We all face a period of ongoing uncertainty as we deal with the fallout from Covid-19. One of the many secondary effects has been the change in how we work. Huge numbers of us are now working remotely from home, and the implications of this change are significant. While many are positive, including the elimination of commuting and increased productivity, those working in IT security are concerned about the increased risk. So what are some of the elements you should be looking at to ensure your company’s security is not compromised under this new working order?
Employees should use work devices to access files, resources and applications rather than their personal devices. As we all adapt to working at home, numerous devices are going to be required (particularly during lockdown), so it is common for families to share hardware such as smartphones, laptops or tablets. Despite the temptation to share equipment, any work device should be used exclusively for work purposes.
Virtual private networks create encrypted tunnels for sending and receiving data, so that the sensitive file you’re sending to the office can’t be intercepted by third parties. Where possible you should use a VPN, particularly when working remotely for companies where security needs to be paramount. Also, when connecting to a website or application over the internet, check the address bar to ensure the protocol used is HTTPS and not just HTTP.
The popularity of applications like Zoom and House Party has exploded in recent weeks; however, there are concerns about the security of some of these applications.
“The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app's business model and security practices. Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing. Specifically, it uses TLS, which underpins HTTPS website connections and is significantly better than nothing. But it most definitely is not end-to-end encryption (E2E). E2E ensures all communications are encrypted between devices so that not even the organization hosting the service has access to the contents of the connection. With TLS, Zoom can intercept and decrypt video chats and other data.” The Register
It is thus advised to treat any confidential conversations held over Zoom as being vulnerable to being overheard. Of course, the other issue is that unlike face-to-face conversations in an office environment, you have to assume all online conversations are being recorded.
Phishing emails continue to be the most common source of cyber fraud, with bad actors impersonating Google Drive, Dropbox, Microsoft email, Zoom, etc. We recommend treating all links with the utmost care: either protect your mailbox with an email filtering service such as Vade Secure, or type URLs directly into the browser.
Vade Secure is the only product that doesn’t need any MX record updates for Microsoft and the only product that stops spear phishing, which is internal spoofing/phishing from one employee to another (usually again done by a bad actor).
Social engineering relates to the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. We are seeing evidence of an increase in calls by bad actors who are capitalising on the current situation by impersonating a bank or other official knowing that people are trapped in their homes. Action Fraud in the UK reported a 400% increase in fraud related to Covid-19 in March.
Adding a second factor to authenticate access to software is a great way to boost your security. Google Authenticator is one good example of a simple app that does this effectively: it generates a short, time-based one-time code that changes every few seconds, which you enter alongside your password to authenticate.
Without oversight of employees’ work environments, it is increasingly necessary to have confidence in the endpoints that are accessing the company’s infrastructure. Thus, when you are away from your laptop it is important to lock it (using a password or Touch ID) to prevent access. While the risk at home is lower than in shared workspaces, for example, it is still good practice to have the workstation lock automatically after a period of inactivity. Pressing Ctrl + Cmd + Q on your Mac will lock your screen and, on Windows PCs, you can press Windows + L.
All software (including your anti-virus software, browser and operating system) should be updated when the latest versions come out. Many updates include bug fixes related to security vulnerabilities and thus ensuring you have the latest version in place is paramount. Ideally, one dedicated person is responsible for ensuring that all staff capture an image of their updated operating system and share it for audit purposes.
At one time USB keys were very popular, particularly as branded giveaways at trade shows. Over time it has been recognised that they do introduce risk and are thus best avoided, particularly if you are gifted one. Instead, it is more secure to use online company storage options like Google Drive, Dropbox, Box, etc.
It is important to always liaise with your IT team (if you have one) when downloading new software applications or tools. Perhaps they have a corporate licence, or if not, it is still important for them to check that there are no known issues with the software.
In summary, as we adjust to working at home it is important to ensure we are more cognizant of the new security risks we face and that we modify our behaviour accordingly.
About Andrew Tobin
Andrew Tobin is the CEO and Founder of Stryve. Andrew ensures that the company remains at the cutting edge of cybersecurity and that Stryve offers world-class solutions to its clients.
With almost 30 years of combined experience, Stryve offers unparalleled services in the Cyber Security, Business Continuity, Cloud Solutions and Secure Web Development sectors. https://www.stryvesecure.com/