With the spread of the novel coronavirus (COVID-19), many businesses are requiring or permitting employees to work remotely. This is intended to remind all businesses and their employees that, in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.
All employees should remain alert to increased cybersecurity threats, some of which specifically target remote access strategies. Unfortunately, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.
Employees working from home may be accessing or transmitting company data as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a business. Exposure of company data or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals. The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures.
Increased Risk with Personal Devices
Employees working from home may take shortcuts, such as downloading or saving sensitive company materials to their personal devices, desktops, USB drives, hard drives and file hosting services in the cloud (e.g., Dropbox). We would like to advise all businesses and their employees that saving company materials to personal devices that have not been appropriately configured with security systems (e.g., company-sanctioned level of anti-virus software, password protection technologies, or secure network connections) increases the risk of exposure to cybercriminals. Moreover, personal devices may be more susceptible to “physical breaches,” as employees may leave laptops or devices unguarded in places without the physical security of an office setting.
To guard against these threats, businesses that allow personal devices to be used should consider:
• Requiring all employee devices to be equipped with the employer-provided security software and the latest manufacturer software updates prior to permitting access to any remote systems;
• Requiring multifactor authentication upon each login to a company portal;
• Only allowing remote access through a virtual private network (VPN) with strong end-to-end encryption;
• Prohibiting working from public places, such as coffee shops or on public transportation, where third parties can view screens and printed documents;
• Prohibiting use of public WiFi, and requiring the use of secure, password-protected home WiFi or hotspots;
• Imposing additional credentialing with respect to the ability to download certain sensitive data.
Naturally, given the urgency behind the “work from home” transition, it may not be practical to implement all of these steps immediately.
Coronavirus-related Phishing Attempts
You are likely to receive an increased number of phishing emails as more and more users are working from home. All employees should recognise that phishing emails may be disguised as coronavirus updates or as updated company policies. For example, the World Health Organization (WHO) specifically warned that, in connection with COVID-19, cyber criminals are sending phishing emails with malicious links and are impersonating WHO officials to steal money and sensitive information.
Many companies already include warning banners on emails that originate outside of the company. Ensuring that such banners continue to be attached to emails from addresses outside the company will help employees work out which coronavirus updates are legitimate.
Off-Network Communications
With more employees working from home, groups and teams will become increasingly reliant on phone, email, and instant messaging communication systems instead of in-person meetings. Businesses should ensure that their email and messaging systems remain encrypted and secured. Additionally, some employees may be tempted to communicate outside of normal company communication systems, such as text messaging on personal devices or private chatting on social media. Communicating on platforms outside of the enterprise-wide security systems poses a far greater security risk than communications on company platforms. Businesses should remind employees of these risks and should encourage employees to use good judgment about when, where, and how they discuss work-related matters.
Incident Response
While businesses are working hard to protect the health and safety of their employees, incident response requirements remain in effect. Employees should be reminded that if they become aware of a possible data security breach while out of the office, they should inform their incident response team immediately.
* * *
Although businesses may be wary of sending out additional communications on top of daily coronavirus updates, it is critical to remind employees of these security risks. Even though employees may feel more comfortable working from home, they should maintain good cyber hygiene practices and not get too comfortable at such a critical time.
Every company is dealing with significant human resource, health and business issues associated with the coronavirus. With a little extra care on security at this strenuous time, hopefully, companies can avoid having to deal with additional issues associated with data breaches or loss of valuable business information.
If you have any questions regarding your devices or working from home, please contact our cyber security team on 01277 523133 or security@jtechnical.net and they will gladly assist you.
Matt Blackmore
Co-Founder
Johnson Technical Security Limited