What guidelines should your organization be concerned with regarding information security when working from home? The world has entered “uncharted territory”. This was a statement from the World Health Organization (WHO) about the current COVID-19 pandemic. In reaction to this, companies across the world have fallen in line with health guidance on social distancing and self-isolation by allowing employees to work remotely. So, we find ourselves in unprecedented times in terms of work life.
Whilst this move is welcomed by those who are most at risk of becoming seriously ill and from healthcare professionals, companies must take stock of the security implications.
Here we look at some of the key security issues that affect remote workers and how to minimize their impact.
Cybercriminals are great at taking advantage of any situation and the COVID-19 or Coronavirus pandemic is like honey to a wasp in terms of attracting fraudsters. As expected, cybercriminals are setting the stage for cyber-attacks based on COVID-19. There are already multiple Coronavirus-related cybersecurity scams, many of which may affect remote workers out of reach of an internal IT team. A recent warning from the National Fraud Intelligence Bureau (NFIB) talks about increasing numbers of such scams.
Just a few examples:
Security vendor Checkpoint recently found that Coronavirus-related domains were twice as likely to be malicious as other domains. The company also saw cybercriminals encouraging wannabe hackers on the dark web by offering cheap phishing kits and other hacking tools with a COVID-19 discount code.
Several Coronavirus scams have been targeting users. One example is an email phishing campaign that uses the World Health Organization branding. The email uses social engineering in the form of fear and uncertainty to encourage the recipient to click a link that goes to a malicious website.
As well as targeted COVID-19 scams, other more general remote working security issues exist. These will continue to require serious consideration, even after the current pandemic settles. Security considerations include:
Both malicious and accidental insider threats should be anticipated as a consequence of remote working. "Out of sight, out of mind" is a risk your remote working security policy should address explicitly. Much of this threat comes from accidental data exposure through lost devices or insecure data sharing.
Secure connectivity outside of the corporate firewall can be an issue. Many home routers are potential sources of risk. The malware known as VPNFilter infected over 500,000 home office routers in 2019. Once infected, the malware is used to intercept data and steal personal information and login credentials, a so-called Man-in-the-Middle attack (MitM).
Mobile apps are renowned for being a risk to data. And the remote worker, outside of corporate control, may turn to a preferred app to work from. Many mobile apps are specifically designed for the remote worker; however, apps should be security assessed by your organization for compliance and data security.
In addition to the issues around compliance, mobile apps can also carry malware. In 2019, there was a 50% increase in smartphone and app-related cyber-attacks.
Low tech issues are also a concern for remote workers. From shoulder surfing by housemates to shared passwords and devices, critical and sensitive data can be at risk.
The challenge of COVID-19 may have changed our working practices but it does not need to negatively impact our security hygiene. Whilst working from home, employees should be supported and encouraged to work safely. These 5 ways to do that can help to create a security culture, even outside the office:
Begin as you mean to go on by covering remote working in existing security policies. This is your chance to document the entire cycle of remote work needs. Typical items included in remote working security policy are:
Remote working policies should also include any compliance considerations for home working. For example, you may need to extend a Data Privacy Impact Assessment (DPIA) to cover home working.
Remote workers are at risk of social engineering by cybercriminals. Phishing awareness, in particular, is an important aspect of security awareness for the home worker. Remote security awareness training programs can be used for remote workers, to help them to spot the tricks of phishing and prevent malware infections on home as well as work devices.
In addition, security awareness training can ensure that staff understands the importance of security hygiene. This provides employees with an understanding of issues such as shoulder surfing, data exposure, and good password hygiene within a home and office environment.
Whilst staff are working from home you should consider providing them with tools to help secure their devices and prevent data leaks. Some of the most useful for remote working include:
If you need extra security for especially critical work, you could consider setting up a virtual environment for an employee. Whilst more work is required to set this up, a virtual machine (VM) is useful for creating a controlled environment and can reduce the exposure of the company network/data to the vagaries of a home environment.
Make lists of tools that are approved for use by home workers. This should include tools used to generate and share data, for example mobile apps and collaboration portals. Whilst some staff may flout this rule, incorporating it into your company security policy helps to enforce it.
Having robust authentication to access company resources is always a best practice. However, in a home working situation, it is essential. Wherever possible, ensure that second-factor authentication is used for any corporate resource access.
In addition, the principle of least privilege, if not already applied in your company, should be seriously considered. Building on it, Zero Trust identity policies can be used to control access and ensure that data is accessed on a need-to-know basis. This reduces the risk of data leaks.
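The following is an added example, not code from the original article, showing how the three controls above (second-factor authentication, least privilege and need-to-know access) combine into a single fail-closed access decision for a remote worker's request. The role names, resources, the managed-device check and the sample requests are constructed for this illustration and do not describe any particular product.

```python
"""Added example: a minimal fail-closed access check that enforces a verified
second factor, a least-privilege role permission and an explicit need-to-know
grant before a remote worker reaches a corporate resource.
Illustrative code written for this article; roles, resources and sample
requests are constructed, not taken from any real organisation."""

from dataclasses import dataclass, field

# Constructed role-to-permission map: each role carries only the
# (resource, action) pairs it needs, which is the least-privilege part.
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger", "read"), ("ledger", "write")},
    "support-agent": {("tickets", "read"), ("tickets", "write"), ("customer-pii", "read")},
    "contractor": {("tickets", "read")},
}

# Resources sensitive enough to require an explicit per-user need-to-know
# grant on top of the role permission (assumption: grants are recorded per user).
NEED_TO_KNOW_RESOURCES = {"customer-pii", "ledger"}


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool        # second factor completed for this session
    managed_device: bool      # assumption: request comes from a company-managed device or VM
    need_to_know_grants: set = field(default_factory=set)


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every rule denies unless it positively passes."""
    if not req.mfa_verified:
        return False, "second factor not verified"
    if not req.managed_device:
        return False, "device is not company-managed"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role {req.role!r} has no {req.action!r} permission on {req.resource!r}"
    if req.resource in NEED_TO_KNOW_RESOURCES and req.resource not in req.need_to_know_grants:
        return False, f"no need-to-know grant for {req.resource!r}"
    return True, "allowed"


def audit(requests: list[AccessRequest]) -> dict[str, tuple[bool, str]]:
    """Evaluate a batch of requests; denials are what a SOC would want to review."""
    return {r.user: evaluate(r) for r in requests}


# Constructed sample requests covering one allow and each denial path.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "finance-analyst", "ledger", "write", True, True, {"ledger"}),
    AccessRequest("bob", "support-agent", "customer-pii", "read", False, True, {"customer-pii"}),
    AccessRequest("carol", "contractor", "tickets", "write", True, True),
    AccessRequest("dave", "support-agent", "customer-pii", "read", True, True),
    AccessRequest("erin", "support-agent", "tickets", "read", True, False),
]

if __name__ == "__main__":
    for user, (allowed, reason) in audit(SAMPLE_REQUESTS).items():
        print(f"{user:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The order of the checks matters: the cheap identity and device checks run before any permission lookup, and a request that satisfies the role permission but lacks the need-to-know grant is still denied, which is the distinction the article draws between least privilege and need-to-know.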
While this pandemic plays out across the world, we must all pull together to minimize its impact on our health. This may mean using methods of social distancing, including remote working. Once the virus has reduced in scale and scope, we may be able to go back into our offices and settle back down to ‘normal life’. However, this taste for working from home may well continue. We may be forced to take stock of our cybersecurity during COVID-19, but this is likely to stand us in good stead for the future too.