All companies are encouraging their staff to stay home and to work remotely. For highly digitalized companies, the organizational structure, management systems, communication infrastructure and policies needed for remote working are already in place, and a rapid shift to remote work is possible from day one.
For the majority of companies and organizations of all sizes, however, the situation is likely to be very different: they are simply not ready for the shift to remote work from home. And once they have shifted to home office, these changes in the way of working involve serious cybersecurity risks that companies and organizations of all types and sizes should be aware of and work to mitigate.
With increased remote work there is an increased risk of employees accessing data through unsecured and unsafe Wi-Fi networks, using personal devices to perform work, and not following the general security protocols established by the company. This reveals the need for new and improved effective cybersecurity measures that should be implemented by every responsible organization.
We believe that in these challenging times we have to help and support each other. This is why we would like to share general guidelines, prepared by our cybersecurity expert instructors from Amatas, on how to deal with the COVID-19 cyber risks and protect our digital lives.
Secure company devices
- Implement full disk encryption and use a TPM.
- Use strong passwords for each stage of authentication - not only for logging in to the operating system, but for pre-boot authentication as well.
- Implement an automatic lock-out mechanism and encourage such routines. Employees should be advised not to leave company property unattended.
- Employees may take sensitive or confidential materials offsite that they would not otherwise. They may also print documents containing sensitive nonpublic information in public locations or on network printers with unsecured connections. We think employees should be advised not to take critical materials off-site unless unavoidable and never to print corporate documents at home unless absolutely necessary.
- Employees should be advised to return all printed materials once they return to the office for proper destruction and to avoid disposing of documents at home without proper cross-cut shredding.
Securing remote connections
Use of VPN
- Where possible, remote access to company networks should be established through a virtual private network (VPN), which routes the connections through the company's private network, or through another encrypted connection mechanism.
- In case employees are remotely accessing sensitive information on the network, VPNs should be configured with multi-factor authentication (MFA) as an added security layer. With MFA enabled, even if an employee's VPN credentials are compromised, an unauthorized actor will be unable to connect through the VPN without the second factor (e.g., a code sent to the individual's smartphone, a hardware token, biometric verification, etc.).
- Firewalls must be properly configured and monitored to identify attempted or successful connections from unauthorized or suspicious Internet Protocol (IP) addresses.
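As an added example of the monitoring recommended above (not code from Amatas or New Horizons, and written against a constructed VPN gateway log whose line format is an assumption for this example), the script below reviews authentication events per source IP and surfaces repeated failures, a success that follows failures from the same address, and a success from a network the company has decided to block.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample VPN gateway log (not real data); the line format is an
# assumption for this example: "<timestamp> <source-ip> <event> user=<name>".
SAMPLE_LOG = """\
2020-03-16T08:01:12Z 203.0.113.7 vpn-auth-ok user=alice
2020-03-16T08:02:40Z 198.51.100.23 vpn-auth-fail user=bob
2020-03-16T08:02:45Z 198.51.100.23 vpn-auth-fail user=bob
2020-03-16T08:02:51Z 198.51.100.23 vpn-auth-fail user=bob
2020-03-16T08:03:02Z 198.51.100.23 vpn-auth-ok user=bob
2020-03-16T08:10:19Z 192.0.2.44 vpn-auth-ok user=carol
2020-03-16T08:15:00Z 203.0.113.7 vpn-auth-fail user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>vpn-auth-ok|vpn-auth-fail) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Yield (ip, event, user) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("event"), m.group("user")


def review_vpn_log(text, blocked_networks, fail_threshold=3):
    """Flag repeated failures per source IP, a success that follows failures
    from the same IP, and a success from a network on the block list."""
    blocked = [ipaddress.ip_network(n) for n in blocked_networks]
    failures = Counter()
    success_after_failures = []
    blocked_success = []
    for ip, event, user in parse_log(text):
        if event == "vpn-auth-fail":
            failures[ip] += 1
            continue
        # Successful login: check it against earlier failures and the block list.
        if failures[ip] > 0:
            success_after_failures.append((ip, user))
        if any(ipaddress.ip_address(ip) in net for net in blocked):
            blocked_success.append((ip, user))
    return {
        "repeated_failures": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        "success_after_failures": success_after_failures,
        "blocked_network_success": blocked_success,
    }
```

Run against the constructed log with `["192.0.2.0/24"]` as the block list, bob's login after three failures and carol's login from the blocked range are both reported.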
BYOD (Bring Your Own Device)
Use of personal devices
- Personal devices are more likely to be used when employees are working remotely, and such use presents additional cybersecurity risks given the lack of corporate control over the devices.
- Where mobile devices (e.g., mobile phones, tablets, laptops, etc.) are permitted to connect to the corporate network, ideally such devices should be controlled using mobile device management (MDM) software.
- Personal mobile devices should be encrypted and protected using strong alphanumeric passcodes.
- The device must lock itself with a password, PIN or biometric recognition when idle. The lock timeout must be set to the shortest available interval.
- Employees should be advised to install antivirus protection on their devices.
- Rooted (Android) or jailbroken (iOS) devices or similar should be strictly forbidden from accessing the company network.
Use of Wi-Fi networks
Access through unsafe Wi-Fi networks
- Employees working from home may access sensitive business data through home Wi-Fi networks that will not have the same security controls — such as firewalls — used in traditional offices. More connectivity will be happening from remote locations, which will require a greater focus on data privacy and hunting for intrusions from a greater number of entry points.
- Employees should be advised to secure their home Wi-Fi networks with a robust password and at least WPA2 encryption.
- Prior to authorizing remote connection to the corporate network, employees should be instructed about the logistics of connecting to the network, appropriate use of Wi-Fi, and steps to take if a security incident or other compromise is suspected or identified. While these subjects are often covered in annual employee trainings, now is a good opportunity to provide a training update or informal security reminders. Regardless of the efforts and the sophisticated security measures put in place to create a safe environment for remote workers, the risk of human error will always exist.
Susceptibility to phishing campaigns
- Cybercriminals are always searching for security vulnerabilities to exploit, and many employ sophisticated attacks tailored to a specific company and its employees. A malicious hacker could target employees working from home by creating a fake coronavirus notice or phony request for charitable contributions.
- In an effort to keep employees informed about company policies regarding the coronavirus, many employers are creating new email accounts that send out daily email updates. These emails often contain several links to forms or company briefings and updates. Given the sensitivity of such emails, employees may be quick to open these emails or to click the links, even from previously unknown company email addresses.
- Employees should be informed that phishing emails disguised as coronavirus updates or as updated company policies may deceive them. For example, the World Health Organization (WHO) specifically warned that, in connection with COVID-19, cyber criminals are sending phishing emails with malicious links and are impersonating WHO officials to steal money and sensitive information.
- Many companies already include warning banners on emails that originate outside of the company; ensuring that such banners continue to be applied to email from addresses outside the company will help employees work out which coronavirus updates are legitimate. An additional solution is to create a coronavirus portal on the company website that employees can access for live company policy updates when they are not confident that an email communication from the company is legitimate.
- New Horizons of Prague is ready to provide your company with complimentary advice on how to deliver and manage a cyber training and awareness programme for your employees, to help them against these social engineering attacks and raise their cyber security awareness.
Unsecure conference call lines
- An increased need for conference call or video services may exceed the capacity of the company’s existing accounts. A free or online-based service may seem like a sensible temporary alternative, but employees should be advised against using these for work-related calls without consulting with the company. Some services may not be secure or may even record your employees’ conversations by default.
- That is why we suggest that employers proactively work with their existing conference call provider to accommodate the temporary need, or identify a secure alternative for employees to use.
- We advise using trusted platforms like Microsoft Teams, Google Hangouts and Cisco WebEx for secured conference call lines.
Dealing with cyber incidents
- While employers are working hard to protect the health and safety of their employees, incident response requirements remain in effect. Employees should be reminded that if they become aware of a possible data security breach while out of the office, they should inform the organization’s designated recipient for such notifications. Moreover, each company’s data breach response team should be reminded that due to the possibility of increased risk during this period of time, their attention and resources may be called upon.
- The Amatas Security Operations Centre operates 24/7 and we are ready to provide you with complimentary advice during the period of COVID-19 restrictions on how to deal with cyber incidents.
The COVID-19 crisis is likely to be with us for a while. Our companies and employees will be forced to make tough decisions rapidly. We will face new risks and challenges, but we need to ensure the security of our networks, devices and data in order to ensure our digital future.
At New Horizons of Prague, we know every company is dealing with significant human resources, health and business issues associated with the coronavirus outbreak. With a little extra care about security at this strenuous time, hopefully we can avoid having to deal with additional issues associated with data breaches or loss of valuable business information.
Training for Every Cybersecurity Career Path with New Horizons of Prague
There are endless paths your cybersecurity career can lead you down. As the world’s largest IT training company, New Horizons of Prague offers expert-led IT training to help you master sought-after skills and prepare you for the top cybersecurity certification exams.
Whether you’re just getting your feet wet in the IT industry or preparing to submit your résumé for a management position, New Horizons of Prague offers the hands-on cybersecurity training courses you need to accelerate your career.
Unsure which training course to take first? Contact us, or discover the best certification path for your career and goals using the New Horizons Cybersecurity Roadmap.
(adapted by New Horizons of Prague's CyberSec team of instructors from AMATAS COVID-19 Cyber Risks: Mitigation Best Practices)