Who’s been sitting at my desk? The unwelcome office visitors who may have been in when you weren’t.

23 July 2020

Work-life as we knew it pre COVID-19 may seem some way off, but many organisations are working hard on plans to re-open offices in a safe and secure way. Anyone involved in return to work strategies knows it’s a complicated process, with both practical and psychological barriers to consider and overcome. While cleanliness and employee wellbeing are likely high up the agenda, it’s likely cyber security isn’t a primary focus. After all, it’s more secure working in an office than from home, right?

The answer is not when they’ve been empty for several months. Indeed, there may be threats in existence now that weren’t there when you left. I’ve talked before about the importance of keeping your guard up when returning to empty properties at the end of lockdown – and this applies just as much to your workspace as your home. But don’t worry – the solutions are simple when you know what to look for

Covid crime

The Covid-19 lockdown has been a productive time for some criminals. The sudden adjustment to working from home created many cyber vulnerabilities - from Zoom-bombing to prying smart speakers and everything in between.

On top of this, scammers have had plenty to take advantage of – from faking NHS track and trace requests to exploiting the rise of online purchases, there’s been plenty to do. It’s not surprising, therefore, that online threat levels have risen by as much as six-times higher than normal during the COVID-19 lockdown.

The pandemic has also presented criminals with a unique opportunity to access office spaces that would traditionally be teeming with employees and security staff. Even if your physical security staff have been ever present, the window of opportunity to physically access unsupervised computers and workstations is greater than it has ever been.

The objective is the same, obtaining information is the name of the game whether the target is a specific individual or the wider organisation.

Below are just a few methods an attacker may consider using if they’ve had access to your offices. It’s not an exhaustive list, but provides useful insight on vectors an attacker may use to exploit their target:

Man in the middle attack (WiFi Spoofing)

Accessing a deserted office presents the opportunity to set up a fake WiFi hotspot. Using this, a criminal can 'spoof' the WiFi and obtain information from your device while connected to it. Any unencrypted information being sent from your device will go through the attackers WiFi.

This information is then susceptible to further analysis which could allow the attacker able to interpret the data coming from the device such as passwords – and gain access to your entire online life.

Key stroke logging

How many times do you walk into the office and check the back of your computer? Hardly ever right? An unsupervised computer may have had a device put in the back which is connected to the keyboard. This may record keystrokes all the way down to how many mouse clicks you make. This device can easily catch information such as usernames and passwords as well as sensitive conversations on instant messenger, and even personal conversations.

Strategically placed USB

A particular favourite of cyber criminals is to strategically place USB sticks around the office. They may further incentivise people to plug these in by marking them up with something intriguing like ‘Confidential’ or ‘Sensitive’. When plugged in the USB invisibly infects a machine, and allows an attacker to gain access to the infrastructure.

Listening devices

Cameras, listening devices or hybrids of both are readily available to purchase online and can easily be deployed in locations where sensitive information is being discussed. Favourite places for criminals to plant these devices are board rooms, or the private offices of a CEO and CFO – criminals in empty offices will have had time to choose their location carefully.

How to keep safe

When you do return to the office, the following steps should flush out anything suspicious:

Eyes wide open

First and foremost check your surroundings – and ask your employees to do the same:

  • If you see any new equipment, find out where it has come from and why.
  • Check the back of your computer desktops to see if there is anything out of the ordinary.
  • Be wary of tailgating as you enter the office.
  • Pay close attention to any physical changes to the office – if anything looks new or different, ask why.
  • Check everything that arrives from an external source.
  • Be wary of accepting gifts or executive desk items – even if they are from a known source.
  • Don’t fall into bad habits – never write down a password.
  • Clear your desk – a clean tidy desk will quickly show up anything that shouldn’t be there.

Ask your IT team to check on the following:

  • Have there been any changes to the WiFi passwords or security mark up i.e.: What type and format of passwords are being used? Is it using a certain type of encryption?
  • Check the IT systems within your comms room, including log files and CCTV to see if there is any unusual activity.
  • Make sure your security policies and procedures are clear, well-communicated and up to date, e.g. your document shredding and retention policy.

Call in the professionals

If you see anything suspicious – or just want true peace of mind, a technical surveillance counter measures inspection (TSCMi) and cyber security audit are the best way of ensuring everything is as it should be.

Receive our monthly newsletter

About the Author

Gurpreet Thathy

Cyber, Associate

Gurpreet has extensive experience in Digital Forensics and Technical Surveillance and Counter Measures (TSCM)

+44 (0)20 7034 9000
Our 24 hour number
+44 (0)20 7034 9000
Legal information

© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.