{"id":7245,"date":"2022-09-13T13:49:33","date_gmt":"2022-09-13T17:49:33","guid":{"rendered":"https:\/\/joindeleteme.com\/blog\/?p=7245"},"modified":"2024-10-10T17:03:47","modified_gmt":"2024-10-10T21:03:47","slug":"operational-security-and-remote-work-the-role-of-employees-and-their-pii","status":"publish","type":"b2b-post","link":"https:\/\/joindeleteme.com\/business\/blog\/operational-security-and-remote-work-the-role-of-employees-and-their-pii\/","title":{"rendered":"Operational Security And Remote Work: The Role of Employees and Their PII"},"content":{"rendered":"\n<div class=\"wp-block-rank-math-toc-block uk-card-default uk-padding\" style=\"font-size:16px\" id=\"rank-math-toc\"><h4>Table of Contents<\/h4><nav><ul><li><a href=\"#remote-work-highlights-human-attack-vectors\">Remote Work Highlights Human Attack Vectors<\/a><\/li><li><a href=\"#as-a-result-professional-opsec-is-becoming-more-important\">As a Result, Professional OPSEC Is Becoming More Important\u00a0<\/a><\/li><li><a href=\"#employees-still-behave-as-if-they-are-working-in-an-office\">Employees Still Behave As If They Are Working In an Office<\/a><\/li><li><a href=\"#surface-web-pii-is-also-a-threat\">Surface Web PII Is Also a Threat<\/a><\/li><li><a href=\"#every-organization-needs-a-professional-opsec-policy\">Every Organization Needs a Professional OPSEC Policy<\/a><\/li><li><a href=\"#protecting-your-business-in-a-new-remote-work-reality\">Protecting Your Business In a New Remote Work Reality<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>Whatever way you look at it, the move to remote and hybrid working has not been good for corporate cybersecurity. 
But the most dangerous threats from shifting workplace locations are not necessarily the most obvious ones.<\/p>\n\n\n\n<p>In a recent webinar, <a href=\"https:\/\/www.groupsense.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">GroupSense<\/a> CEO Kurtis Minder and DeleteMe CEO Rob Shavell spoke about the surprising operational security challenges facing remote and hybrid organizations. Here are five essential takeaways from the webinar. If your company has switched to fully remote or hybrid work, understanding them is crucial for maintaining operational security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"remote-work-highlights-human-attack-vectors\">Remote Work Highlights Human Attack Vectors<\/h2>\n\n\n\n<p>According to Verizon\u2019s <a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\" target=\"_blank\" rel=\"noopener\">Data Breach Investigation Report 2022<\/a>, the \u201chuman element\u201d was present in 82% of breaches last year.&nbsp;<\/p>\n\n\n\n<p>Whether through mistake or malice, humans have always been the biggest enablers of network breaches. Now, the rise of working from anywhere has amplified the risk of employees inadvertently letting threat actors into corporate networks even further.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"as-a-result-professional-opsec-is-becoming-more-important\">As a Result, Professional OPSEC Is Becoming More Important&nbsp;<\/h2>\n\n\n\n<p>Operational Security, or OPSEC for short, is a process designed to stop sensitive information from ending up in the wrong hands. There are three important categories of OPSEC:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cyber OPSEC. <\/strong>This involves IT\/security teams denying critical information to potential adversaries by performing actions like encrypting drives, implementing zero trust, etc.&nbsp;<\/li>\n\n\n\n<li><strong>Personal digital OPSEC. 
<\/strong>This refers to how employees behave online as individuals, i.e., do they overshare on social media or post selfies that could put them and their organizations at risk?<\/li>\n\n\n\n<li><strong>Professional OPSEC. <\/strong>This refers to employees safeguarding their company\u2019s data in every possible way and scenario.<\/li>\n<\/ul>\n\n\n\n<p>With the explosion of remote work, professional OPSEC has become critical. However, many companies haven\u2019t yet recognized how remote working has removed old guardrails, or the risky behavior their employees are engaging in outside traditional office spaces.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"employees-still-behave-as-if-they-are-working-in-an-office\">Employees Still Behave As If They Are Working In an Office<\/h2>\n\n\n\n<p>When employees were working from the office, it was relatively safe for them to talk about sensitive information like corporate finances, intellectual property, special projects, and customer names. Presumably, everyone in the office worked there and had signed a confidentiality agreement. Outsiders were unlikely to glean sensitive corporate information and use it for nefarious purposes.&nbsp;<\/p>\n\n\n\n<p>This is no longer the case. As employees work from home, co-working spaces, hotels, and even airports, it has become increasingly easy for bad actors to overhear or see data that can be used to carry out attacks.&nbsp;<\/p>\n\n\n\n<p>There are several ways this might happen:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Someone might overhear an employee\u2019s work conversation at an airport. If their laptop is visible and has an asset tag, they can find the employee on LinkedIn. As a result, they can easily figure out where the employee works and with whom, and they already have some context from the conversation they just overheard. At this point, they can create an effective phishing campaign. 
A few years ago, Graham Murphy, product manager at the Law Society, wrote about how he <a href=\"https:\/\/www.lawsociety.org.uk\/topics\/blogs\/overheard-on-a-train-how-i-could-have-ransomed-a-law-firm\" target=\"_blank\" rel=\"noopener\">could have ransomed a law firm<\/a> based on a conversation he overheard on a train.<br><\/li>\n\n\n\n<li>An employee at a co-working space might print sensitive and\/or confidential documents on a shared printer but neglect to collect them immediately. The next person to use the printer may or may not intercept these documents.&nbsp;<br><\/li>\n\n\n\n<li>A worker may inadvertently share their entire screen when presenting on Zoom, unaware that they\u2019re giving away valuable information like the kind of operating system they\u2019re using, what apps they have, and where they\u2019re located. Cybersecurity professionals have warned companies that threat actors are hacking into Zoom and Team meetings to <a href=\"https:\/\/www.worklife.news\/technology\/fraudsters-are-hacking-zoom-and-team-meetings-to-eavesdrop-on-sensitive-commercial-information-and-scam-employees\/\" target=\"_blank\" rel=\"noopener\">eavesdrop on sensitive information<\/a>.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"surface-web-pii-is-also-a-threat\">Surface Web PII Is Also a Threat<\/h2>\n\n\n\n<p>Even if employees are cautious about what they do and say in public spaces, that alone may not be enough to keep their companies safe. 
The proliferation of data brokers means that threat actors don\u2019t need to overhear someone\u2019s work conversation or spot their laptop asset tag to successfully socially engineer them.&nbsp;<\/p>\n\n\n\n<p>Data brokers are companies that aggregate information on individuals from a variety of sources and then turn this data into detailed dossiers, which they sell to third parties, sometimes for as little as $0.99.&nbsp;<\/p>\n\n\n\n<p>The information that data brokers process and correlate can be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Corporate:<\/strong> where an employee works, who they work for, their work email address and phone number, etc.<\/li>\n\n\n\n<li><strong>Personal:<\/strong> the employee\u2019s home address, who their family members are, etc.<\/li>\n<\/ul>\n\n\n\n<p>Most profiles include a mixture of corporate and personal data and are remarkably easy to find. Because they exist on the open web, all it takes is a quick Google search to find data on an employee&#8217;s personal and professional lives.&nbsp;<\/p>\n\n\n\n<p>Scarily, the information these companies have on employees is getting more detailed. As we spend more of our lives online, data brokers can scrape and aggregate more information about us than ever. For instance, in 2019, we found an average of 200-220 pieces of personally identifiable information per DeleteMe customer on data broker sites. Today, that number is closer to 450. And in the next few years, we expect it to hit around 1,000.&nbsp;<\/p>\n\n\n\n<p>Although we\u2019ve long suspected that cybercriminals use data brokers to carry out attacks, we now have proof. 
Leaked chat logs show how the notorious <a href=\"https:\/\/joindeleteme.com\/business\/blog\/the-time-is-now-to-limit-russian-hacker-access-to-pii\/\" data-type=\"URL\" data-id=\"https:\/\/joindeleteme.com\/blog\/the-time-is-now-to-limit-russian-hacker-access-to-pii\/\">ransomware gang Conti<\/a> uses data brokers like ZoomInfo and SignalHire to find names and contact information for important individuals they may want to target, as well as contacts to \u201cname drop.\u201d&nbsp;<\/p>\n\n\n\n<p>Hackers may sometimes also use employees\u2019 family members\u2019 information to sneak their way into corporate networks. In the recent Twilio phishing attack, threat actors used home and work phone numbers of not only employees but also <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/08\/phishers-breach-twilio-and-target-cloudflare-using-workers-home-numbers\/\" target=\"_blank\" rel=\"noopener\">their family members<\/a>.&nbsp;<\/p>\n\n\n\n<p>Besides social engineering, attackers may also use data broker information in password cracking attacks (<a href=\"https:\/\/www.comparitech.com\/blog\/information-security\/password-statistics\/\" target=\"_blank\" rel=\"noopener\">many people<\/a> use their name, birth date, or the name of their pet, spouse, or kids as their passwords or answers to security questions) or spoofing campaigns.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"every-organization-needs-a-professional-opsec-policy\">Every Organization Needs a Professional OPSEC Policy<\/h2>\n\n\n\n<p>Ideally, every organization today should have a professional OPSEC policy. There are two key steps to creating one:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"identify-what-who-youre-trying-to-protect\">Identify what\/who you\u2019re trying to protect<\/h3>\n\n\n\n<p>This could be specific assets or people. In the case of assets, figure out what processes, for example, access control, are needed to protect them. 
When it comes to people, determine who is most at risk, i.e., executives, financial controllers, etc., from having their PII available on the open web.&nbsp;<\/p>\n\n\n\n<p>However, while you may want to start with the riskiest people, there\u2019s no way of knowing who cybercriminals might target. For example, if a state-sponsored actor were to attack a government agency, they probably wouldn\u2019t attack the agency itself but rather secondary\/tertiary suppliers to that agency. And in the Twilio attack, hackers went after employees\u2019 family members, not just employees themselves.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"understand-the-environment-your-employees-are-operating-in\">Understand the environment your employees are operating in<\/h3>\n\n\n\n<p>The threats facing work-from-home employees differ from those facing staff at a physical office. For instance, because many remote workers <a href=\"https:\/\/www.securitymagazine.com\/articles\/95746-of-employees-still-use-their-personal-computers-for-work-as-hybrid-landscape-intensifies-enterprise-cyber-threat\" target=\"_blank\" rel=\"noopener\">use personal laptops<\/a>, malware attached to a phishing email that targets them personally could infect their entire corporate network.&nbsp;<\/p>\n\n\n\n<p>As a result, it is crucial that organizations understand their employees\u2019 operational environment and create educational programs that are aligned with them as well as with the things they\u2019re trying to protect.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protecting-your-business-in-a-new-remote-work-reality\">Protecting Your Business In a New Remote Work Reality<\/h2>\n\n\n\n<p>Remote work has changed how people work. Outside the physical walls of an office, employees are not only more likely to accidentally divulge confidential information to strangers that may later be used for nefarious purposes. 
They are also more likely to carelessly click on a phishing email\u2014especially if it is embellished with personal information and appears to come from a trustworthy source.&nbsp;<\/p>\n\n\n\n<p>Unfortunately, as our lives have become progressively more digital, the amount of personal data available about us on the surface web has also grown. This is great news for cybercriminals, who increasingly use employee PII to hack into corporate networks. But it\u2019s disastrous for organizations because traditional cybersecurity measures are no longer enough to stop the bad guys from getting in.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Whatever way you look at it, the move to remote and hybrid working has not been good for corporate cybersecurity. But the most dangerous threats from shifting workplace locations are not necessarily the most obvious ones. In a recent webinar, GroupSense CEO Kurtis Minder and DeleteMe CEO Rob Shavell spoke about the surprising operational security 
[&hellip;]<\/p>\n","protected":false},"author":16,"featured_media":7246,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"b2b-category":[45],"class_list":["post-7245","b2b-post","type-b2b-post","status-publish","format-standard","has-post-thumbnail","hentry","b2b-category-resources"],"acf":[],"_links":{"self":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/7245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post"}],"about":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/types\/b2b-post"}],"author":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/users\/16"}],"version-history":[{"count":0,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-post\/7245\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media\/7246"}],"wp:attachment":[{"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/media?parent=7245"}],"wp:term":[{"taxonomy":"b2b-category","embeddable":true,"href":"https:\/\/joindeleteme.com\/wp-json\/wp\/v2\/b2b-category?post=7245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}