PornHub malware: Work devices could be compromised

Companies should have a very clear acceptable use policy for all of their devices. Photo / 123rf

An industry expert says the PornHub malware "definitely" could affect New Zealand businesses.

Tom Moore of Aura Information Security said there are no borders on the internet, and hackers are becoming more advanced in their techniques.

"This is just one example of a potential cyber risk that could occur should employees use business devices for personal use," Moore said.

As digital devices blur the lines between workers' office and home lives, businesses increasingly run the risk of company devices being used for activities which they don't condone or want to be associated with.

"As businesses become increasingly flexible and offer options such as 'bring your own device', the risk becomes greater if clear boundaries around work and personal use are not put in place," Moore said.

Businesses need to establish clear guidelines and boundaries around the use of work devices and networks, Moore said.

"As an employee, if your employer has provided a device for business use, it should be treated strictly as a business device. You should read, understand and follow your organisation's acceptable use policy."

Last week it was reported that those who visit PornHub may be exposed to the Kotver malware, which generates revenue by clicking on ads in the background, with users left oblivious.

New Zealand's computer emergency response team - known as CERT - has received no reports of New Zealanders being affected and says anyone worried about it should run an antivirus scan.

Microsoft New Zealand's national technology officer Russell Craig said the PornHub malware brings public attention to the risks associated with visiting any website on either a work or personal device.

If companies allow staff to use work devices for personal matters, Craig said they're potentially exposed to embarrassment through an attack.

"So your reputation may suffer," he said.

"But this type of risk could come from any website your staff may access or any online application or service," he said.

"My advice to an organisation is: first and foremost you need a policy telling your staff what is okay and what is not because ultimately you need some sanctions for behaviour which you're not comfortable with. That's not going to extinguish your risk so you really need to be thinking about what technical measures you need to be implementing to reduce or eliminate the risk of your organisation being attacked through the devices your staff are using and the way they're using them," he said.

Craig said companies could also blacklist certain websites they think might pose a high risk or, at the more sophisticated end of the spectrum, set up technology that separates personal use on devices from those associated with the business.