As the ongoing Covid-19 pandemic continues to affect numerous aspects of daily life, workers and employers are adapting to new ways of working.
Yesterday, Prime Minister Boris Johnson announced new, stricter measures aimed at limiting social contact, including travelling to work only when “absolutely necessary and cannot be done from home”. Although such measures are important for delaying the spread of the virus, they have tested organisations’ infrastructure and remote working practices.
“Remote working on a scale we’ve never seen before has now become a fact of life; doing this without compromising security will be more important than ever,” says Jeremy Hendy, CEO at cybersecurity firm Skurio.
In light of this, Verdict has compiled key pieces of advice from experts from the cybersecurity industry to help organisations maintain robust security during this unprecedented situation.
Avoid unsecured wifi networks and routers
“Hundreds of thousands of employees are now working from home, and for many of them, these are uncharted waters. They need to understand that using an unsecured Wi-Fi network makes them vulnerable to hackers, and take precautions against unauthorised users. Wi-Fi routers need to be configured correctly in order to maximize security and protect sensitive data. We encourage everyone to follow their corporate IT policies, including use of VPN networks, and check their settings to safeguard their connections.”
Ashish Sharma, president of IoT & Mobile Solutions at Inseego
Keep work and personal separate
“Many employees have been thrown into a new work-life reality. Some are working from home for the first time. Aside from the regular stress, they have family and household concerns, not to mention a global pandemic to worry about. While working remotely, don’t let security slip through the cracks. It’s going to be tempting to read the latest news, check personal email, and see how your friends and relatives are doing on social media. But all this activity on a work device makes it more likely employees will fall prey to a cyberattack. If just one employee becomes infected and VPNs into the corporate network, they may unknowingly open the entire company up for exploitation.
“Organisations may have stringent measures in place, but employees must be cyber aware when working. Employees must only access websites that they’d usually visit and take extra time to observe emails and text messages. If something seems strange, or a request seems unusual, verify it by calling or messaging them on a different collaboration tool like Slack or Microsoft Teams. It is the lesser of two evils if you miss an email from a colleague or client compared to clicking on a malicious link that opens your company up to a cyberattack.
“Two-factor authentication is hailed as the Holy Grail when it comes to protecting from malicious actors who target remote workers as it acts as a second layer of security. While two-factor authentication is important and reduces risk, it is not a bulletproof solution. Since text messages are often used for two-factor authentication, security can potentially be bypassed if the phone is accessible or compromised.”
Matt Lock, Technical Director at Varonis
Ensure employees have sufficient cybersecurity awareness
“Advise your employees to avoid using their Wi-Fi connection at home and rather connect their laptop or workstation to the router with a network cable. Not only does this provide a more secure connection, but it also enhances speed as it will be quicker than wireless.
“Make sure employees are using a VPN with appropriate encapsulation and authentication to the data they are accessing. If possible, use IPsec or SSTP (Secure Socket Tunnelling Protocol) as a connection. You can suggest split tunnelling, which allows a user to establish a secure VPN for work-related connections but use their own Internet connection to do ‘non-work’ related activities.
“The most important thing is to ensure your staff have sufficient cybersecurity awareness. At this time there should be no reason why a user is connecting to corporate resources in public spaces as they should be at home.
“But they still must be aware that other people can still access their screens – although the risk is smaller at home, users should lock their devices when not in use. They should behave as if they were in the office, applying the same security mechanisms as they would do at work. Acceptable Usage Policies (for corporate and BYOD devices) should be robust and apply at home equally as at work. This also includes telephone calls and online meetings.”
Phil Chapman, Senior Cybersecurity Instructor at Firebrand Training
Get a VPN
“In these trying times, setting up and working from home can be frightening, but you can make it easier on yourself by following a few simple, easy-to-set-up items. First, with your in-home router/Wi-Fi, immediately change your password to a 12-character password for security. Second, make sure your virus scan software is up to date to protect you from cyber garbage, and third, get a VPN, a Virtual Private Network; this item will hide you behind a “Private Network”. All of these individually, and even more so combined, are going to keep you safer.”
Christopher Carter, CEO of Approyo
Use a password manager
“For many, working from home means documents and conversations are more open to access from others, even if it is just family. So it is more important than ever to ensure that all programmes have long, randomly generated passwords to protect access.
“This is where password managers come in, killing two birds with one stone by generating and storing unique passwords for every login. The username and passwords are then stored within a secure vault, where they’re organised and encrypted for safekeeping and ease of access.
“Using a password manager and turning on multi-factor authentication, where available, will help users improve their password hygiene, limit the risk of being hacked – and of accidental sharing while remote working – ultimately keeping our work safe and secure.”
Gerald Beuchelt, CISO at LogMeIn
Double check bank payment details
“Be suspicious of every email and check links. Look out for misspelled domains, a clear sign of a suspicious email known as ‘typo-squatting’.
“Secondly, when making payments, make sure to compare the bank details with previous transactions and put in place processes for them to be authorised by more than one person. Hackers hate dealing with the real world, so call the bank before any payment is authorised.”
Jeremy Hendy, CEO of Skurio
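As an added illustration of the misspelled-domain check described in the quote above (this is not code from the article or from Skurio), the sketch below compares a link's host with a list of domains the organisation already trusts. The domain names, the character-swap table and the edit-distance threshold of 1 are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation really deals with.
TRUSTED = ("examplebank.com", "example-payroll.co.uk")

# Common character swaps seen in misspelled domains (assumed, not exhaustive).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def skeleton(name):
    """Collapse look-alike characters so 'examp1ebank' equals 'examplebank'."""
    for fake, real in SWAPS:
        name = name.replace(fake, real)
    return name.replace("-", "")

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]

def check_link(url):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in TRUSTED:
        # Compare as many trailing labels as the trusted name has.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        if (skeleton(tail) == skeleton(good) or edit_distance(tail, good) <= 1
                or host.startswith(good + ".") or "." + good + "." in host):
            return "lookalike", good
    return "unknown", None
```

A "lookalike" result is a prompt to verify the sender by phone before acting, not proof of fraud; short domain names will produce false positives at this threshold.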
Watch out for a rise in phishing scams
“A global pandemic has not dissuaded cybercriminals from preying on the vulnerable. Make sure that all of your passwords are unique and complex, and that you change compromised passwords as soon as possible. Using a password manager to generate and store unique passwords for every website or app is just basic internet hygiene. Phishing scams, in particular, are rampant in these sorts of situations. Never click a link in an email that you weren’t expecting. And if you accidentally do: change your password on the site you meant to visit immediately, after confirming you’re on the site by typing its URL manually in your browser.”
Emmanuel Schalit, CEO of Dashlane
Ensure IoT devices are protected
“Firstly, set passwords on all of your IoT connected devices. Whether it’s your connected front door camera, a connected plug or another smart home device, most people leave their devices with easily guessed default passwords, making devices highly vulnerable to large scale attacks. Secondly, maintain the software and operating systems running on the devices you use within your home network. It’s easy to ignore updates, but they’re necessary if you want to protect yourself from the ever-evolving nature of cyberthreats. Finally, invest in a router which has the ability to understand your network and take care of your device security for you.”
Steeve Huin, VP Business Development at Irdeto
Check devices are patched
“Check that you are still patching your devices. You are now possibly the remote IT department, so it is vital to make sure you are up to date. With the increase in conference calls it may be tempting to leave your webcam open, so remember to keep covering it up when not in use. VPNs do make your connection slower, but they are invaluable when working from home, so don’t be tempted to turn them off. Lastly, it goes without saying that you should make sure you have antivirus installed.”
Jake Moore, Cybersecurity Specialist at ESET
Watch out for social engineering attacks
“With so many people now forced to use their home broadband to work from home, one of the biggest threats they face is social-engineering attacks – victims being tricked into making a mistake. These incidents take many forms, including email-based phishing and via social media. The key is to educate everyone about what social engineering is, the most common indicators of such an attack, and what to do when they spot one. Weak passwords continue to be one of the primary drivers for breaches on a global scale. Anyone working at home should be reminded about the need for strong passwords such as passphrases, as well as the use of password managers and multi-factor authentication. It’s also important to ensure you are using technology running the latest version of the operating system and applications.”
Lance Spitzner, Security Awareness Director at the SANS Institute