Work from Home Outsourcing: The Growing Cybersecurity Crisis

Article Summary:

  • Rapid Connectivity Growth: The Philippines saw internet access surge from 37% of the population in 2014 to 74% in 2024, surpassing the global average of 67.1%.
  • Inadequate Infrastructure: This rapid increase in Internet connectivity has translated to considerably higher than normal rates of cyber attacks due to the unsecured, non-commercial infrastructure of work-from-home individuals.
  • High Cybersecurity Threat: Ranked second globally for cyber threats, 49.8% of threats blocked in the Philippines were connected to cybersecurity, which was directly related to the increase in people working from home.
  • Severe Consequences: Inadequate cybersecurity measures can lead to severe penalties, including up to $50 million AUD fines and 10 years of imprisonment in Australia and 12 years and P4 million pesos in the Philippines.
  • Costly Personal Data: Full online identities are valued at approximately $1,170 per individual on the dark web, with the average sale of data between 300k and 500k AUD, making home-based setups without basic office-based security standards a lucrative target for cybercriminals.
  • Rising Cyber Attacks: Remote work contributed to a 238% increase in cyberattacks since the start of the pandemic, underscoring the urgency of enhancing cybersecurity for home workers.

Ignoring the Cybersecurity Elephant in the Room

Over a decade ago, we started Affordable Staff with just 10 team members in our very first tiny office. Like any new start-up, we had our handful of challenges, especially around reliable Internet connectivity.

This was a pretty constant problem within the Philippines at the time, as it was still a developing country in many ways. Ten years on, the Philippines has great internet connectivity, which makes Australia’s NBN Internet offering look quite embarrassing, considering we’re supposed to be a more developed country.

The growth of the Internet within the Philippines has been quite astonishing. Only 37% of the population had Internet access in 2014, and 10 years later, in 2024, 74% had access. This is considerably higher than the current global average of 67.1% and means the Philippines has come a long way in a relatively short period of time with Internet connectivity.

However, this rapid increase in comparison to other countries comes with its own set of challenges.

A report from Kaspersky highlighted that the Philippines ranked second globally for cyber threats, with 49.8% of threats detected and blocked by their products in 2022 (side note: the number one country for web-based cyber threats was Mongolia). The report noted a rise in various cyber threats, including phishing and malware attacks, with the surge attributed to the use of less secure home networks and personal devices by remote workers.

Let’s be honest. This is a pretty big issue, especially when you consider the number of people working from home post-COVID without adequate infrastructure in place to secure sensitive client data.

How Cybersecurity Negligence Can Land You in the Hot Seat

New Laws In Australia are holding company directors more accountable

Engaging staff to work within your business comes with significant liabilities and responsibilities. As an employer, you have obligations to ensure the well-being of your employees and the conditions in which they work. Additionally, you are responsible for providing and maintaining the necessary infrastructure—the tools and systems they use to perform their jobs effectively. From a cybersecurity perspective, if your infrastructure is inadequate or vulnerable, you could be held accountable for any malicious activities carried out by external threats targeting your business.

In late 2023, the Australian Government released new Cybersecurity laws as part of a larger Cybersecurity Strategy. Under these laws, company directors can be held personally liable for cyber attacks if their organization's cybersecurity measures are inadequate. Penalties for the directors of an Australian business can be up to $50 million AUD and up to 10 years imprisonment.

On the flip-side, if a Filipino is found to be involved in a cybersecurity incident, they can also be held liable and face up to twelve years in prison and up to four million pesos in fines.

These stringent penalties are in place to ensure that all parties take cybersecurity seriously. During the COVID pandemic, many people had no choice but to work from home, leading some to inadvertently overlook security protocols due to the sudden and challenging circumstances they faced. This focus has now changed, with the Australian Government taking this far more seriously than ever before and introducing new bills that will tighten this even further.

Security of Work from Home Vs. Work from Office

Managed outsourcing is appealing because the provider takes on the responsibility of security for their clients. This ensures access to top-tier commercial infrastructure and adequate insurance coverages, along with dedicated teams that continuously monitor all aspects of security.

In contrast, the typical home setup is a basic residential modem designed for home use. Multiple people are connected to that modem with laptops, phones, and TVs, with no access control and without the level of security required to protect the user and the client. For hackers, this is the perfect storm because of the ‘low-hanging fruit’ opportunities it presents.

Let’s share one of many real-world examples of threats unique to working from home.

Pineapple Attacks - One Example of How Hackers Gain Access to Your Information

Before we continue, it’s important to note that Filipinos love social media: 94.6% of people who have access to the Internet use Facebook on a monthly basis, and Filipinos are known to share all aspects of their lives online, using social media to keep the world updated.

This is where an emerging attack called the Pineapple Attack comes into play. The basic idea of a Pineapple Attack is to target work-from-home users using social media (through a technique called social engineering) and con them into connecting to a fake network, giving the attacker access to sensitive information.

Pineapple Attack Overview:

  1. Social Engineering: The hacker will look at online social profiles where individuals post that they are working from home for XYZ client. They will then find out as much information as possible, with the final intent of targeting the work-from-home location.
  2. Initial Setup: A hacker positions themselves in the local residential area of the target, searching for their Wi-Fi network.
  3. Creating a Fake Network: They create a fake Wi-Fi network using the same name as the existing legitimate one, but without the same security measures, including password protection.
  4. Disruption: The hacker disconnects the target's actual internet connection, causing the user to think there is a problem with their internet connection.
  5. User Reconnection: The target, noticing their usual Wi-Fi network name (SSID) appears available, reconnects, not realizing they are connecting to the hacker's fake network.
  6. Data Interception: Once connected, the hacker can intercept data, steal credentials, and even redirect users to malicious websites designed to capture sensitive information.

This attack leverages the target’s familiarity with their Wi-Fi network and common reactions to internet disruptions.
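
A defensive check for the fake-network step described above, as an added example that is not part of the original article: it compares Wi-Fi scan results against a recorded baseline of the home network and flags any access point that uses the trusted name with an unfamiliar radio address (BSSID) or weaker security. The network names, addresses and scan records are constructed sample values, and how the scan is collected from the operating system is outside the example.

```python
from dataclasses import dataclass

# Relative strength of Wi-Fi security modes; unknown modes count as open (0).
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # network name shown to the user
    bssid: str      # MAC address of the access point radio
    security: str   # e.g. "OPEN", "WPA2", "WPA3"

def find_evil_twins(scan, baseline):
    """Return (access_point, reasons) for every scanned AP that uses a
    trusted SSID but does not match what was recorded for that SSID."""
    findings = []
    for ap in scan:
        known = baseline.get(ap.ssid)
        if known is None:
            continue  # a neighbour's network, not one we rely on
        reasons = []
        if ap.bssid.lower() not in known["bssids"]:
            reasons.append("unknown BSSID")
        # A BSSID can be copied, so also check the security mode.
        if STRENGTH.get(ap.security.upper(), 0) < STRENGTH[known["security"]]:
            reasons.append("security downgrade")
        if reasons:
            findings.append((ap, reasons))
    return findings

# Constructed sample data: baseline recorded when the router was installed.
BASELINE = {"HomeOffice": {"bssids": {"02:00:00:aa:bb:01"}, "security": "WPA2"}}

# Constructed scan results, in the shape an OS Wi-Fi scan might report them.
SCAN = [
    AccessPoint("HomeOffice", "02:00:00:AA:BB:01", "WPA2"),  # the real router
    AccessPoint("HomeOffice", "02:00:00:cc:dd:02", "OPEN"),  # same name, no password
    AccessPoint("HomeOffice", "02:00:00:aa:bb:01", "OPEN"),  # copied BSSID, no password
    AccessPoint("Neighbour-WiFi", "02:00:00:ee:ff:03", "WPA2"),
]

if __name__ == "__main__":
    for ap, reasons in find_evil_twins(SCAN, BASELINE):
        print(f"ALERT {ap.ssid} {ap.bssid} {ap.security}: {', '.join(reasons)}")
```

A mesh system legitimately advertises several BSSIDs under one name, so all of them belong in the baseline set.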

For you as the business owner, this means that once the hacker has access, they can easily steal your clients' information. They will also have access to all of your CRMs and other places where your clients' sensitive information is stored, with a lot less work than trying to hack a larger, more secure environment.

The bigger question is: why would a hacker bother to use this technique?

Full online identities go for $1,170 USD per user, meaning if you have several hundreds of users within your CRM, then it’s $300,000 to $500,000 for an average payday.

Sounds pretty good for a few days' work, and it is one of a growing number of examples of hackers specifically targeting the Philippines.

Due to the rapid growth of Internet connectivity within the Philippines, there still isn’t enough protection implemented against cyberattacks. As a result, a person working from home is considered at incredibly high risk, as they usually don’t have the right infrastructure in place.

The Future Outlook

The Department of Information and Communications Technology (DICT) of the Philippines noted that cyberattacks are expected to continue rising as the digital economy expands. The DICT highlighted that many businesses that employ staff who work from home are particularly vulnerable due to the inadequate cybersecurity measures mentioned earlier.

Additionally, remote workers have contributed to a 238% increase in cyberattacks since the start of the pandemic, as reported by Alliance Virtual Offices. These findings indicate that remote workers, particularly in regions like the Philippines, face heightened cybersecurity risks compared to their global counterparts, essentially placing a business at a much higher level of risk when it employs staff who work from home, due to severely lax standards around security.

Best Practices for Enhancing Cybersecurity

Considering the stronger focus and targeting toward work-from-home staff globally and especially within the Philippines, it's critical to implement stringent cybersecurity measures. At Affordable Staff, we are ISO 27001:2022 and ISO 9001:2015 certified, and we adhere to the Essential 8 principles, ensuring robust data security and compliance with legal standards, enhancing customer trust, and minimizing the risk of data breaches.

These standards can be held more tightly because we maintain a work-from-office environment; offshore workers cannot have the same level of protection in place if they are working from home.

Where to From Here?

We were recently engaged by a new client who had a little over 1000 complete client records leaked in a data breach. By their own admission, the breach was like going through hell; it took months to resolve, and they wouldn’t wish it on their worst enemy.

The reason for this breach? They engaged work-from-home offshore staff from the Philippines whose primary concerns were power outages and consistent Internet and nothing beyond that. As you can imagine, after that pain, they were excited to engage in a more secure solution.

The reality is most business owners think it won’t happen to them or don’t know the steps required to create a secure environment and, as a result, choose to ignore it completely and continue on as normal.

As we wrap up, like many business decisions, I see outsourcing as a risk, yet the appeal outweighs that risk due to the cost savings, the tax deduction if you engage through a registered Australian entity, and most importantly, the ability to find good workers who just want to do the job.

This may come across as fear-mongering, yet it’s about considering the real risks. I’m sharing some of the real facts about the risks of outsourcing, and more specifically, the elevated risks of engaging offshore staff in countries like the Philippines that are working from home.

I think it’s important to consider how much risk you’re prepared to take. I see a severely heightened risk if you are engaging offshore staff who work from home, versus a lower risk with staff who work from a secure office.

Sources:

https://psa.gov.ph/content/more-50-million-have-access-internet-2020-census-population-and-housing

https://datareportal.com/reports/digital-2024-deep-dive-the-state-of-internet-adoption

https://privacy.gov.ph/data-privacy-act/

https://www.channelnewsasia.com/asia/philippines-cyberattack-security-policy-dialogue-scam-syndicates-pogo-4441931

https://www.meltwater.com/en/blog/social-media-statistics-philippines

https://blog.knowbe4.com/1170-is-how-much-youre-worth-on-the-dark-web

https://gulfnews.com/world/asia/philippines/philippines-wave-of-cyberattacks-spurs-urgent-measures-to-boost-cybersecurity-1.1697450124941



Dr. Kiran Kewalramani (Dr KK) GAICD, PhD - Cybersecurity, MBA

CEO & Founder at Cyber Ethos | Cybersecurity Speaker | Cybersecurity Influencer | Ph.D. - Cybersecurity | CISO | CIO | Non Executive Director | Entrepreneur | Thought Leader | Top 50 CIO Australia 2021 | Generative AI

1 day ago

David, thanks for sharing!

This highlights a critical issue in today's work environment. It's essential for businesses to prioritize cybersecurity as remote work becomes the norm. What strategies do you think are most effective in mitigating these risks?
