Hackers Hot for Hotspots: Protect Your Remote Workforce

Your remote workforce is only as strong as its weakest link — which, believe it or not, may be a public WiFi hotspot. Insecure networks have been at the forefront of a recent spike in business-impacting cyber attacks, namely among organizations that have deployed a remote workforce who accessed malicious WiFi networks or hacker-enabled hotspots.

Have we become so dependent on the ubiquity and convenience of connectivity that remote employees will connect to any nearby network, so long as it looks legit? The answer is yes, and it’s the reason why 80% of security and business leaders said their organizations were more exposed to risk as a result of remote work.

Though remote work enables employees to work from anywhere, these harmful hotspots are everywhere, and many employees are simply none the wiser to the risks. The vulnerability of the remote workforce to these cyber attacks can no longer be ignored. Learn how to protect your remote workforce (and organization) from the harmful effects of network-induced cybercrime.

The Remote Workforce is Here to Stay

If 2020 was the year of remote work, 2021 was the year of the remote workforce — and recent data suggests it’s not going anywhere any time soon. While 70% of full-time workers were forced to switch to remote work in 2020, 69% still voluntarily worked remotely throughout 2021. Today, a whopping 81% would prefer a hybrid or remote working style indefinitely, even post-pandemic. 

Plus, it’s not just employees who favor a permanently remote workforce. According to the 2021 State of Remote Work, 26% of employers have voluntarily chosen to maintain a fully remote workforce and 20% have opted for a hybrid work model. Not to mention, approximately 40% of employers have either reduced or closed their physical office spaces. 

All signs point to an ongoing remote workforce. But if employers weren’t prepared for their teams to work from home in 2020, are they actually prepared now? Or will the risk of cybercrime dampen the otherwise fantastic benefits of remote work? Recent statistics suggest there’s still work to be done to protect both employees and organizations. 

But Are Remote Workers Safe from Cyber Crime? 

Are you familiar with the phrase, “One bad apple spoils the barrel?” Well, that’s a pretty accurate way to view public WiFi and free hotspots in relation to remote work. Though employees have the freedom and autonomy to dial in from anywhere in the world, they almost always require an internet connection to access company servers or internal databases. 

98% of remote workers use a personal device for work daily, yet 71% of security leaders lack high or complete visibility into remote employee home networks — which could explain why 67% of cyber-attacks directly targeted remote workers. From the local café to a hotel across the globe, it’s far too easy for employees to unintentionally connect to an unsecured network. 

A recent study, Cybersecurity in the New World of Work, found that 74% of organizations attribute recent business-impacting cyberattacks to vulnerabilities in technology put in place during the pandemic, namely migrating business-critical functions to the cloud. Two-thirds of security leaders plan to increase cybersecurity investments over the next two years, but what about right now?

So, Is Public WiFi a Trap Door for Hackers?

While security leaders scramble to implement better network practices for remote workers, this remote-work expert will let you in on a secret: Using free public WiFi is like licking the grade-school water fountain while you’re taking a drink. Sure, you get what you need out of the deal, but you open yourself up to a lot of nastiness… like, next-level gross. The same can be said for public WiFi. 

Though a public, insecure internet connection allows remote employees to access whatever they need for work, it also provides cybercriminals with access to business-sensitive or customer-centric data. A hacker can examine every piece of information a worker enters on the network, from important emails to security credentials for your corporate network.

Unfortunately, many people consider tethering their laptop to their phone too technical or lack the appropriate data plan, so they default to a local hotspot. These hotspots are often unencrypted and require no login or password — that’s like open season for hackers! And with slim chances of tracking a cybercrime to the hotspot (or hacker) in question, they continue to be a blind problem. 

Why Public WiFi Makes a Hacker’s Job a Breeze

We as a society have become so dependent on connectivity, whether for remote work or pleasure, that the average person will connect to a random nearby network as long as it is named in a manner consistent with their place on the map. Near a café? FreeCafeWiFi it is! But why is it so easy for cybercriminals to create these malicious networks in the first place? 

First and foremost, it’s because you don’t have to hack a public network, you just have to imitate one. With an average iPhone, anyone can set up an “evil twin” WiFi network at the nearest café, airport, or hotel, and sniff any unsecured traffic that passes through. Most people don’t know the difference between the various WiFi or tethering symbols on their phone, so they’re in the dark about the inherent risks.

With slightly more sophisticated equipment and the right software, a true “evil twin” can be set up in a matter of seconds. In fact, when I’m in the field as a cybersecurity speaker, I often rename my iPhone to the name of the hotel or conference center hosting the event, like !SECUREMarriotWiFi. This naming convention makes the hotspot rise to the top of the list, and I regularly have attendees joining my hotspot to collect their email, log in to work, and more.

It’s that easy, friends. And it’s not always criminals doing the involuntary data grab: Retailers have been known to offer free WiFi with the specific purpose of learning more about their customers, meaning even “legitimate WiFi” can be a risk. The average café or retailer doesn’t actually care about the safety of your data, they are just keeping expenses low and connections convenient. 

Cybersecurity Expert Tips to Protect Your Remote Workforce 

Would you trust and inject a vaccine someone handed you at your favorite Starbucks? Don’t delude yourself. Working on free WiFi with sensitive material will never be as safe as using a secure hotspot or WiFi connection you own. If your remote workforce is spread across the city, state, or country, there’s no way they can all access a company-backed Internet connection.

So, you must do the next-best thing — educate your team on how to safely work remotely. Here are five tips, as told by a cybersecurity expert who has seen behind the curtain, to improve your Wi-Fi safety and protect your business. 

1. Connect (Work Remotely) via Cellular Data 

When remote employees are working on something sensitive or confidential (read: internal data), it’s best to connect to the internet via cellular data connection whenever possible. Connection from a smartphone to a personal device is encrypted and far more secure than any free WiFi.

If they don’t have a dedicated hotspot, tether a smartphone to a laptop and use that to communicate instead. In many cases, an available 5G network is faster than what the free WiFi will be. 

2. Utilize a Virtual Private Network (VPN)

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device were directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, install a VPN on every worker’s device to cyber secure your virtual office.

For the remote workforce, a VPN is an excellent method to add security to employee communication, especially when leveraging an insecure connection like public WiFi. Even if a hacker accesses an employee’s device, the data will be strongly encrypted and is more likely to be discarded than run through a lengthy decryption process. 

3. Always Use HTTPS 

Take a look at your browser bar. Right now, the current web address should begin with https:// — that’s on purpose. HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP used for secure communication over a computer network. The majority of trustworthy sites will leverage HTTPS to encrypt communication, especially those that require log-in credentials. 

Entering those credentials in an unencrypted manner could open the door to a hacker, who can then repurpose those details to access your corporate or client network. So, be sure to personally enable (and encourage employees to enable) the “Always Use HTTPS” option of frequently-visited sites. Alternatively, install a web extension like HTTPS Everywhere for Chrome, Firefox, and Opera to essentially force each website you visit to connect using HTTPS. 

4. Safeguard All Settings

The settings on a personal device are the difference between leaving the backdoor wide open for cybercriminals or dead-bolting that door shut. When your remote workforce connects to the internet at a public place, be sure their settings have been optimized to prevent a cyber attack as much as possible. 

For one, turn off sharing from the system preferences or Control Panel. It’s unlikely your team has anything to share with the other patrons of a café, save the hacker lurking in the corner. Secondly, turn off Auto Connect for WiFi networks and log out of the WiFi when you leave, as many of today’s devices will automatically connect to the closest available network, without regard for safety.
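
One way to check the Auto Connect advice on Linux laptops, as an added example that is not part of the original article: the script reads saved Wi-Fi profiles and reports the ones a device would rejoin on its own, ranking passwordless networks highest. It assumes profiles in NetworkManager keyfile format; the sample profiles and function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format, keyed by
# file name. Assumption: Linux laptops managed with NetworkManager; the
# article itself only mentions System Preferences and Control Panel.
SAMPLE_PROFILES = {
    "FreeCafeWiFi.nmconnection": (
        "[connection]\nid=FreeCafeWiFi\ntype=wifi\n\n"
        "[wifi]\nmode=infrastructure\nssid=FreeCafeWiFi\n"
    ),
    "HotelGuest.nmconnection": (
        "[connection]\nid=HotelGuest\ntype=wifi\nautoconnect=false\n\n"
        "[wifi]\nssid=HotelGuest\n"
    ),
    "HomeOffice.nmconnection": (
        "[connection]\nid=HomeOffice\ntype=wifi\n\n"
        "[wifi]\nssid=HomeOffice\n\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-placeholder\n"
    ),
    "OldPrinterNet.nmconnection": (
        "[connection]\nid=OldPrinterNet\ntype=wifi\n\n"
        "[wifi]\nssid=OldPrinterNet\n\n"
        "[wifi-security]\nkey-mgmt=none\n"
    ),
    "Wired.nmconnection": "[connection]\nid=Wired\ntype=ethernet\n",
}


def classify(key_mgmt):
    """Map the profile's key-mgmt value to a coarse security class."""
    if key_mgmt is None or key_mgmt == "owe":
        return "open"        # no password: anyone can imitate the name
    if key_mgmt in ("none", "ieee8021x"):
        return "weak"        # WEP variants
    return "protected"       # wpa-psk, sae, wpa-eap, ...


def rate(security, autoconnect):
    """Rank how exposed a saved profile leaves the device."""
    if security == "protected":
        return "ok"
    if not autoconnect:
        return "low"         # still saved, but the user has to pick it
    return "high" if security == "open" else "medium"


def audit_profile(text):
    """Return a finding for one Wi-Fi profile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid",
                  fallback=cp.get("connection", "id", fallback="?"))
    # NetworkManager treats a missing autoconnect key as true.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    # An open network has no [wifi-security] section at all.
    security = classify(cp.get("wifi-security", "key-mgmt", fallback=None))
    return {"ssid": ssid, "autoconnect": autoconnect,
            "security": security, "risk": rate(security, autoconnect)}


def audit_profiles(profiles):
    """Audit every profile and return the risky ones, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(audit_profile, profiles.values())
                if f is not None and f["risk"] != "ok"]
    return sorted(findings, key=lambda f: (order[f["risk"]], f["ssid"]))


if __name__ == "__main__":
    for f in audit_profiles(SAMPLE_PROFILES):
        print(f"{f['risk']:<6} {f['ssid']:<14} "
              f"security={f['security']} autoconnect={f['autoconnect']}")
```

Profiles rated high are the ones to delete or switch to manual connection first, since a device will join any nearby network that advertises the same name.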

5. Verify Legitimacy Whenever Possible 

Lastly, if you or your remote workforce ever find the dire need to use public WiFi, make sure to verify with the business that any WiFi hotspot you join is the legitimate one — not the “evil twin” — and make sure it requires a password to join. Confirm details such as the connection’s name and IP address before connecting any personal devices to the business’s network. 
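
The check described in this tip, written out as an added example that is not part of the original article: each network in a scan is compared with the name and password requirement that staff confirmed, and look-alike names are flagged, including the leading-symbol trick described earlier. The venue name, scan entries and function names are constructed for illustration.

```python
import re

# Details confirmed with the business (constructed example values).
VERIFIED = {"ssid": "CornerCafe-Guest", "password_required": True}

# Constructed scan results as a device might list them.
SAMPLE_SCAN = [
    {"ssid": "CornerCafe-Guest", "password_required": True},
    {"ssid": "CornerCafe-Guest", "password_required": False},
    {"ssid": "!SECURE CornerCafe Guest WiFi", "password_required": False},
    {"ssid": "cornercafe-guest", "password_required": True},
    {"ssid": "Library-Public", "password_required": False},
]


def normalize(ssid):
    """Fold case and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def assess_network(seen, verified):
    """Compare one scanned network with the verified details.

    Returns (verdict, reasons) where verdict is "matches", "suspicious"
    or "unrelated".
    """
    ssid = seen["ssid"]
    reasons = []
    exact = ssid == verified["ssid"]
    want = normalize(verified["ssid"])
    # A look-alike contains the verified name once case, spaces and
    # punctuation are ignored, but is not the identical string.
    lookalike = (not exact) and bool(want) and want in normalize(ssid)
    if not exact and not lookalike:
        return "unrelated", reasons
    if lookalike:
        reasons.append("name resembles the verified SSID but is not identical")
        if not ssid[0].isalnum():
            reasons.append("leading symbol sorts the name to the top of the list")
    if verified["password_required"] and not seen["password_required"]:
        reasons.append("no password, although the verified network requires one")
    return ("suspicious" if reasons else "matches"), reasons


def assess_scan(scan, verified):
    """Assess every network in a scan; returns (ssid, verdict, reasons)."""
    return [(n["ssid"], *assess_network(n, verified)) for n in scan]


if __name__ == "__main__":
    for ssid, verdict, reasons in assess_scan(SAMPLE_SCAN, VERIFIED):
        print(f"{verdict:<10} {ssid!r}")
        for reason in reasons:
            print(f"           - {reason}")
```

A "matches" verdict only means the name and password requirement agree with what staff confirmed; both can be copied, so the VPN and HTTPS tips above still apply.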

Stay Protected with a Cybersecurity Overhaul 

Even a remote workforce that takes every possible precaution against third-party networks can encounter a cybercriminal. That’s just a risk of doing business in this increasingly digital age. As cybercriminals continue to evolve, cybersecurity best practices will also progress; and it’s up to business leaders to continue to upgrade their security practices to remain protected.

Don’t let the threat of cybercrime impact the longevity or productivity of the remote workforce. Take action today by empowering your remote workforce with the tools they need to remain safe, even when dialing in from halfway around the globe. Now is the time to invest in a cybersecurity crash course, if not for the safety of your business, for the protection of your employees and customers. 

Face Computers: Privacy Violation by Pupil Dilation? 

Smartwatches, holograms, self-driving vehicles — we may have just rung in the year 2022, but here on Earth, we’ve started to live (blindly) like the Jetsons in 2062. The latest technological advancement coming out of Orbit City, err, Silicon Valley is the face computer, wearable tech that will plunge users into the notorious “metaverse.” 

Just saying the word metaverse makes me throw up a little in my mouth. Though similar technology has been in the works for quite some time, rumor has it that Apple may be launching an augmented reality headset (face computer) sometime soon. And where Apple goes, hundreds of millions of followers go. I am one of them. So, what does this mean for you and me? 

Is it time to embrace the next gen digital lifestyle à la the Jetsons? Well, you might want to pause before strapping into a newfound face supercomputer and diving headfirst into the metaverse. Here’s what the rise of face computers may mean for your privacy, and how we should begin to implement boundaries that protect both our data and our security… before it’s too late. 

Pitfalls of Not Prioritizing Privacy 

As a society, we often become distracted by all of the fancy bells and whistles advertised by emerging technology and software programs. We watch a two-minute highlight reel of the ‘latest thing,’ whether it’s a new smartphone or social media network, and hop right in — reserving the hard-hitting questions for later.

Historically, that’s never worked out well. When we embrace new technology first and lay the ground rules for it second, we essentially open ourselves to inherent privacy risks. Don’t believe me? Think about Facebook and Instagram, which are both continuously under fire for predatory practices surrounding user data, yet 1.93 billion people use the platforms every day regardless. 

When privacy and security concerns take a backseat, the decisions surrounding new technology are ultimately driven by the technology companies themselves — much like we see with Meta, the Facebook parent company. Even when we do engage with the company, like by deactivating our accounts or signing public petitions, we don’t engage with the same robust financial backing of the organization, and consequently the deep pockets of Big Tech completely drown out our voice. 

Want the government to step in? Well, Congress has passed a few cybersecurity bills; however, the majority focus on emerging malware risks and other data breaches helmed by cybercriminals… not face computers. And as we can see with the media frenzy surrounding the Facebook whistleblower trial, Congress is not currently in a place where they will legislate in a bipartisan way on solutions. 

Potential Implications of a Face Computer 

So, what is the worst thing that could happen if we all strapped into a new face supercomputer with little to no restrictions? Picture it as having an Alexa device that doesn’t just listen to your every conversation, but also tracks your autonomic responses, like pupil dilation, respiratory rate and pulse. Then, your device sells that data to the third-party highest bidder for incredibly targeted advertising, which is then inevitably breached by Russian or Chinese state-sponsored hackers who are paid to gather every detail about every American they can. 

Does your heart rate speed up when you look at the Tesla website? They’ve learned what’s on your gift wishlist. Does your favorite politician make your pupils dilate? Get ready for an onslaught of political advertisements. From a privacy and security lens, these face supercomputers operate more like something out of a biometric movie such as The Matrix than like a helpful media device. 

Prepare for Marketing in the Metaverse 

Face computers are poised to be the entryway into the highly prophesied metaverse. A metaverse is a fully-functioning virtual universe that allows real users to create, sell, own, and invest using personalized digital avatars. These virtual universes are always active and adhere to real-world timing, so the more users are involved, the more the metaverse will expand and evolve.

If you have a child or are partial to ‘sandbox style’ games, like Grand Theft Auto or Roblox, you’re already familiar with a type of metaverse. As virtual and augmented reality technologies become more popular, metaverses are penetrating the internet, with the folks at Meta predicting that the worldwide web will eventually transition into the ‘worldwide metaverse.’ 

As you could predict, advertisers are already hard at work infiltrating various metaverses. For instance, Bidstack, a video game ad tech company, has begun placing company ads on virtual billboards across games like Roblox and Fortnite. Even navigation platforms like Waze have gotten in on the action, delivering ads for brick-and-mortar businesses based on the route a driver takes. 

How to Prepare Now, So We Don’t Suffer Later

None of the above information is meant to intimidate you. In fact, it’s quite the opposite. In the cybersecurity industry, knowledge is power. The more we know and prepare for the introduction of face computers, the more we can implement ground rules that protect our right to privacy. I’m not in any way categorically rejecting the advent of face computers; I’m saying that we need to put limits on how our personal biometric data is collected, analyzed and sold. 

We should not delay educating ourselves and others about the potential impacts of this technology. Here’s how we can prepare for face supercomputers on an individual, company, and societal level.

1. Start with Background Education 

Threat trends are consistently evolving. From ransomware to the Internet of Things, most people are unaware of how privacy and security concerns shift with each type of technology introduced. When it comes to the latest data security threats, you can’t possibly do everything — but you must do the right things, starting with self-education. 

Consider educating your people with a cybersecurity crash course that provides a high-level, non-technical path through the complicated web of technological threats, human decision-making, network security, cloud computing, and more. The right cybersecurity keynote speaker for your event can help navigate emerging mobile technology with strategies grounded in fact, so you can feel more in control moving forward. 

2. Impose Company-Wide Policy 

Though face computers aren’t necessarily ‘workplace technology,’ it’s not a stretch to assume that these devices will soon make their way to boardrooms and break rooms alike. Mark Zuckerberg has already introduced the idea of virtual team meetings on the metaverse, and with remote work still going strong, a face supercomputer can help bridge the gap between dispersed teams.

However, as we learned with the recent shift to remote work, thousands of employees on one remote server can spell disaster for many organizations — and dozens of employees all using face computers to dive into the metaverse can provide a backdoor for cybercriminals. Now is the time to implement a company-wide policy for these types of technologies; start by Bulletproofing Your Business Against Breach with a cybersecurity keynote speaker who has experienced the devastation of cybercrime. 

3. Make Your Powerful Voice Heard 

Much like we can’t stop the current technological evolution, we cannot prevent the introduction of face computer technology. In truth, that might be a good thing — there are dozens of incredibly valuable uses for this technology that range from public health to even climate control. However, we should encourage societal input to implement boundaries for our privacy. 

Now is the time to remember how much power we as consumers truly have. Society plays a massive role in the political power held by tech giants. We can help shape the media and other politically-relevant information that surrounds emerging technologies by continuing to educate ourselves and speaking amongst others to ensure consumers understand the full concept of face computers and not just the bells and whistles. 

Seek Peace of Mind with a Cybersecurity Keynote Speaker 

If all of this talk about supercomputers and virtual universes makes you feel like you’re living in a Matrix movie, you’re definitely not alone. Though we might not be ‘Jetson level’ futuristic, our society is slowly (but surely) getting there. To ease this latest technological transition, reach out to a trusted cybersecurity keynote speaker for peace of mind and protection. 

For nearly two decades, I have spoken to organizations including the Pentagon, Homeland Security, Pfizer, Charles Schwab, Visa, and the Federal Reserve Bank about how to safeguard their organizations from cybercrime. If you want to gear up for the latest evolution of smart headgear, contact The Sileo Group today to schedule your next cybersecurity keynote. 

New iPhone Setting Stops Apps & Ads from Stalking You (App Tracking Transparency)

Apple App Tracking Transparency is Finally Here!

With the release of iOS 14.5, Apple has given us the most powerful privacy tool for users in many years – it’s called App Tracking Transparency (ATT). The update also includes a lot of features that have Apple product users very excited, like new Siri voices and being able to open your iPhone with Face ID even when wearing a mask—IF AND ONLY IF you have an Apple Watch.

But as a privacy advocate, the element that matters the most to me is the App Tracking Transparency (ATT) feature. This means that apps like Facebook, Instagram and Google will no longer be able to track or gather your surfing habits on other apps or websites without getting your permission. For example, if you worked out on the Peloton app this morning, Facebook can buy that information and advertise exercise clothing to you based on your exercise type, size, weight, etc.

This is a serious blow to Facebook and other “free” services that depend on gathering your intimate personal and behavioral data to sell to their advertising clients. Of course, these services have never actually been free, as we have always been paying by giving them our information.

Specifically, the update changes the Identifier for Advertisers (IDFA), which is a unique random number assigned to each iPhone and allows advertisers and developers to track user behavior on that device. This includes not only app usage but also web browsing behavior that is often used to target advertisements to your psychographic profile. Apple says this change will provide transparency and give users an easier way to choose if their data is tracked.

Needless to say, Facebook, Google, and other big tech firms are not happy with the change. Facebook was so upset they placed a full-page ad in The New York Times in December claiming that the change would negatively affect small businesses who will see a drop of over 60% in sales. Facebook was unable to substantiate that claim, but their claim that it will force developers to enable in-app purchases or force subscriptions to make up for lost revenue is most likely true.

What will this look like for you as a consumer?

Basically, whenever you open any app that wants to access the IDFA, you will see a pop-up notification that asks for permission to track you across apps and websites owned by other companies. You’ll be able to opt in to tracking or not by choosing between “Allow Tracking” and “Ask App Not To Track.” Opting into data collection rather than having to opt out finally catches up with data privacy regulations such as the EU’s GDPR. It will be required of all software makers within a few months of the release.

So it comes down to one question: are you willing to pay for the extras provided by apps in order to have a little bit more privacy?

John Sileo is a privacy keynote speaker, award-winning author and media personality as seen all over TV. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Is WhatsApp Privacy a Big Fat Facebook Lie? What You Need to Know.


WhatsApp Privacy: Facebook’s New “Data Use” Policy

I have been getting a ton of questions on the privacy of your personal data that is sent through WhatsApp. Is Facebook, who owns WhatsApp, sharing everything you write, including all of your contacts, messages and behaviors? It’s not quite that simple, but neither is Facebook.

Facebook announced a new WhatsApp privacy policy recently which created A LOT of confusion and user backlash. The changes caused such an uproar that they ultimately have decided to delay release of the new WhatsApp privacy agreement from Feb. 8 to May 15 while they sort themselves out. So let me give you a head start!

Behind all of this, WhatsApp is trying to break into the world of messaging for businesses (to compete with Slack and other programs). That way, when you communicate with a business, Facebook will see what you’re saying and use that information for advertising purposes.

Your Data That Can Be Accessed By Facebook

Facebook contends that your private messages will remain encrypted end-to-end, including to them, but Facebook & WhatsApp will have access to everything they’ve had access to since 2014:

  • Phone numbers being used
  • How often the app is opened
  • The operating system and resolution of the device screen
  • An estimation of your location at time of usage based on your internet connection

Purportedly, Facebook won’t keep records on whom people are contacting in WhatsApp, and WhatsApp contacts aren’t shared with Facebook. Given Facebook’s miserable history with our personal privacy, I don’t actually believe that they will limit information sharing to the degree that they promise. I think that this is one of those cases where they will secretly violate our privacy until it is discovered and then ask forgiveness and lean on the fact that we have no legislation protecting us as consumers. But please be aware that if you utilize Facebook, you are already sharing a massive amount of information about yourself and your contacts. WhatsApp may just add another piece of data into your profile. Watch The Social Dilemma on Netflix if you’d like to learn more about how you are being used to power their profits.

Highly Private Messaging Alternatives to WhatsApp

So, while it is mostly a “cosmetic change” to the WhatsApp privacy policy, if you are uncomfortable using it, you may want to consider the following:

    • There are alternative messaging apps, including Signal and Telegram, both of which have seen huge new user sign-ups since the announcement. I personally use Apple Messages (daily communications) and Signal (highly confidential communications).
    • WhatsApp says it clearly labels conversations with businesses that use Facebook’s hosting services. Be on the lookout for those.
    • The feature that allows your shopping activity to be used to display related ads on Facebook and Instagram is optional and when you use it, WhatsApp “will tell you in the app how your data is being shared with Facebook.” Monitor it and opt out.
    • If you don’t want Facebook to target you with more ads based on your WhatsApp communication with businesses, just don’t use that feature.
    • Trust the WhatsApp messaging app as much as you trust Facebook, because ultimately, they are the same company.

John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.

Telemedicine: Are Virtual Doctor Visits a Cyber & Privacy Risk?

The Trump administration has relaxed privacy requirements for telemedicine, or virtual doctor visits: medical staff treating patients over the phone and using video apps such as FaceTime, Zoom, Skype and Google Hangouts. The move raises the chances that hackers will be able to access patients’ highly sensitive medical data, using it, for example, to blackmail the patient into paying a ransom to keep the personal health information (PHI) private.

This relaxation in privacy regulations about telemedicine is necessary, as treating coronavirus patients in quick, safe, virtual ways is a more critical short-term priority than protecting the data. That may sound contradictory coming out of the keyboard of a cybersecurity expert, and that exposes a misconception about how security works.

Security is not about eliminating all risk, because there is no such thing. Security is about prioritizing risk and controlling the most important operations first. Diagnosing and treating patients affected by Covid-19 is a higher priority than keeping every last transmission private.

Put simply, the life of a patient is more important than the patient’s data. With that in mind, protecting the data during transmission and when recordings are stored on the medical practice’s servers is still important.

  • Doctors should utilize audio/video services that provide full encryption between the patient and the medical office during all telemedicine visits
  • If the doctor’s office keeps a copy of the recording, it should be stored and backed up only on encrypted servers
  • Not all employees of the doctor’s office should have the same level of access to telemedicine recordings; all patient data should be protected with user-level access
  • Employees of the doctor’s office should be trained to repel social engineering attacks (mostly by phone and phishing email) to gain access to telemedicine recordings

Telemedicine and virtual doctor visits are just one way that the government is willing to accept increased risks during the pandemic. Many federal employees are also now working remotely, accessing sensitive data, often on personal computers that haven’t been properly protected by cybersecurity experts. This poses an even greater problem than putting patient data at risk, because nearly every government (and corporate) employee is working remotely for the foreseeable future. I will address those concerns in an upcoming post.

In the meantime, stay safe in all ways possible.

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a privacy and cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker, and expert on technology, surveillance economy, cybersecurity and tech/life balance.