Hi, I'm Tom Field with Information Security Media Group. Pleasure to be talking today with Phil Reitinger. He's the president and CEO of the Global Cyber Alliance, and we're talking about the response to COVID-19, the coronavirus, and securing the remote workforce. Phil, glad to catch you today.
Presumably working remotely. I am, Tom, like not only the majority of Americans, but people around the world. I'm in my home office. So you have had the responsibility of being the CISO in the public sector, in the private sector, both.
You've got a unique perspective. We now have the greatest remote workforce we have ever seen. How does this motivate the adversary? Well, I'm not sure that, Tom, that I'd say it motivates the adversary, but it offers a slew of new opportunities.
And if there's one thing we know about cyber adversaries, is they're adaptive and reactive. When an incident happens that doesn't involve remote work, you see the attackers moving very quickly to launch phishing campaigns around an ordinary threat or a humanitarian disaster. What COVID-19 gives the adversaries is an opportunity both to phish, to sort of weaponize the desire for information, and at the same time, a new set of opportunities to target. With all of these people working remotely, you know, they're now working maybe from computers at home, but maybe from personal computers at home, maybe not work computers.
And there's an opportunity to invade home networks and move laterally on those devices. So the fact that we are remote, the fact that more devices need to be protected, and the fact that since we're not all in the same place, organizations that are used to having, you know, 10,000 square feet, you know, you can't go down and talk to the CFO about whether this is a business email compromise scam or not. You know, it's all the communications that are subject to hackers. You make several good points here.
We've got the remote workforce. We've got potentially unsecured networks. We've got connected devices that likely haven't been patched. Given this broad landscape, what are the threats that most concern you?
I would say the threat that most concerns me is the same as what it was before, and that's phishing. You know, it's the way in for the vast majority of attacks, particularly including the phishing attacks that then lead to ransomware on small businesses. It's over 90%. I can't give you the exact figure, but it's over 90% of the attacks that come through.
And so I think we need to really double down on phishing and think about how in this distributed work-from-home environment, can we make sure that we're as resilient as possible? So you better have people, if they see something, say something, if it's via instant messaging, by email, however. Yeah, see something, say something is really important. A lot of people like to say that your workforce is your greatest weakness.
I'd like to say that, you know, your workforce is your greatest strength. They're an opportunity. They're a sensor network that can find people trying to attack you. And if you're counting on them to not click on any phishing link, then I've got a bridge in Brooklyn I want to sell you.
Phil, the good news is we've got more people than ever talking about securing the remote workplace. But despite the conversation, what are the vulnerabilities you find typically overlooked by organizations? You know, the vulnerabilities aren't that different. The big vulnerabilities are still not patching systems.
I think there's one that is really called out in this environment, and that's the need to use multi-factor authentication. You know, all touching of computers is really action at a distance, right? Because, you know, it's some processor somewhere, even if your fingers are actually on the keyboard. But where you're not in the network anymore, you know, some businesses are used to controlling access because, you know, you've got to get in.
You've got to get physical access to the device on the network. And those barriers don't exist anymore. They've got to be replaced with something. And so when you're talking about customer information, when you're talking about critical information, the vulnerabilities around authentication of users and, I mean, it just emphasizes what happens with cloud anyway.
Authentication of access to cloud resources means that you have to pay really close attention to that. So the Global Cyber Alliance this week has released five specific recommendations for working remotely, working securely. I've seen these well published over social media. Go down through the five for me, please.
I'm actually, for most people, going to limit it to three. I'll talk about all of them. But I think there are three things that workforce that workers and employers absolutely need to do. One is what I said, patch your systems.
And it's not just patch your work laptop at home. Make sure your router at home is fully up to speed. If there are other devices on your network, make sure they're patched as well to give you the best protected surface area possible. The second is what I just mentioned, that you really need to use multi-factor authentication.
So many of the services that you're already using, you know, a lot of people use Office 365 or use Gmail, G Suite or other cloud-based email services. Most of those sorts of services, you can turn on two-factor authentication by checking a box. And so that would be something that is not that hard to do and would be a super significant additional layer of security. The other thing that I'd suggest, and I'm focusing on things that are super easy to do, is to use a protective DNS service.
You know, all you have to do is go into the settings on your device and set up so it uses a protective DNS service like Cloud9. It can be done in literally one or two minutes. And it provides a substantial additional barrier for attackers to go through. So that won't completely protect you, but if you do those three things, you'll do a lot.
I'll suggest there are a couple more things. So the best idea, as we all know, is to stay at home. You know, and if you need a coffee, then you make your coffee pot. But some people are going to Starbucks.
Some people need to get around and get out and do stuff for a while. If you do that, sit away from other people and do a couple of things. One, be really aware of physical security. It's very easy for somebody to walk by and grab your laptop or walk away with your phone if you're just distracted for a second.
You know, it's really fun if you, everybody's on the Internet, right? Go to the City of London Police Twitter account and look at the videos they've got of scooter theft where people are driving by and just grabbing cell phones out of your hands as they go through the streets of London on scooters. It's like that, but it's really a lot easier when somebody's in a Starbucks or a Coso or a Pete's or the coffee shop that you prefer. The other thing is, and this is a little iffy or some people don't think this is necessary, but I still think it's pretty smart to use a virtual private network if you are accessing corporate resources through public Wi-Fi.
I just like the extra touch of authentication and knowing that I'm going through a secure tunnel to get to my workplace and the resources I'm trying to reach and that I'm not being redirected in some way. Those are the five things that I would strongly recommend people do. So as a CISO, how do you both trust and verify? Well, it's hard to do remotely, right?
I'd say multi-factor authentication is the best and most scalable way to do it. But, you know, things get pretty iffy if you're on conference calls, right? And a lot of business is going to be conducted on conference calls. Video chats are a little bit easier, right?
Because they've typically got the UI where you can see who's calling in. You can check the numbers. But even there, you need to be vigilant on who's there. When you are on a conference call, sometimes nobody has any idea who's there.
So depending on the sensitivity of the topic, I recommend extreme vigilance. You can still go back and on the Internet find a recording anonymous did of an FBI conference call years ago. So for really sensitive things, the practice that I prefer, if you've got a system that will let you lock down access, is you wait till everybody's on board. You lock down access.
You press whatever service it is. It'll tell you how many people are called in. And then you do a roll call and you make sure you've got a name you know and a voice you recognize to every line that's on that conference call. That's what I recommend.
And perhaps I'm a little paranoid, but, you know, it's actually not that tough once you get used to it. You just need to have the right, you know, focus on OPSEC, operational security. And just to be clear for anyone that's watching this, we saw each other three weeks ago, so we're pretty convinced that that we're authenticated here. Yes.
So one more question for you. Let's talk about the elections. Coronavirus has made us reevaluate some of our primary elections and whether and how they will happen. What are the security implications as we look months out to the U.S.
presidential election? Well, Tom, I think they're huge. And the reason they're huge is that, you know, voting in person is an activity that has some of the things that you absolutely don't want during a pandemic. You know, a lot of people close together, spending time together and touching surfaces and maybe writing utensils that other people have touched.
So it's maybe not an ideal, but it's a pretty darn ideal environment for spreading the virus. So it makes sense for a lot of people to talk about putting off primaries or moving towards remote voting. The challenge is that there are still a lot of significant security challenges around that. There's really no question that there are additional security challenges presented by things like Internet voting or even mail-in ballots.