Cyber attacks are big business for scammers, and frontline workers – 80% of the global workforce* – are a ripe target.
It’s a common scenario, played out in retail, healthcare, manufacturing and logistics: a worker uses a computer that’s been left logged in, or asks a coworker ‘what’s the login?’
Then they jump on to get their task done. Their activity – and everyone else’s – is logged as “Ward 9 North PEC team” or “Warehouse”, not by their name.
Without a network identity of their own, they can’t have a company email account, so they log on to their personal email to send some customer information to another coworker, or type it into a personal messenger app on their phone.
“Can you get Psychiatry CL to see Jane Jones 9 North bed 6 URN 9551389 today — pt has been inpatient for 74 days with recurrent infections / spinal surgery and has been feeling hopeless about her return home.”
That’s dummy information, but if it made you uncomfortable reading it, consider that this kind of potentially calamitous information sharing over personal apps happens every day in many settings.
Although this may be well-meaning, sharing of access and use of personal apps puts organisations at enormous risk, both of breaching privacy regulations and reputational damage.
Remediating a breach is also often hugely expensive if an attacker takes advantage of leaked information, as highly paid consultants are parachuted in to forensically analyse what happened.
Employees may not even know they’re doing the wrong thing by emailing sensitive company information to another coworker on a personal email system, but even if a company wants to stop it, it may be hard to determine who is doing it.
Of greatest concern, though, is that staff are left unprotected against social engineering attacks when they’re using a patchwork of different personal apps to communicate.
Corporate messaging and email apps are designed with layers of machine learning anti-spam and anti-phishing systems, but personal apps may only have the most rudimentary protection against unsolicited contact, if any.
The cost of frontline security breaches
A ransomware attack in May 2021 on the Colonial Pipeline in the USA was the result of a single leaked username and password combination.
The company paid over $6 million ($US4.4M) in ransom to the attackers for the key to decrypt the encrypted servers and not publish 100GB of stolen data.
However, this was a tiny fraction of the cost of halting its entire $8 billion pipeline operation – responsible for delivering 45% of fuel to the East Coast of the United States – for several days, and the enormous security response from external consultants needed to re-secure the whole system.
It disrupted flight schedules as airports ran low on fuel and prompted President Biden to declare a State of Emergency to allow more fuel than usual to be carried by road freight.
Closer to home, several Australian health networks have been subject to ransomware attacks as well, causing cancellation of elective surgery services and crippling hospital throughput as staff reverted to fully manual patient record keeping.
A plant operator at a water utility in Florida who noticed his mouse cursor moving on his screen wasn’t initially alarmed when he saw what he thought was his boss using TeamViewer remote control software to fix things on his computer.
Luckily, he noticed the mouse cursor adjusting the levels of sodium hydroxide from 100 parts per million to 11,100 parts per million in the water plant. At those levels, the water would have damaged human tissue and flowed out of thousands of neighbourhood taps within 24-36 hours. It turned out his TeamViewer login credentials had been compromised and it was an intruder making the adjustments.
Securing frontline workers
Solutions now exist to make securing the frontline easier. Here are four key recommendations from Google:
#1 Train, drill and train again
Frontline workers aren’t always in constant contact with other workers, so they don’t necessarily have the benefit of hearing about new types of security attacks that the company is seeing. So, proactive cyber security awareness training of frontline workers is the first thing every organisation should be doing. Training should also include regular drill activities to put workers through simulated phishing exercises, for example, to see which staff need to be targeted with more training.
#2 Give everyone an identity
It’s a false economy to think it’s cheaper for frontline workers to share network identities. If they don’t have a unique identity, they can’t have email, which means they will be using their own personal email platforms. These won’t be protected by sophisticated systems guarding against social engineering attacks. It only takes one phishing attack to work, tricking an employee into typing one of the shared network credentials into a fake login page. The company will then have an intruder in the network, using a shared credential that many other workers are using, making it harder to detect and see what has happened.
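One way to surface the shared-identity problem from sign-in logs, as an added example that is not part of the original post (the log format, account names and 30-minute session window are constructed assumptions): an account in use from several source addresses inside one session window is almost certainly a shared credential, and that is also why an intruder using it is so hard to pick out.

```python
"""Flag a shared login in use from several places at once.

Added example, not from the original post: reads constructed sign-in records
(timestamp, account, source IP) and reports any account with overlapping
sessions from more than one source IP, the signature of a shared credential.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: ISO timestamp, account, source IP.
SAMPLE_LOG = """\
2021-05-03T08:01:12 warehouse 10.1.4.20
2021-05-03T08:03:40 warehouse 10.1.4.21
2021-05-03T08:05:09 j.smith 10.1.7.5
2021-05-03T08:07:55 warehouse 10.1.4.22
2021-05-03T09:40:00 j.smith 10.1.7.5
2021-05-03T12:15:30 warehouse 10.1.4.20
"""

SESSION_WINDOW = timedelta(minutes=30)  # assumed session length

def parse_log(text):
    """Return (datetime, account, ip) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    return events

def concurrent_sources(events, window=SESSION_WINDOW):
    """Map account -> set of source IPs used within one session window.
    Only accounts seen from two or more distinct IPs inside the window are
    returned; a personal identity rarely does this, a shared login does.
    """
    by_account = defaultdict(list)
    for ts, account, ip in sorted(events):
        by_account[account].append((ts, ip))
    flagged = {}
    for account, sessions in by_account.items():
        for i, (ts, ip) in enumerate(sessions):
            others = {ip2 for ts2, ip2 in sessions[i + 1:]
                      if ts2 - ts <= window and ip2 != ip}
            if others:
                flagged.setdefault(account, set()).update(others | {ip})
    return flagged

if __name__ == "__main__":
    for account, ips in concurrent_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: concurrent use from {sorted(ips)}")
```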
#3 Provision devices correctly
Many frontline workers will be using their own consumer devices. If they are conducting work activities on that device without a management system, that’s a huge risk of data loss, both through insecure applications and through device loss. You need to have a device management system in place that can secure the work information even within an employee’s personal device. If the device is lost, you’ll be able to wipe the work information without affecting the employee’s family photo library.
#4 Use second factor authentication
Companies have started using SMS-based second factor authentication, and that is better than nothing. However, attackers are sophisticated and becoming accustomed to getting access to SMS-based codes. This can either be through social engineering (“Hi, it’s IT… I’m about to send you a code to verify this call before I discuss the matter with you…”) or through porting a mobile service to a different SIM card. What’s really needed is hardware-based 2FA – a security key that can plug into a laptop or phone, or even just be held near it and detected through NFC. These solutions are now inexpensive, easy to deploy, and importantly, even if an attacker gets a username and password, they won’t be able to log in because there’s no way to emulate the hardware token.
How Google can help
Google has decades of experience in detecting and blocking attacks on its own infrastructure, automated through sophisticated machine learning and artificial intelligence. That experience can help your organisation too.
Gmail – now part of Google Workspace – automatically blocks 99.99% of inbound spam and phishing attacks (100 million phishing attacks daily). Google hasn’t been made aware of a single customer participating in Google’s Advanced Protection Program that has been successfully phished. Google’s phishing protection can detect new URLs being used for phishing attacks before they’ve been manually reported by anyone, due to Google’s ability to parse websites and determine intent.
Google BeyondCorp allows employees to work safely from anywhere, without first connecting to a VPN, using a hardware key for robust authentication that is highly resistant to any known forms of emulation or practical attack.
Google Cloud Identity allows users to be provisioned with network identities quickly and easily, with automatic provisioning of the Google Workspace suite of services, along with other important ecosystem apps like Slack, Docusign and many others.
Google Endpoint Management allows Google Pixel devices to be seamlessly integrated with Google Cloud Identity to sandbox work apps and information so they can be managed by the company, without affecting a user’s personal apps and information. It also manages Windows 10, Android and iPhone/iPad devices.
Google’s new Work Safer initiative brings together the Google Workspace suite of applications with BeyondCorp, Cloud Identity, Data Loss Prevention and Endpoint Management, helping take the guesswork out of purchasing a comprehensive security solution, even for organisations without in-house expertise.
It also includes reCAPTCHA to protect your company website from bots and malicious users and Google Chrome Enterprise to provide consistent browser security across the enterprise, no matter what type of device is being used.
Organisations can also choose to manage their own encryption keys for their Google Workspace, which means Google can’t access these organisations’ documents or see the contents of any data moving between our facilities. It’s an important feature for healthcare, for example, which has to meet very high standards of privacy and security around patient data.
Google Drive has fine-grained control for administrators to set which users, or groups of users, can share data with external parties, while Google Workspace as a whole has advanced Data Loss Prevention which can automatically stop files with sensitive data in them from being shared (where there are customers’ Medicare numbers or bank account details, for example).
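As an added example (not Google Workspace’s DLP engine, and not code from the original post), a minimal DLP-style detector for the Medicare-number case above: it finds candidate 10-digit Medicare card numbers in text and validates the Medicare check digit, so a rule that blocks external sharing fires only on numbers that pass the checksum rather than on every 10-digit string. The sample document and its numbers are constructed.

```python
"""DLP-style detector for Australian Medicare card numbers.

Added example, not code from Google Workspace or the original post: scans
text for 10-digit Medicare card numbers and keeps only those whose check
digit validates, so a share-blocking policy has fewer false positives.
"""
import re

# Weights applied to the first eight digits; the ninth digit is the check digit.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

# Matches the printed 4-5-1 grouping (spaces optional); first digit is 2-6.
MEDICARE_RE = re.compile(r"\b([2-6]\d{3})\s?(\d{5})\s?(\d)\b")

def medicare_check_digit(first_eight):
    """Return the expected ninth digit for the first eight digits."""
    return sum(w * int(d) for w, d in zip(MEDICARE_WEIGHTS, first_eight)) % 10

def is_valid_medicare(number):
    """True if a 10-digit Medicare card number has a valid check digit."""
    digits = re.sub(r"\s", "", number)
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    return medicare_check_digit(digits[:8]) == int(digits[8])

def find_medicare_numbers(text):
    """Return the validated Medicare numbers found in text, spacing removed."""
    found = []
    for match in MEDICARE_RE.finditer(text):
        candidate = "".join(match.groups())
        if is_valid_medicare(candidate):
            found.append(candidate)
    return found

def should_block_share(text):
    """Policy decision: block external sharing if any valid number is present."""
    return bool(find_medicare_numbers(text))

SAMPLE_DOCUMENT = (  # constructed; only the first number passes the checksum
    "Referral for J. Citizen, Medicare 2123 45670 1, please forward.\n"
    "Old card 2123 45671 1 was cancelled. Ticket 9551389 raised."
)

if __name__ == "__main__":
    print(find_medicare_numbers(SAMPLE_DOCUMENT))  # ['2123456701']
    print(should_block_share(SAMPLE_DOCUMENT))     # True
```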
Learn more about securing your frontline workers with Google.
* Rise of the Deskless Workforce, 2018, http://desklessworkforce2018.com/