Today’s remote workforce a target for cybercriminals

Joe Carrigan, a senior security engineer at Johns Hopkins University, said that one of the best ways to thwart cyberattacks is to implement an identity-based security model that focuses on authenticating a user’s identity to allow access. (Submitted photo)

When the world shut down in March 2020 and companies sent their workers home, opportunities for cybercriminals multiplied.

Nearly two years later, as the pandemic stretches into its third year, cyber threats against a dispersed Maryland workforce continue, targeting small businesses, corporations and families alike — and the threat is growing.

“These last 18 months have been the busiest I’ve ever been, identity-theft-wise,” said Jeff Karberg, director of the Maryland attorney general’s Identity Theft Unit.

Cyberattacks have been on the rise in Maryland for years.

In 2013, there were about 15 breaches per month, Karberg said, adding that the number increased every year, reaching an average of 107 breaches per month in 2020.

Cybersecurity threats are by no means unique to Maryland. Last year, a ransomware attack on the Colonial Pipeline, which carries gasoline and jet fuel mainly to the southeastern U.S., led to a panic-fueled gas shortage. Also last year, the meat processing company JBS suffered a security breach that temporarily shut down some operations in the U.S., Canada and Australia.

The switch to remote work has created a multitude of new opportunities for criminals, said Jonathan Katz, a professor of computer science at the University of Maryland.

Nowadays employees share computers with family members and conduct business from coffee shops or cafes with a range of security settings, Katz pointed out, adding that a dispersed workforce also means companies have less control over what their employees browse or search for during work hours. In addition, he said, many establishments have been forced to open up their firewalls to allow employees remote access to data.

Experts point to a range of scams: Scammers can fake an IT desk or impersonate a credit card company or an Amazon support center. Fraudulent retail, employment and romance scams are also on the rise, as people look for new jobs and deal with loneliness. Rising interest in cryptocurrencies and investing is leading to more cryptocurrency and NFT (non-fungible token) scams promising investors a hefty payout.

Criminals have long used phishing scams — in which cybercriminals impersonate legitimate organizations through email or text — to steal data. Phishing remains one of the most common cybercrimes, along with malware attacks.

“These people are not stupid,” Joe Carrigan, a senior security engineer at Johns Hopkins University, said of cyber criminals. “They’re actually quite clever.”

One of the best ways to thwart attacks is to implement an identity-based security model, which focuses on authenticating a user’s identity to allow access to data, he said.

Over the years, companies have implemented multifactor authentication systems to verify their workers’ identities. The method often involves sending a one-time passcode to an individual’s smartphone. The best version is a hardware-based system, though an SMS model is better than nothing, Carrigan said.

But companies should beware of complicated systems, experts say. Requiring employees to remember difficult passwords could lead to security nightmares like a password scrawled on a sticky note stuck to a laptop. Employees may also find it cumbersome to carry around their phone, which is necessary for multifactor authentication.

“You can always make a system more secure,” Katz said. “But there’s often pushback from users, who will either complain about using these systems or come up with ways of circumventing them.”

Companies are realizing they need to invest in cybersecurity, as recent acquisitions from major technology giants show, said Brian Kime, vice president of intelligence, strategy and advisory at ZeroFox, a Baltimore-based cybersecurity company.

Last year, Microsoft reportedly shelled out more than $500 million for RiskIQ, a cloud security company. Google confirmed last month that it had acquired an Israeli cybersecurity startup called Siemplify for $500 million.

The best way to prevent an attack is to rely on the people you trust, Carrigan said: “When somebody says, ‘I think that might be a scam,’ that’s where you need to wake up and pay attention.”