Ben Aung, Global Chief Information Security Officer at Sage, describes how businesses with staff working from home should be protecting themselves from cyber-threats during the pandemic.
Businesses of all sizes have been forced to adapt to new ways of working during the COVID-19 pandemic. Where once the majority of IT resources were situated in a controlled environment, quarantine and lockdown conditions have mandated widespread remote working across the economy.
For employees, that means the immediate office network is no longer there to turn to if they have a concern or encounter a problem. For businesses, remote working poses a complex exercise with old and new security hurdles to overcome.
We may be in this situation, or a version of it, for some time to come. As a consequence, businesses must understand how attackers are exploiting that fact, and ensure their employees have the knowledge, capabilities and support to prevent business risk.
Sadly, in my experience, where there is a lack of clarity, there is an increased threat to the cyber security of organisations.
Working from home: best security practices
Businesses acted fast to introduce new processes, technologies and services to facilitate easier remote working. However, it’s critical these are carefully explained to staff. Many employees are already anxious, so it’s not an ideal time for them to be inundated with complex new tools. The objective should be to make life as easy as possible for staff with straightforward ‘how to’ guides and easily contactable support.
Companies should also educate employees on keeping their physical surroundings secure. This means drawing attention to the basics which could otherwise be forgotten: locking screens if left unattended, especially if other people are present; locking devices away when not in use; and knowing which virtual meetings require privacy.
Devices should also be encrypted while turned off or locked. Most modern devices have encryption as standard, but this might need to be enabled. The majority of devices also include tools that remotely lock access, erase data, or retrieve a backup. If lacking, they are a worthwhile investment. Encryption and device management are also important controls for many data privacy regulations, such as GDPR.
As it’s more likely that devices will be lost or stolen while everyone is working away from the office, businesses should employ a ‘blame free’ policy. Early reporting can minimise the risk to data, but staff who fear repercussions are less likely to report quickly.
New and familiar cyber threats
Beyond ensuring staff follow good remote-working practices, organisations should take steps to audit and secure the new tools and systems they’ve implemented. Times of crisis are fertile hunting ground for cyber-criminals. It’s safe to assume hackers can make an educated guess about changes to your IT estate and are actively trying to exploit them.
Businesses should review the applications and new services – including VPNs and other remote working tools – employees will be using, and ensure they are patched to the latest software version. In particular, they should prioritise the installation of any security updates. Multi-factor authentication (MFA) should be enabled for every service, or for as many as possible. Where that is not possible, ensure staff use strong passwords, and MFA for the most important services such as connecting to a network via VPN.
Hackers will also continue using tried and tested methods of attack, like ransomware to encrypt an organisation’s data and hold it hostage for payment. Companies should beware of social engineering and phishing emails. Malicious emails with subject lines like ‘2020 Coronavirus Update’ and ‘2019-nCov: New confirmed cases in your City’ are intended to steal login details and infect systems.
If employees haven’t received training on how to spot suspicious emails for some time, then now is the ideal time to have a refresher, using an online security awareness course. Processes and channels should also be in place allowing staff to quickly report suspicious emails and potential attacks. A false alarm is better than an unreported issue, and businesses should emphasise this to prevent staff self-censoring on what they do and don’t report.
When anti-virus tools, MFA, regular patching and training are combined, they can stem the ability of an attacker to make headway in reaching a business’s data or money.
Keep it simple
A strong cyber security defence requires input from all levels. Most people are just trying to do their jobs in difficult circumstances. If employees choose an easier but less secure route, it’s a reliable sign that business leaders need to communicate their remote working expectations more clearly or improve the technical solutions they have provided.
To work from home safely, businesses must provide the right support channels, make sure business users are informed enough to confidently play their part, and ensure IT is delivering patched and configured remote working tools.
Don’t over-complicate things or expect employees to work things out for themselves. When times are uncertain, simple messages, repeated often, go far. The measures and precautions taken today will be worth their weight in gold for organisational security once staff return to the office.