The power of the internet is the intrinsic link keeping businesses functioning during the Covid-19 crisis. However, cybercriminals are on the prowl and are targeting your staff, warns Brian Honan.
As we all adjust to the new normal resulting from the Covid-19 pandemic, many companies are taking advantage of the internet to carry on as near to normal as possible by enabling staff to work from home. The power of the internet gives many businesses this flexibility, and they are now able to minimise the disruption Covid-19 causes to their bottom line.
However, just as the internet provides businesses with many opportunities during this crisis, it also provides cyber criminals with opportunities to increase their ability to cause disruption and damage to businesses and individuals.
To add fuel to the fire, many people are struggling to come to terms with their new work environments. Many may never have worked from home before, and even for those who regularly work remotely, the current environment adds many previously unknown challenges to the mix. People are now working in an environment where they may have to provide childcare, they may be worried about how family members outside their home, such as elderly parents, will cope, and they may have to compete with home schooling and with partners who are all looking to share the same workspace.
On top of the challenge of staff now working remotely, companies looking to support those staff may have opened up their Virtual Private Networks (VPNs), provided remote access solutions, and migrated certain systems to the cloud. Inevitably, in the rush to get many of these solutions working and scaled up to support the increase in remote workers, they may not have been set up as securely as they should be. The old adage “marry in haste, repent at leisure” may apply to many of these hurriedly assembled solutions.
This all leads to an environment in which criminals thrive. When people are under stress and pressure they are more susceptible to fraud and scams, something criminals will exploit.
Employees at home are on the security front line
One of the principal avenues of attack for criminals will be to target employees and try to solicit their login credentials from them; this is known as a phishing attack. Another avenue will be to compromise their device, by fooling them into clicking on a link in an email or other messaging platform, or by tricking them into downloading malware onto their device by opening an attachment.
While staff may be the primary target of criminals they can also be the best defence an organisation can have. So organisations should ensure staff are trained in how to spot and deal with fake emails and what to do should they receive one. This training should also include the IT support desk as criminals could contact them posing as a member of staff looking for help to access their account.
Organisations should also appreciate that many staff who are now working remotely have never done so before and may not be familiar with how to use remote access systems, or with the new systems that were set up to facilitate remote working. A simple step-by-step guide outlining to staff how to log in to systems securely, how to use the remote access software, and how to use the new systems can reduce the risk of staff making mistakes or being duped by criminals.
Once the rush to enable staff to work remotely is over, organisations should take the time to revisit their environments and make sure they are secure and meet the requirements of GDPR. A key step is to develop a remote working policy which outlines how staff can work remotely in a secure way; this policy should set out which systems staff can use and which ones may not be appropriate.
Organisations should implement Multi-Factor Authentication, or MFA, wherever they can. In the event someone’s password becomes compromised, MFA provides an additional layer of protection to prevent the account from being hijacked.
In some cases, staff may have been set up with access to cloud-based file sharing and collaboration tools. While these may have helped in the initial wave of getting people to work remotely, the personal versions of these systems are not as secure as the enterprise versions, and some of them may also raise GDPR issues. Selecting a business-level plan for these services, or migrating to a business-level solution, can address some of these concerns.
Security testing of VPN and remote access gateways should be conducted to ensure they are configured securely. A security review of all cloud-based solutions should also be conducted to identify any potential gaps that criminals could exploit to gain access to sensitive data. Any businesses that have moved their business online to enable customers to continue to purchase products or services should have those systems tested to make sure they are secure.
Organisations should also examine solutions to ensure devices employed by staff remain secure, such as keeping anti-virus software updated and systems and applications patched to the right software levels.
Finally, organisations need to review how they detect and respond to potential intrusions. This review should take into account any amendments needed to their procedures on how to respond to a cyber-attack in order to support the response team working remotely, and how the security monitoring solutions need to be configured to support the new work environment.
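The following is an added example, not from the original article, of the kind of detection logic that remote-access monitoring needs once most logins arrive over a VPN gateway rather than from the office network. It is written in Python over constructed, syslog-style authentication records (the format, hostnames, usernames and addresses are made up for the example; real gateways log differently). It flags three patterns in one pass: password spraying (one source address failing against many different accounts), brute force against a single account, and a login that succeeds without MFA shortly after a run of failures, which is what a compromised password looks like when the account has not been given a second factor. The thresholds and time window are assumptions and would be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from any real product or incident).
SAMPLE_LOG = """\
2020-04-06T08:01:12Z vpn-gw01 auth: result=FAIL user=alice src=203.0.113.10 reason=bad_password
2020-04-06T08:01:14Z vpn-gw01 auth: result=FAIL user=bob src=203.0.113.10 reason=bad_password
2020-04-06T08:01:16Z vpn-gw01 auth: result=FAIL user=carol src=203.0.113.10 reason=bad_password
2020-04-06T08:01:18Z vpn-gw01 auth: result=FAIL user=dave src=203.0.113.10 reason=bad_password
2020-04-06T08:01:20Z vpn-gw01 auth: result=FAIL user=erin src=203.0.113.10 reason=bad_password
2020-04-06T08:01:22Z vpn-gw01 auth: result=FAIL user=frank src=203.0.113.10 reason=bad_password
2020-04-06T08:02:00Z vpn-gw01 auth: result=OK user=alice src=198.51.100.24 mfa=yes
2020-04-06T08:05:01Z vpn-gw01 auth: result=FAIL user=grace src=192.0.2.77 reason=bad_password
2020-04-06T08:05:03Z vpn-gw01 auth: result=FAIL user=grace src=192.0.2.77 reason=bad_password
2020-04-06T08:05:05Z vpn-gw01 auth: result=FAIL user=grace src=192.0.2.77 reason=bad_password
2020-04-06T08:05:07Z vpn-gw01 auth: result=FAIL user=grace src=192.0.2.77 reason=bad_password
2020-04-06T08:05:09Z vpn-gw01 auth: result=FAIL user=grace src=192.0.2.77 reason=bad_password
2020-04-06T08:05:40Z vpn-gw01 auth: result=OK user=grace src=192.0.2.77 mfa=no
2020-04-06T09:15:00Z vpn-gw01 auth: result=FAIL user=heidi src=198.51.100.9 reason=bad_password
2020-04-06T09:30:00Z vpn-gw01 auth: result=OK user=heidi src=198.51.100.9 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$"
)


def parse(log_text: str) -> list:
    """Turn the constructed log format into event dicts; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
            "mfa": "mfa=yes" in m["rest"],
        })
    return events


def detect(events: list, window: timedelta = timedelta(minutes=5),
           spray_users: int = 5, brute_failures: int = 5) -> list:
    """Single chronological pass with sliding windows per source and per user."""
    findings = []
    fails_by_src = defaultdict(deque)    # src  -> deque of (ts, user) failures
    fails_by_user = defaultdict(deque)   # user -> deque of failure timestamps
    flagged_src, flagged_user = set(), set()

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            # Password spraying: one address, many distinct accounts, few tries each.
            sq = fails_by_src[ev["src"]]
            sq.append((ev["ts"], ev["user"]))
            while sq and ev["ts"] - sq[0][0] > window:
                sq.popleft()
            distinct = {u for _, u in sq}
            if len(distinct) >= spray_users and ev["src"] not in flagged_src:
                flagged_src.add(ev["src"])
                findings.append({"type": "password_spray", "src": ev["src"],
                                 "users": sorted(distinct)})
            # Brute force: one account hammered from anywhere.
            uq = fails_by_user[ev["user"]]
            uq.append(ev["ts"])
            while uq and ev["ts"] - uq[0] > window:
                uq.popleft()
            if len(uq) >= brute_failures and ev["user"] not in flagged_user:
                flagged_user.add(ev["user"])
                findings.append({"type": "brute_force", "user": ev["user"],
                                 "src": ev["src"], "failures": len(uq)})
        else:
            # A success right after failures is only reassuring if MFA was completed.
            recent = [t for t in fails_by_user[ev["user"]] if ev["ts"] - t <= window]
            if recent and not ev["mfa"]:
                findings.append({"type": "success_after_failures_no_mfa",
                                 "user": ev["user"], "src": ev["src"],
                                 "failures": len(recent)})
    return findings


def run_example() -> list:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the sample data this reports the spray from 203.0.113.10, the brute force against `grace`, and `grace`'s subsequent non-MFA login from the same address, while `alice`'s and `heidi`'s MFA-backed logins are left alone. The third finding is the one that should page someone: it is the remote-working case the article warns about, a guessed or phished password on an account that was never enrolled in MFA.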
There are some excellent free resources available to help organisations deal with these challenges. Europol has published a guide on safe teleworking, and the Data Protection Commission has a guide on protecting personal data when working remotely. Finally, the Irish National Cyber Security Centre (NCSC) has a 12-step guide for Irish businesses on securing their systems.
Brian Honan is CEO of BH Consulting, a world-leading consulting firm in the areas of cybersecurity and data protection, and is recognised internationally as an expert on cybersecurity. He has acted as a special advisor to Europol’s Cybercrime Centre (EC3), he is the founder of Ireland’s first CERT, and he sits on the advisory boards of several innovative security companies. Brian is the author of several books and regularly contributes to various publications. For his contribution to the cybersecurity industry Brian has been awarded the “SC Magazine Information Security Person of the Year” and was also inducted into the Infosecurity Hall of Fame.