Currently, 3.9 million Americans work remotely, which marks a 115% increase from 2005. Estimates indicate that more than one-third of employees will work remotely in the next ten years. The desire for greater flexibility and work/life balance is partially responsible for this trend, in addition to an ever-increasing number of businesses that are based entirely online. With cloud and mobile technologies making it easier than ever before to communicate and collaborate regardless of location, organizations are embracing remote work as a way to cut costs and satisfy employee demand.

Despite the productivity and cost-saving benefits of remote work, the concept introduces serious cybersecurity risks that have the potential to devastate entire businesses. For example, if an employee logs on to their email via a coffee shop’s public Wi-Fi, that individual runs the risk of sending their work emails, customer information and other business data directly to hackers rather than to the Wi-Fi connection point.
Small and medium businesses (SMBs) are particularly vulnerable to remote work security risks, as they usually have fewer resources to prevent or recover from cyber-attacks proactively.

Here are five best practices that will help establish the proper level of control over cybersecurity threats.

Enforce Basic Cybersecurity Hygiene.An organization's cybersecurity is only as strong as its weakest link, and all it takes is one employee – even a well-intentioned one – to cause that chain to break. Enforce cybersecurity best practices such as using strong passwords, not sharing passwords across multiple accounts, implementing two-factor authentication (often free) and accessing sensitive files only from trusted devices and VPNs. Also, some simple and inexpensive employee cybersecurity awareness training can ensure employees are familiar with the most common and current attack schemes and educated on how to handle a situation if they think a cybersecurity incident has occurred.

Reign in 'Shadow IT.'Shadow IT refers to computer systems, applications or devices being used without explicit organizational knowledge or approval. For example, do any of your employees access their work email from their personal cell phone? Attempting to completely shut down Shadow IT isn't realistic, nor is it necessarily helpful to your business. However, it's essential to identify any apps or devices that could pose the highest risk. Clearly communicate which products or services are forbidden and explain why so your employees don't feel unjustly blocked and circumvent the rules. Also, consider putting processes into place that allow your IT team to quickly approve or disapprove new applications in which employees express interest.

Organize Back-End Technologies. Cloud-based apps can be a godsend for ensuring a seamless work environment for remote employees, and many also provide the invaluable service of backing up all of the data being generated outside an office's walls. Services such as G Suite or Microsoft Office 365, for instance, can allow employees to create, edit, organize, share and automatically back up documents, spreadsheets, presentations and more, no matter their location or device. Consider migrating some or even all of your file storage to a trusted cloud provider to optimize flexibility and more efficiently manage, secure and backup your business data.

Duplicate Storage.With its infinite scalability and relative affordability, cloud technology can be an ideal data storage resource. However, rather than relying entirely on the cloud or trusting your employees to only use secure cloud services with automatic backup capabilities, duplicate your most critical business data, so at least one copy is kept separate from cloud data centers and stored offline via encrypted backup tapes. This is an essential action to protect your business from the impact of a ransom attack, where a hacker blocks access to your systems or data until a ransom is paid.
​
Get Cyber Insurance.Cyber insurance is an important, final step for protecting your business against the dangers of employees working remotely. Considering the significant financial demands many SMBs face as a result of a security incident, look for plans that cover immediate business costs (e.g., lost revenue due to the interruption of business, ransom, regulatory or legal fines). Also, be sure to implement coverage that includes such crisis response services such as coaching and guidance on how to respond to a breach.

Networks today are subject to many threats including ransomware, cryptocurrency-miner threats, or state-sponsored hackers.

In line with other security industry pros, Microsoft has confirmed in its 24th annual security intelligence report that ransomware has taken a backseat to pesky cryptocurrency miners. 

But the company also warns that supply-chain attacks are on the rise. These are where an attacker uses a supplier or business partner to spread an infection. 

Past examples include the NotPetya not-ransomware outbreakthat caused over a billion dollars in losses for global firms and the Dofoil BitTorrent attacks. 
    
"Supply-chain attacks are insidious because they take advantage of the trust that users and IT departments place in the software they use," Microsoft warns in the report. 

"The compromised software is often signed and certified by the vendor, and may give no indication that anything is wrong, which makes it significantly more difficult to detect the infection. They can damage the relationship between supply chains and their customers, whether the latter are corporate or home users.

"By poisoning software and undermining delivery or update infrastructures, supply-chain attacks can affect the integrity and security of goods and services that organizations provide."

While attacks are changing and Windows 10 built-in security is improving, the company's advice to customers remains the same. However, there are conflicting data about the best approach to staying secure.  
Microsoft recommends only using software from trusted sources, though this 'security hygiene' measure could be undermined in a supply-chain attack. 

The company also recommends "rapidly applying the latest updates to your operating systems and applications, and immediately deploying critical security updates for OS, browsers, and email."

Deploying patches quickly is generally a good idea. However, Microsoft recently revealed that vulnerabilities in its software are most likely to be exploited as a zero-daybefore the company has even had a chance to release a patch. 

However, its other tips don't present obvious security conflicts.  

"Deploy a secure email gateway that has advanced threat protection capabilities for defending against modern phishing variants," Microsoft warns, adding that businesses should "Enable host anti-malware and network defenses to get near real-time blocking responses from the cloud (if available in your solution)." 

The other important measures organizations should take include implementing access controls, and teaching employees to be suspect of messages that ask them to divulge sensitive information. 

Microsoft also recommends keeping "destruction-resistant backups of your critical systems and data" and using cloud storage services for online backups. 
​
"For data that is on premises, regularly back up important data using the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite," says Microsoft.

Every month, thousands of retail websites are targeted by cybercriminals, who insert a small piece of malicious code that allows them to snatch customers’ credit card information. The hacking technique is called formjacking, and it’s the virtual equivalent of putting a device on an ATM to skim debit card numbers.
Affecting an average of 4,800 websites per month, formjacking is one of the newest favorite ways for hackers to steal personal data, according to security company Symantec’s annual Internet Security Threat Report.

Small and medium-sized businesses are still the most prominent targets of formjacking, according to Symantec, but in recent months, high profile brands including British Airways and Ticketmaster have also fallen victim to attacks. Symantec said it blocked more than 3.7 million formjacking attacks on websites in 2018, with one-third of those happening during the holiday shopping season.

“Formjacking represents a serious threat for both businesses and consumers,” Greg Clark, CEO of Symantec, said in a statement. “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.”

As returns diminish on older hacking techniques, formjacking has become a lucrative choice for cyber crooks, though it’s impossible to quantify the amount stolen from every formjacking attack in 2018. Symantec estimates criminals were able to steal “tens of millions of dollars” by using credit card information or selling the numbers on the dark web for around $45 each.

Meanwhile, instances of ransomware declined 20% overall for the first time since 2013, according to Symantec. One primary reason for this is the decreased value of cryptocurrency, which hackers use to demand payments.

Of course, hackers are expert shape-shifters and are always looking for new, sophisticated ways to sneak up and steal private information. Security experts recommend staying on top of threats by using antivirus software and by checking to make sure any website where you enter your credit card information has a lock icon next to the domain, indicating it’s a secure server.
​
Hackers have also been known to go old school, too, by sending targets phishing emails as a way to socially engineer them into sending personal information. But companies are increasingly on the lookout for these dangerous messages. Google even developed a phishing quizto help web users better identify potentially dangerous emails.

Artificial intelligence has the potential to bring a select set of advanced techniques to the table when it comes to cyber offense, researchers say.

Last week, researchers from Darktracesaid that the current threat landscape is full of everything from opportunistic attacks from teen hackers to advanced, state-sponsored assaults, and in the latter sense, attacks continue to evolve.

However, for each sophisticated attack currently in use, there is the potential for further development through the future use of AI.

Within the report, the cybersecurity firm documented three active threats in the wild which have been detected within the past 12 months. Analysis of these attacks – and a little imagination – has led the team to create scenarios using AI which could one day become reality.

"We expect AI-driven malware to start mimicking behavior that is usually attributed to human operators by leveraging contextualization," said Max Heinemeyer, Director of Threat Hunting at Darktrace. "But we also anticipate the opposite; advanced human attacker groups utilizing AI-driven implants to improve their attacks and enable them to scale better."

Trickbot. The first attack relates to an employee at a law firm who fell victim to a phishing campaign leading to a Trickbot infection.

Trickbot is a financial Trojan which uses the Windows vulnerability EternalBluein order to target banks and other institutions. The malware continues to evolve and is currently equipped with injectors, obfuscation, data-stealing modules, and locking mechanisms.

In this example, Trickbot was able to infect a further 20 devices on the network, leading to a costly clean-up process. Empire Powershell modules were also uncovered which are typically used in remote, keyboard-based infiltration post-infection.

AI's Future Role.Darktrace believes that in the future, malware bolstered through artificial intelligence will be able to self-propagate and use every vulnerability on offer to compromise a network.

"Imagine a worm-style attack, like WannaCry, which, instead of relying on one form of lateral movement (e.g., the EternalBlue exploit), could understand the target environment and choose lateral movement techniques accordingly," the company says.

If chosen vulnerabilities are patched, for example, the malware could then switch to brute-force attacks, keylogging, and other techniques which have proven to be successful in the past in similar target environments.

As the AI could sit, learn, and 'decide' on an attack technique, no traditional command-and-control (C2) servers would be necessary.

AI's Future Role.It is possible that AI could be used to further adapt to its environment. In the same manner, as before, contextualization can be used to blend in, but AI could also be used to mimic trusted system elements, improving stealth.

"Instead of guessing during which times normal business operations are conducted, it will learn it," the report suggests. "Rather than guessing if an environment is using mostly Windows machines or Linux machines, or if Twitter or Instagram would be a better channel, it will be able to gain an understanding of what communication is dominant in the target's network and blend in with it."

Take It Slow. In the final example, Darktrace uncovered malware from a medical technology company. What made the findings special was that data was being stolen at such a slow pace and in tiny packages that it avoided triggering data volume thresholds in security tools.

Multiple connections were made to an external IP address, but each connection contained less than 1MB. Despite the small packets, it did not take long before over 15GB of information was stolen.

By fading into the background of daily network activity, the attackers behind the data breach were able to steal patient names, addresses, and medical histories.

AI's Future Role. AI could not only provide a conduit for incredibly fast attacks but also "low and slow" assaults. It can also be used as a tool to learn what data transfer rates would flag suspicion to security solutions.

Instead of relying on a hard-coded threshold, for example, AI-driven malware would be able to dynamically adapt data theft rates and times to exfiltrate information without detection.
​
"Defensive cyber AI is the only chance to prepare for the next paradigm shift in the threat landscape when AI-driven malware becomes a reality," the company added. "Once the genie is out of the bottle, it cannot be put back in again."

You may have recently gotten a message from your bank that, yes, you should read and act upon.
The message being sent by many banks involves a small, but crucial change affecting check deposits made using bank mobile apps on smartphones and other devices.

Depositors must now include the phrase “For Mobile Deposit Only” underneath their signature on all checks deposited using mobile apps. Some banks are also suggesting you add "For Mobile Deposit Only at (Bank Name)" or "For (BANK NAME) Mobile Deposit Only."

This new endorsement requirement, instituted by the Federal Reserve, officially went into effect July 1. It applies to all mobile deposits at all financial institutions, such as PNC Bank, Capital Oneand Legend Bankin Texas.

Without the inclusion of the new phrase, banks say the check may be returned with the notification that your “deposit was rejected due to restrictive endorsement."

The change is meant to protect banks from fraud, which can occur when a check is accidentally, or intentionally, presented at a bank after it already has been deposited via mobile. 

"It’s not like there was rampant fraud, but it was just an area they wanted to tighten up," said Michael Diamond, senior vice president of payments at Mitek Systems, which has digital transaction technology used by more than 6,100 banks.

"This is the banks taking care of themselves," Diamond said. "The channel is very, very, very safe, and the growth is great. More and more people are using it." 
​
Case in point: Bank of America CEO Brian Moynihan said last month that during the April to June period, more customers deposited checks using the bank’s mobile app than in person at bank branches. Overall, 76% of all deposits come through ATMs and mobile deposits, he said.

Google might have just made itself the most significant example of how security keyscan work better than other forms of multi-factor authentication. According to Krebs on Security,ever since Google required over 85,000 of its employees to use physical security keys instead of one-time codes in 2017, it hasn't had a single case of account takeover from phishing. "We have had no reported or confirmed account takeovers since implementing security keys at Google," a company spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

Security keys like the one made by Yubikey give you a way to log into a website by merely plugging it in and pressing a button. You don't even need to type in your password anymore, much less generate a one-time code. While the method has its weakness, considering it relies on a physical item you can lose, it's considered safer than two-factor authentication, especially the type that sends you codes via SMS. Hackers could intercept messages sent to your device, after all, and gain entry to your account that way.
​
Unfortunately, Universal 2nd Factor (U2F) – that's what you call the type of multi-factor authentication that uses physical keys – support is pretty limited at the moment. You can already depend on it for protection on Chrome, but you'd have to manually activate it on Firefox by going to "about:config" first. Microsoft won't be rolling out U2F compatibility for Edgeuntil later this year, and Apple has yet to reveal whether Safari will ever support the standard. Further, only a few websites and services can use it, including Facebook and password managers such as Keepass and LastPass. It remains to be seen if Google's positive experience with the standard can help it become more widespread, but it's the kind of meaningful testimonial that could give it a massive boost.

Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. Tokenization, which seeks to minimize the amount of data a business needs to keep on hand, has become a popular way for small and mid-sized businesses to bolster the security of credit card and e-commerce transactions while minimizing the cost and complexity of compliance with industry standards and government regulations.

Payment card industry (PCI) standardsdo not allow credit card numbers to be stored on a retailer's point-of-sale terminal or in its databases after a transaction. To be PCI compliant, merchants must install expensive end-to-end encryption systems or outsource their payment processing to a service provider who provides a "tokenization option." The service provider handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down. 

In such a scenario, the service provider issues the merchant a driver for the POS system that converts credit card numbers into randomly-generated values or tokens. Since the token is not a primary account number, it can't be used outside the context of a specific unique transaction with that particular merchant. In a credit card transaction, for example, the token typically contains only the last four digits of the actual card number. The rest of the token consists of alphanumeric characters that represent cardholder information and data specific to the transaction underway. 
​
Tokenization makes it more difficult for hackers to gain access to cardholder data, as compared with older systems in which credit card numbers were stored directly in databases and exchanged freely over networks. Tokenization technology can, in theory, be used with sensitive data of all kinds including bank transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

No doorman? No problem. Amazon introduced a new delivery solution for apartment complexes that promises to deliver both convenience and safety (alongside your actual package, of course). Meet Hub by Amazon, a container that allows for the storage of packages so that they’re not just strewn about a lobby, or worse yet, potentially stolen. The Hubs look just like traditional Amazon lockers, but instead of being installed in public spaces and businesses, they’re instead located in apartment and condominium complexes.

Best of all, the Hub isn’t just for Amazon deliveries – instead, if your mother wants to FedEx a care package to you while you live your big city dreams, the package can reside safely in Hub until you have finished with your 12-hour workday. Neither senders nor recipients have to make any specifications when it comes to getting their packages delivered – you still input your regular shipping address, and the Hub merely serves as a temporary stopover until you return home. When you’re ready to pick up, use a personalized pickup code to open the corresponding door and access your delivery.

“We’re always striving to make things easier for our customers. Building on Amazon’s expertise in locker solutions, the Hub addresses frustrations from property owners, carriers, and residents concerning package delivery,” Patrick Supanc, director, Amazon Worldwide Lockers and Pickup, said in a statement. “Now half a million residents in some of the premier properties in the country have access to the Hub, Amazon’s latest delivery solution. The Hub simplifies delivery for residents, offering quick and secure access to packages, day or night. For delivery providers, it offers a single, convenient location for package drop-off and gives property managers time and resources back to focus on other priorities.”

This could serve as a huge help to folks who live in buildings with tricky delivery schedules. You will no longer have to worry about staying home to wait on a package to arrive, nor will you have to remember to ask your building staff about that delivery that was supposed to come last week. Building managers will likely also appreciate the convenience offered by Hub – rather than requiring property staff to declutter a lobby or send packages to the proper apartment unit; everything can be centralized in Hub.
​
Already, Amazon says that several of the largest residential property owners in the U.S. have signed up for Hub and that more than 500,000 apartment dwellers already have access to the amenity. If you’re interested in petitioning your building to include one of these handy lockers, you can request Hub by Amazon at the newly dedicated homepage.

Remember that Russian router malware warningfrom last week? The situation is even worse than we originally thought, and a whole lot more router owners are going to have to factory-reset their devices and install firmware updates.

Not only are many more Linksys, MicroTik, Netgear and TP-Link routers vulnerable to the VPNFilter malware, according a recent report from Cisco Talos labs, but several Asus and D-Link models are now also thought to be vulnerable, as well as a couple of Ubiquiti routers and individual Huawei, Upvel and ZTE devices. In all, nearly 70 devices are impacted, including QNAP network-attached-storage drives.

The malware itself has a previously unnoticed capability: It can stage a man-in-the-middle attackon your web traffic, altering what you see online and possibly hiding other nefarious deeds.

"They can manipulate everything going through the compromised device," a Cisco Talos researcher told Ars Technica. "They can modify your bank-account balance so that it looks normal while at the same time they're siphoning off money."

How to Protect Yourself. To really be protected from VPNFilter, you need to first fully update your router's firmware, then write down all your Wi-Fi network names and passwords, and finally factory-reset your router.
Once you've done all that, change the router's administrative username and password, then recreate the original network names and access passwords so that your Wi-Fi-enabled devices can reconnect without trouble.

To be safe, ALL routers should be updated and factory-reset because of the VPNFilter malware, despite that being an arduous process, because we don't know where this is going to end.

The malware seems to infect only devices that are known to have had security flaws, all of which have fixes available. If you've kept up on your router patches, or your router patches itself automatically, you probably haven't been infected. Unfortunately, there's no way of knowing for sure.

Only a factory reset will remove the malware, which contains a beachhead module that survives regular reboots; only firmware patches will prevent you from being infected again. Ten days ago, the FBI took down a server from which the beachhead module got instructions to download additional malware components, but it appears that a fallback mechanism lets the beachhead module use other sources.

Visa and Mastercard have chips embedded in hundreds of millions of credit and debit cards around the world. They're used in more than 200 countries and process billions of payments each year. And they both intend to create bank cards that use your fingerprint instead of a PIN. 

Early trials of cards with fingerprint scanners built-in are underway, and success could eventually result in the death of the humble PIN. "A four-digit PIN is pretty good security – obviously, six, seven or eight digits are better, but it is very hard for people to remember," says Bob Reany, an executive vice president at Mastercard, who is working on the firm's biometric cards. "[This] security is going to be better than a PIN."

In April 2017, Mastercard started testing a biometric card in South Africa. The new card looks the same as any other bank card but has a small biometric scanner in the top right-hand corner. When a finger is placed on the sensor, it can recognize if it is a match with stored data and then authorize the payment.

Mastercard now has more trials running in Bulgaria, and Reany says thousands of fingerprint-detecting cards will be tested elsewhere in the world later this year. "We've gotten the algorithms in great shape, now we're doing matching on the native device where the template is captured, and we're ready to go to market at some scale," he says. Crucially, in the coming months, banks will be issuing them to regular customers for the first time. Reany won't reveal exactly where the cards will be given to people, but he says more announcements are coming. "I think you're going to see pockets of Europe go pretty quickly," Reany says of potential adoption. 

Rival Visa is also testing biometric cards in Cyprus with the country's national bank and security company Gemalto, which has been creating the cards for both of the major payment companies, says it has produced "tens of thousands" of biometric cards for tests. 
​
Ultimately, payment companies are continuing to develop biometric bank cards, and trials are getting bigger. At their very least, biometric cards will offer a slightly more convenient way to pay, but they may also evolve with increasing use of fingerprint technology in other areas of people's lives. As Berg says: "People forget their PINs but very rarely do you go out without your fingers."