cybercriminals; according to a study by the Ponemon Institute, more than half of businesses reported experiencing a phishing attack in the past year. Not every phishing scam is as obvious as a celebrity emailing you to ask for a loan they promise to repay, so the best way to prepare your organization is to conduct an internal phishing test and provide easily digestible guidance on how to spot phishing attempts.
- Foster a sense of shared ownership: According to an IBM report, the average data breach costs a company nearly $4M. Not only does that have financial consequences for a business, it also can damage your company’s reputation and hurt future business prospects. It’s important to encourage security best practices and help employees understand their role in keeping the company secure.
Enact new policies and provide tools to make policies easy to follow
While educating employees and enacting new policies are important steps to take, you also need to provide employees tools to make these new policies easy to follow. Dashlane helps businesses address many of the recommendations made by CISA, including getting employees to:
- Stop typing passwords: The most common phishing technique CISA observed involved tricking people into entering their credentials on a fraudulent site. However, if you are using a password manager such as Dashlane, which autofills passwords only on the site a credential was saved for, you never have to worry about typing a password into the wrong place: a lookalike domain simply gets nothing. Additionally, we are building new anti-phishing messaging across our mobile apps and web experience to help users avoid phishing attempts.
- Use a strong, unique password for every account: According to CISA, the first thing hackers often did after getting access to an employee account was try those same login details on a host of other websites. This tactic, known as credential stuffing, takes advantage of the fact that 70% of employees reuse passwords for multiple accounts. With Dashlane, you can easily generate, save, and autofill secure, random, and unique passwords for every account while enjoying the convenience of only needing to remember your one Master Password.
- Use two-factor authentication (2FA) on all accounts: Two-factor authentication requires users to provide an additional form of authentication on top of their password. The most common form is a six-digit code via email, text message, or an authenticator app. In the scenario where a password is compromised, a hacker would be unable to access your account without the 2FA code. With Dashlane, you can enable, store, and autofill 2FA codes all through the app. Additionally, you can share 2FA codes when you share passwords in the app, so employees no longer need to chase down their colleague who may have received a text message or email.
- Stop using work passwords for personal accounts: Employees with poor security hygiene in their personal lives are unlikely to suddenly adhere to best practices at work. It is important to both foster an internal culture that recognizes the importance of security and to provide employees with tools that help them build good habits for personal and professional accounts. Thanks to Dashlane’s Smart Spaces and easy offboarding, when employees leave your company, you can be confident they are not leaving with sensitive company credentials.
CISA also recommends reviewing your company’s email forwarding rules. CISA observed that after accessing company accounts, hackers set up email forwarding rules keyed on specific words, such as finance-related terms, so that matching messages were silently copied to an address they controlled. The best way to avoid a situation like this is to restrict automatic forwarding to email addresses outside of your organization and to periodically audit the inbox rules that already exist. The step-by-step instructions will vary depending on the email service your company uses.
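Whatever the mail platform, the audit itself reduces to the same checks: does a rule forward outside the organization, is it keyed on finance terms, and does it delete or hide what it forwards. The following is an added example, not CISA’s or Dashlane’s tooling, that runs those checks over a constructed set of inbox rules. The rule layout (`conditions` and `actions` dictionaries), the domain list and the keyword list are assumptions; a real deployment would export rules from the mail service’s admin API into this shape.

```python
# Constructed sample rules (assumption: a generic conditions/actions layout,
# not any one provider's exact schema).
SAMPLE_RULES = [
    {"owner": "alice@example.com", "name": "Invoices",
     "conditions": {"subject_contains": ["invoice", "wire transfer"]},
     "actions": {"forward_to": ["collect@mail-drop.example.net"], "delete": True}},
    {"owner": "bob@example.com", "name": "Team list",
     "conditions": {"from": ["list@example.com"]},
     "actions": {"move_to_folder": "Lists"}},
    {"owner": "carol@example.com", "name": "Backup",
     "conditions": {},
     "actions": {"forward_to": ["carol.backup@example.com"]}},
]

INTERNAL_DOMAINS = {"example.com"}          # assumed: your own mail domains
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "payroll", "transfer", "ach"}


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the recipient domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def audit_rule(rule: dict) -> list:
    """Return the list of suspicious traits found on one inbox rule."""
    findings = []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})

    external = [a for a in actions.get("forward_to", []) if is_external(a)]
    if external:
        findings.append("forwards externally to " + ", ".join(external))

    keywords = [k.lower() for k in
                conds.get("subject_contains", []) + conds.get("body_contains", [])]
    hits = sorted({k for k in keywords if any(t in k for t in FINANCE_TERMS)})
    if hits:
        findings.append("matches finance keywords: " + ", ".join(hits))

    if actions.get("delete") and actions.get("forward_to"):
        findings.append("forwards then deletes (hides the traffic from the mailbox owner)")
    return findings


def severity(findings: list) -> str:
    """External forwarding is the decisive trait; the other two raise it to high."""
    if not findings:
        return "none"
    if any(f.startswith("forwards externally") for f in findings):
        return "high" if len(findings) > 1 else "medium"
    return "low"


def audit(rules: list) -> dict:
    """Map 'owner:rule name' to (severity, findings) for every flagged rule."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["owner"] + ":" + rule["name"]] = (severity(findings), findings)
    return report


if __name__ == "__main__":
    for key, (sev, findings) in audit(SAMPLE_RULES).items():
        print(f"[{sev}] {key}")
        for f in findings:
            print("   -", f)
```

Run this against a fresh export whenever an account is suspected of compromise and on a schedule otherwise; the rule that only forwards internally (Carol's) is deliberately not flagged, which keeps the report short enough that someone reads it.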
For many, this report will evoke one of two feelings: immediate stress, or, on the other hand, a misguided sense that it could never happen to them or their business. Fortunately, the barriers to improving your company’s security hygiene are low. Employees expect employers to provide security tools, and businesses must protect their data and their brand from bad actors. One of the easiest first steps? Getting a password manager.
For more information, check out our e-book How to Safeguard Sensitive Data for Businesses.