Equifax Inc. had spent years working to repair its reputation after a massive data breach when lockdown orders meant office workers around the world had to start working from home this spring.
With most of its 11,000-plus employees scattered far from the company’s security team, the credit rating agency couldn’t afford a repeat of the painful 2017 breach, in which cybercriminals accessed Social Security numbers, addresses, drivers-license information and other details of about 150 million Americans.
Work-from-home requirements have magnified cybersecurity threats for practically every company, whose data now must traverse Wi-Fi networks with passwords named after the family dog while workers share devices with teenagers taking classes on Zoom or playing Fortnite with their friends.
In an effort to protect its most sensitive information, Equifax gave customer-support agents laptops with software designed to detect suspicious activity that could expose information or give hackers a way into the company’s computer network. Those employees normally work in restricted call centers and typically weren’t allowed to work from home, said Jamil Farshchi, the company’s chief information security officer.
Security researchers have warned that hackers are targeting employees doing business from their new, makeshift workplaces, using techniques such as scam emails that pretend to be videoconference invitations but that actually steal network credentials.
Technology, health-care and financial companies aren’t the only ones under siege. With around half the U.S. workforce working remotely, according to a June study from the National Bureau of Economic Research, even companies like Kraft-Heinz Co. are experiencing an uptick in attempts on their networks.
Before the pandemic, some firms tracked thousands, even millions of threats a day. As soon as workers headed home, companies started seeing attacks surge.
“In the course of [the first] two weeks, we saw orders-of-magnitude increases in our alerts,” said John Masserini, who leads cybersecurity for telecommunications operator Millicom International Cellular SA. “We watched our security operations center light up.”
Most attacks are beaten back, but not all. Twitter Inc. saw hackers take over the accounts of several prominent users, including former President Barack Obama and musician Kanye West, after tricking Twitter employees into sharing administrative information. Hackers have breached suppliers for financial services firms such as Freddie Mac and disrupted operations at hospitals in the U.S. and Europe.
The FBI, as of May 28, had received around 320,000 complaints of internet crime, a senior official told the Senate Judiciary Committee in June—nearly double the rate for the prior year. A Secret Service official told the same hearing that he expects over $30 billion in stimulus funds will end up being pilfered through scams, many of them cyberattacks. Intelligence agencies in the U.S. and Europe warn that companies are prime targets for government-sponsored hackers going after corporate secrets, especially coronavirus research, and have accused China and Russia of backing these attacks. Beijing and the Kremlin deny involvement.
So far during the pandemic, Kraft-Heinz has observed a jump of 10% to 15% in attempted email attacks, said Ricardo Lafosse, head of cybersecurity. In recent weeks, hackers adopted new tactics, making fraudulent phone calls to the company’s support center. They pose as employees or suppliers to gather information that could help them launch more sophisticated attacks in the future, he said. Hackers use tactics such as calling the help desk and pretending to be an employee who is locked out of an account, or a supplier who needs to confirm account credentials to process payment, he added.
“We had a large influx of remote users,” Mr. Lafosse said. “That really opened the opportunity for malicious attackers to start banging against the door to see what would stick.”
The shifting spread of the virus complicates corporate security. Companies that straddle international borders have to keep up with which employees must work remotely and which can go to the office as governments issue and rescind restrictions, said Mr. Masserini, the security chief at Millicom, the telecommunications firm, which provides mobile phone services in Latin America and Africa.
“It actually impacted us first here in Miami, and then as [the virus] propagated through Latin America, you had one country that would all of a sudden be working from home and then the country right next to it would not,” he said. As offices closed, Mr. Masserini worked with Millicom’s technology department to equip employees, in some cases telling them to take company computers with them or use their personal machines at home.
Nasdaq Inc. watched email traffic swell by 35% after almost all of its 4,500 employees went home in March, said Lou Modano, the stock-exchange operator’s head of cybersecurity. Mixed with the email surge have been hacker ploys that play on Covid-19 fears or solicit charitable donations, he said. Some hackers pose as equipment suppliers, requesting payments.
Potential vulnerabilities are alarmingly widespread. About 53% of people working remotely conduct company business on personal laptops, which often lack safeguards that many employers provide, such as firewalls and antivirus software, according to research from International Business Machines Corp. Equally alarming to security chiefs, 29% of remote workers said they let kids and other family members use their work laptops for online shopping and gaming, potentially exposing them to viruses, according to a survey from cybersecurity firm CyberArk Software.
At Equifax, security-monitoring tools had been tuned to recognize employees’ habits at the office, such as when someone typically logs into email and which computer they use. “You’re used to your network traffic being in your network offices. You know what Monday at 10 a.m. looks like,” said Bryson Koehler, Equifax’s chief technology officer. “We upended all of that.”
Companies learned which alerts signal legitimate security problems and which point to new work patterns. Highmark Health, a nonprofit health-care company based in Pittsburgh, didn’t have the technology needed to support all roughly 35,000 employees on its network at once, so it split nonmedical staff into day and nighttime shifts—a step companies in several industries have been forced to take. That means time of day for network activity isn’t the obvious indicator of suspicious behavior it once was, said security chief Omar Khawaja.
The company reset security monitoring tools to more heavily weight factors such as multiple authorization attempts from the same internet address that try different user credentials. “In the past, we looked at people excessively working off-hours because maybe something malicious was happening,” Mr. Khawaja said. “But rules changed.”
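The kind of rule described above, sketched as an added example that is not from the article or from any company's tooling: it ignores time of day and flags a source address whose failed logins span many accounts in a short window. The event format, the four-account threshold and the ten-minute window are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
# Addresses are from documentation ranges (RFC 5737); usernames are made up.
EVENTS = [
    ("2020-06-01T02:10:00", "198.51.100.7", "nshift.worker", "success"),  # night shift
    ("2020-06-01T02:40:00", "198.51.100.7", "nshift.worker", "failure"),  # one typo
    ("2020-06-01T10:00:05", "203.0.113.50", "alice", "failure"),
    ("2020-06-01T10:00:40", "203.0.113.50", "bob", "failure"),
    ("2020-06-01T10:01:15", "203.0.113.50", "carol", "failure"),
    ("2020-06-01T10:02:30", "203.0.113.50", "dave", "failure"),
    ("2020-06-01T10:03:00", "192.0.2.10", "erin", "failure"),
    ("2020-06-01T10:03:20", "192.0.2.10", "erin", "failure"),  # same user retrying
]

def flag_multi_user_sources(events, min_users=4, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames} for sources whose failed logins hit at
    least `min_users` distinct accounts inside one sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "failure":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the left edge until the span fits inside the window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in flag_multi_user_sources(EVENTS).items():
        print(f"{ip}: failed logins for {len(users)} accounts: {', '.join(users)}")
```

The off-hours login and the single user retrying a password are not flagged; only the address cycling through four accounts is. Addresses shared by many legitimate users, such as a VPN gateway or carrier NAT, need a higher threshold or an allowlist before a rule like this is used for alerting.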
Battling attacks during the pandemic has also reinforced a basic security lesson, executives say. No matter how a hacker tries to infiltrate a company’s systems, an individual worker can be the strongest—or weakest—link.
“No matter what we do with our tools,” Nasdaq’s Mr. Modano said, “the employee is always the first line of defense.”
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.