Cyber attacks are big business for fraudsters, and frontline workers – 80% of the global workforce* – are a ripe target.
It’s a common scenario in retail, healthcare, manufacturing, and logistics: a worker walks up to a computer that is already logged in, or alternatively, asks a co-worker “What is the login?”
Then they jump in to get their task done. Their activity, and everyone else’s, is recorded as “PEC 9 North Wing Team” or “Warehouse,” not in their name.
Without their own network identity, they can’t have a company email account, so they log into their personal email to send some customer information to another coworker, or type it into the personal messaging app on their phone.
“Can you get Psychiatry CL to see Jane Jones 9 North bed 6 URN 9551389 today – pt has been a patient for 74 days with recurrent infection/spine surgery and was desperate to go home.”
This is fake information, but if it makes you uncomfortable reading it, keep in mind that this kind of potentially disastrous information sharing via personal apps happens every day in many settings.
Although this may be well-intentioned, sharing access and using personal applications puts organizations at great risk, whether through a violation of privacy regulations or reputational damage.
There are also often high costs to address security breaches if an attacker exploits the leaked information, with highly paid consultants parachuting in for forensic analysis of what happened.
Employees may not even know they are doing the wrong thing by emailing sensitive company information to another coworker on a personal email system, but even if the company wants to stop that, it can be hard to determine who is doing it.
However, the biggest concern is that employees are left unprotected against social engineering attacks when they use a mixture of different personal apps to communicate.
Corporate email and messaging apps are built with layers of anti-spam and anti-phishing machine learning systems, but personal apps may have only the most rudimentary protection against spam, if any at all.
The cost of security breaches on the front lines
The May 2021 ransomware attack on the Colonial Pipeline in the United States was the result of a single leaked username and password combination.
The company paid the attackers more than $6 million (US$4.4 million) in ransom in exchange for a key to decrypt the encrypted servers and for not publishing 100 gigabytes of stolen data.
However, this was a fraction of the $8 billion cost of shutting down the entire pipeline – responsible for delivering 45% of the fuel to the US East Coast – for several days, and the massive security response from outside consultants needed to re-secure the entire system.
It disrupted flight schedules with airports running out of fuel and prompted President Biden to declare an emergency to allow more fuel than usual to be transported by road freight.
Closer to home, several Australian health networks have been hit by ransomware as well, causing elective surgery services to be canceled and productivity to be disrupted across hospitals as staff reverted to maintaining patient records entirely manually.
A worker at a water facility in Florida who noticed a mouse pointer moving across his screen wasn’t alarmed at first, as he believed it was his boss using TeamViewer remote control software to fix things on his computer.
Fortunately, he noticed the mouse pointer adjusting NaOH levels from 100ppm to 11100ppm at the waterworks. At these levels, the water would have damaged human tissue and flowed from thousands of nearby taps within 24-36 hours. It turned out that his TeamViewer login credentials had been hacked and it was an intruder making the modifications.
Securing frontline workers
There are solutions now to make securing the front lines easier. Here are four main recommendations from Google:
#1 Train, drill and train again
Frontline workers aren’t always in constant contact with other workers, so they don’t necessarily benefit from hearing about the new types of security attacks the company sees. So, proactive cybersecurity awareness training for frontline workers is the first thing every organization should do. Training should also include regular drills, such as phishing simulation exercises, to identify which employees to target with further training.
#2 Give everyone an identity
It is a false economy to believe that it is cheaper for frontline workers to share network identities. If they do not have a unique identity, they will not have company email, which means they will be using their own personal email platforms. These will not be protected by sophisticated systems that guard against social engineering attacks. It only takes one successful phishing attack, one that tricks an employee into typing a shared network credential into a fake login page. The company would then have an intruder in the network, using shared credentials used by many other workers, making it difficult to detect the intrusion and see what happened.
#3 Provision hardware properly
Many frontline workers will use their own consumer devices. If they are performing work activities on such a device without a management system, it presents a huge risk of data loss, whether through unsecured applications or through device loss. You must have a device management system that can secure business information even within the employee’s personal device. If the device is lost, you will be able to erase work information without affecting the employee’s family photo library.
#4 Use second factor authentication
Companies are starting to use SMS-based second factor authentication, and this is better than nothing. However, attackers are sophisticated and have become adept at obtaining SMS-based codes. This can be either through social engineering (“Hey, it’s IT… I’m about to send you a code to verify this call before discussing it with you…”) or through moving the mobile service to a different SIM. What we really need is hardware-based 2FA – a security key that can be plugged into a laptop or phone, or even just kept nearby and detected through NFC. These solutions are now inexpensive and easy to deploy, and most importantly, even if an attacker gets a username and password, they won’t be able to log in because there is no way to simulate the hardware key.
How Google can help
Google has decades of experience in detecting and preventing attacks on its own infrastructure, which is done automatically through sophisticated machine learning and artificial intelligence. This experience can help your organization, too.
Gmail – now part of Google Workspace – automatically blocks 99.99% of incoming spam and phishing attacks (100 million phishing attacks per day). Not a single customer enrolled in Google’s Advanced Protection Program has been successfully phished. Google Phishing Protection can detect new URLs used for phishing attacks before they are manually reported by anyone, due to Google’s ability to analyze websites and determine their intent.
Google’s BeyondCorp allows employees to work safely from anywhere, without first connecting to a VPN, using a hardware key for strong authentication that is highly resistant to any known forms of simulation or practical attack.
Google’s Cloud Identity lets organizations quickly and easily provide users with network identities, with automatic provisioning of the Google Workspace suite of services, along with other critical ecosystem applications such as Slack, Docusign, and many others.
Google’s Endpoint Management allows Google Pixel devices to integrate seamlessly with Google Cloud Identity and to sandbox work applications and information so that they can be managed by the company, without affecting the user’s personal applications and information. It also works with Windows 10, Android, and iPhone/iPad devices.
Google’s new Work Safer initiative brings together the Google Workspace, BeyondCorp, Cloud Identity, Data Loss Prevention and Endpoint Management suite of applications, helping take the guesswork out of purchasing a comprehensive security solution, even for organizations without in-house expertise.
It also includes reCAPTCHA to protect your corporate website from bots and malicious users and Google Chrome Enterprise to provide consistent browser security across the enterprise, regardless of the type of device that is being used.
Organizations can also choose to manage their own encryption keys for Google Workspace, which means that Google cannot access these organizations’ documents or see the contents of any data that travels between our facilities. It’s an important feature for health care, for example, which must meet very high standards of privacy and security for patient data.
Google Drive has fine-grained controls for administrators to determine which users, or groups of users, can share data with third parties, while Google Workspace as a whole has an advanced data loss prevention feature that can automatically stop files containing sensitive data from being shared (where there are Medicare customer numbers or bank account details, for example).
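A sketch of the kind of content check a data loss prevention rule can apply to the Medicare numbers mentioned above, as an added example that is not Google's implementation or part of the original article: candidate digit runs are confirmed against the Medicare card check digit before sharing is blocked, which keeps phone numbers and order references from triggering the rule. The function names and sample messages are constructed for illustration.

```python
import re

# Weights for the first eight digits of an Australian Medicare card number;
# the weighted sum modulo 10 must equal the ninth digit (the check digit).
WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)

# 10 digits, or 11 when the individual reference number is appended,
# optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){9,10}(?!\d)")


def is_medicare_number(digits):
    """Return True when the digits have a valid first digit and check digit."""
    if len(digits) not in (10, 11) or digits[0] not in "23456":
        return False
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS))
    return total % 10 == int(digits[8])


def find_medicare_numbers(text):
    """Return every checksum-valid Medicare number found in free text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if is_medicare_number(digits):
            hits.append(digits)
    return hits


def sharing_decision(text):
    """Hypothetical policy hook: block outbound content holding a valid number."""
    return "block" if find_medicare_numbers(text) else "allow"


# Constructed sample messages (2123 45670 1 is a made-up, checksum-valid value).
SAMPLES = [
    "Pt Medicare 2123 45670 1, please book follow-up",  # valid -> block
    "Call the ward on 0412 345 678 after 3pm",           # phone number -> allow
    "Order ref 2123-45671-1 shipped",                    # bad check digit -> allow
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sharing_decision(sample), "|", sample)
```

A rule like this only catches identifiers it has a pattern for; free-text clinical details such as the sample message earlier in the article need other controls.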
Learn more about securing frontline workers with Google.
* The rise of the officeless workforce, 2018, http://desklessworkforce2018.com/