While healthcare workers are battling the COVID-19 virus, countries are in lockdown mode, and the global economy hangs in the balance, another war is raging in cyberspace. Risks to systems, data and communications are increasing as cyber-attackers utilise the pandemic to evolve attack techniques by blending technical prowess with sophisticated social engineering. The current challenge with the virus pandemic is a test of nations’ and businesses’ preparedness, expertise, and resilience on all fronts.
As companies and individuals moved to work from home during the lockdown period, it is imperative that the associated risks be acknowledged and evaluated, and that potential mitigation measures be implemented.
Cyber-attackers thrive in uncertain times, as anxiety is readily exploitable. With employees spending more time online and left to their own devices, it is inevitable that some will use this free time to access obscure or questionable websites and stream pirated audio or visual media, thereby opening the door to malware or ransomware attacks.
At the same time, employees working from home pose a threat not only to themselves, but also to their employers. Technology and critical security staff may be stretched to capacity, coupled with increased workloads and concern for personal safety. Staff reductions and distractions may affect monitoring and response times, leaving organisations more susceptible to destructive or debilitating attacks.
Working from home (WFH) Mitigation Measures
A. Be Prepared: Planning is key
Cybercriminals and opportunistic individuals are grasping the opportunity to tailor cyber-attacks on industries and individuals compelled to work from home. Have a proper security plan in place, tailored to the organisation and home environment. Understand the assets, the dataflow between the assets and identify the risks.
Unfortunately, there is no one-size-fits-all magic cyber solution, as each organisation is unique in terms of, for example, assets, data, sector, size, and technology. Lacking a tailored security plan will only result in wasting money and resources as the next “best solution” is chased.
B. Have a #WFH policy in place
A #WFH policy, with associated implementation procedures and metrics for compliance and evaluation, must provide direction to all workers on how to create and maintain a safe working environment.
Possible sections to include:
● Information on securing their home environment.
● Issuing of company devices, the do’s and don’ts. Security levels and associated access mechanisms.
● Authentication to remote systems, whether internal company networks or cloud services.
● Process on how remote workers are to be approved for accessing systems and services.
● Use of own devices and the possible legal implications.
● Password management and Two-Factor Authentication by default.
● Required training programs on cyber security awareness and COVID-19 for all staff.
● Incident Response Plan: What to do when, for example, a ransomware attack is launched. This ties in with the business continuity plan.
● Use of Virtual Private Networks (VPN) for accessing remote networks.
C. Education, Understanding & Communication
The majority of workers are experiencing apprehension and will experience different levels of anxiety, be it technology or security related. Information (guard against an overload), which is valid, thoroughly researched, and applicable to them, is vital. It will aid in understanding the problems and how to guard against the dangers. Education is key.
Establish communication lines and make an effort to understand the differences in home environments in terms of technology, hardware, people and accessibility. For example, the risks imposed by a home consisting of a mature couple with no Wi-Fi access, versus a house with teenagers streaming via a Fibre connection are vastly different.
Acknowledge these differing environments and manage the risks accordingly.
D. Towards cyber resilience – some quick wins
● Patch management: Ensure all software on mobiles, tablets, PCs, and laptops is legal and updated.
● Emails: Guard against the use of private emails for work purposes and vice versa.
● Access: Establish authority levels for accessing systems, services, and documentation. Do not provide access to networks and data by default to all workers.
● Encryption: Encrypt data at rest (i.e. disk encryption) as well as in transit (i.e. VPN).
● Back-ups: Regular back-ups, kept off-site.
● Anti-malware software: Yes, the paid options. For all end points, including mobiles.
Keep in mind that security must ENABLE business. Ease staff into the new environment, especially those who are not familiar with security technology. Don’t allow the security requirements and implementations to frustrate users, as ways around them will be found, making good efforts obsolete.