There are many dangers in using free or public Wi-Fi. However, digitisation brings a rapidly growing remote workforce, and most companies feel helpless as their cybersecurity becomes a directly impacted area of concern. Employers need to adapt existing strategies to avoid modern threats such as malware, credential theft and data/IP theft, and to give those working outside the office environment the same standard of safe internet connectivity as those working within an office ecosystem. Firms must stay connected.
Using Public Wi-Fi From The Airport Business Class Lounge?
Imagine a scenario where you are a UK-based business representative; perhaps your name is Harper. You regularly fly between London and Manchester. On this occasion, you must deliver a weighty pitch to a potential customer in your company’s office in Manchester. You have already passed security clearance and are waiting to board, as you have on hundreds of flights before. Customer service informs you that your flight is expected to be delayed by one hour. You intended to finish your presentation upon return, in the comfort of the office. However, your arrival at the meeting itself is now at risk, and the delay means you will not have time to make final iterations to the pitch.
You do not want to lose this opportunity for your company. Therefore, resourceful and determined as ever, you decide to finalise the presentation on your laptop in the airport business class lounge while you wait. Unfortunately for you, you stored the file in company cloud storage, and company files aren’t synchronised to your laptop because you favoured storage space. In a fluster, you connect your devices to the available network “London Free Wi-Fi” and mindlessly risk company data in pursuit of a stable internet connection. Your presentation might indeed impress a potential customer, but the risk you have taken is a costly mistake.
Need Access To The Company Cloud Web Portal Without A Virtual Private Network (VPN)?
You open a new web browser and visit your company’s web portal. To gain access to company cloud storage and the file you need, you enter your corporate login details and click ‘download’. Altogether unaware, you have risked company data and committed your second cybersecurity faux pas of the day.
With a stable connection and the file in your possession, you recall a bill owed to you for expense claims last week. Not one to sit on a query and in a time-appropriate position to enquire, you log into your bank account and ensure reimbursement. Once satisfied, you log out. That was mistake number three.
Minutes pass. The PA announces further delays, your flight included: another thirty minutes at least. Making the most of the time at hand, you finish your presentation and take pride in the effort you have put into the final result.
Do You Reupload Files To The Company Cloud Network?
Since you do not need to make any further changes, you upload the revised copy of your presentation to the company cloud storage before rewarding yourself with a Starbucks caramel latte and salted caramel brownie. This small upload brings your tally of mistakes for the day to four. As you finish your coffee, the gates open, so you board your plane in a timely fashion and arrive in Manchester an hour later.
After baggage collection, you hail a taxi to the office. En route, you call ahead to inform reception of your ETA. You finally reach the office gates but find your debit card not working as expected. You have tried paying for your journey via chip and PIN and contactless. Still, your debit card has declined the £20 payment twice. Confused, you utter, “That’s not right! I checked before boarding”, knowing your account should have upwards of £1000. Pressed for time, you pay with your credit card and make a diary note to contact the bank after your meeting.
What A Cyber Attack Looks Like Across All Company Cloud Networks
You arrive a few minutes before your potential customers and prepare for them in the boardroom. You connect your laptop to the network and open the presentation (mistake number five). After a quick run-through, you are still happy with the changes you made in the departure lounge. Janet from reception calls to inform you that your guests have arrived. You greet them in reception to guide them to the boardroom and begin the pitch. Everything appears to be going well – your prospects are impressed. That is, until about thirty minutes into discussions when suddenly your laptop freezes. With a captive audience, your screen is taken hostage by an unwarranted image. The message is clear: your system and files have become encrypted. You must reach out to an unknown email address to negotiate the cost of decrypting your files.
The same message starts to appear across all company devices in the Manchester office. A few minutes later, via the private VPN connecting the company's sites, all company devices receive the message and all company files become encrypted and inaccessible. The meeting ends abruptly and, as can be expected, the likelihood of the prospects doing business with the company is minimal to zero.
Cyber Security: Knowledge Is Power
This scenario had an issue that escalated rapidly. Were you aware of the mistakes Harper made as they occurred? Could you relate? To clarify and compare solutions, let us isolate each human error, discuss what happened and identify what Harper didn’t foresee happening.
Mistake number one – connecting to the free Wi-Fi. Malicious actors often set up fake networks that imitate the free Wi-Fi offered by official providers, so that they can collect and capture traffic transmitted by anyone who opts to use the service. Harper, like countless others before, connected to one such network, giving a malicious actor a gateway to commit data theft. Harper’s second mistake was logging into the company’s corporate network via the employee portal. In doing this, Harper provided the malicious actor with otherwise unknown login credentials to the company cloud platform.
In a similar vein, Harper logged into a personal bank account, giving the malicious actor the login details for that account too. This was mistake number three. As a result, when Harper attempted to pay for the taxi outside the office, the card was declined. A notice of insufficient funds in a bank account is often a first warning sign that data theft has occurred. For this reason, many online banks let customers freeze their accounts from a mobile phone. It is probable that while Harper flew from London to Manchester, the malicious actor transferred the total account balance into an offshore account. To avoid being caught, many attackers transfer stolen funds multiple times, across borders and through currency conversions. Stolen funds converted into a cryptocurrency such as bitcoin are likely then transferred between different bitcoin wallets or saving pots. One could say that, at this juncture, the stolen money is irrecoverable.
In the fourth mistake, Harper uploaded the edited file to company cloud storage. Doing this enabled the malicious actor to download and modify the file, embed ransomware in it, and reupload it to company cloud storage. This was made possible by the stolen credentials Harper provided when accessing the company cloud.
By reconnecting to the corporate network in the Manchester office boardroom to deliver the presentation as intended, Harper unknowingly committed mistake number five. Once the connection was established, the ransomware was activated and gained access to the entire company cloud network across multiple sites. By mid-presentation, the attackers’ malware had already encrypted a range of company files to hold hostage as leverage. Connecting to free Wi-Fi at an airport cost Harper’s company time, money, reputation, and the potential profits from clients it never onboarded.
“Well-intentioned employees who know substantial amounts can fall prey to malicious attacks in pursuit of excellence”
The scenario presented is a worst case, but it is easy to envision how well-intentioned employees who know substantial amounts can fall prey to malicious attacks in pursuit of excellence. The attacker often needs only minimal effort once they have a gateway to the data. As shown in the example, Harper unintentionally provided the virtual keys to the network.
You might cite negligence on Harper’s part as the root cause of the fiasco. Technically, had Harper been aware of the risk of data theft, company data would have remained secure, and so would the prospects. However, that negligence was most likely the result of improper training provided by the company. A company owes a duty of care, in its own interest, to deliver cyber awareness training to all employees. With proper training, Harper might have delegated the workload in good time, removing the risk factor. Alternatively, Harper may have connected to free Wi-Fi regardless, holding full accountability, with a sound understanding of all potential consequences. Empowering Harper might have resulted in a profitable contract for the company.
Many businesses have cloud computing security issues in the structure of their network. By investing in future-proof antivirus/IDS/IPS operations and keeping working threat management procedures in place, a company could prevent or mitigate the effects of criminal malware and stop it from spreading internally throughout the organisation and its partner networks, avoiding the exposure that comes with weakened security infrastructure.
Attackers often scan networks to gain access to connected devices. These devices enable them to steal data, spread viruses, or monitor device activity/history for more lucrative information.