4 CRITICAL RISKS FOR A COMPANY TO MANAGE
Coronavirus poses a risk to humanity, possibly the greatest risk to our physical health that many of us have faced in our lifetime, and at the same time, unethical cybercriminals are using the pandemic as an opportunity to increase hacking attempts and phishing attacks. In order to reduce the spread of the virus, most countries and companies have asked their staff to work from home.
Experts at the NCSC (National Cyber Security Centre) have noted a rise in the number of phishing attacks in the last few weeks, as criminals exploit people's need for information and updates for their own malicious ends. Phishing, identity theft, financial fraud and ransomware are only a few of the threats facing your staff, your network and your business.
Unfortunately, companies have been caught unprepared by the demands of remote working and are under pressure to open up company applications so that operations can continue. The security around these applications is sometimes inadequate for remote access, which raises cyber security and data privacy risks.
Mobius Consulting is a firm that specialises in Information Security, Cyber Security and Information Privacy. Patrick Ryan, Managing Director of Mobius Consulting, together with Senior Managing Consultant Raymond du Plessis, a cyber security specialist, and Senior Managing Consultant Amanda Hechter, an Information Security and Identity and Access Governance specialist, advise companies and businesses to urgently manage the following four risks, all of which have been escalated by the increased need for remote working.
1. USER RISK
Staff members can pose the greatest cyber security risk to a company because they are susceptible to phishing and malware attacks and, rarely intentionally, expose the business to numerous cyber threats. Staff are also the first line of defence – if they have the necessary awareness to avoid becoming victims of these attacks.
“Some viruses, called drive-by malware or drive-by viruses, infect your device or laptop just by browsing malicious websites,” says Patrick Ryan. He goes on to state that in some cases you don’t even have to download anything to get infected by the malware.
“Users are no longer behind the security of their corporate network, which usually checks and filters emails received and sites being visited and reduces the risk of malware attacks,” says Raymond du Plessis. “But with staff at home, they are able to navigate the web with little or no protection.” Increasing awareness and providing guidelines for safe web browsing are critical.
Users are also responsible for setting strong passwords, for both corporate and personal applications, and for managing and maintaining them. Patrick Ryan recommends using passphrases instead of passwords wherever possible. “Passphrases are very long sentences that are more than 15 characters long and difficult to crack, for example “Myfavouriterestaurantis….”, and phrases are easier to remember than complex passwords.”
“We dissuade users from reusing the same password on multiple sites because if one of these sites is breached, their password is then saved to hacker websites and can be used to try to hack into other applications or even corporate systems,” says Patrick Ryan. “We also recommend using a password manager app like LastPass; these apps help to manage passwords and enforce password strength if the users have a lot of passwords to remember.”
2. HOME NETWORK RISK
Most companies run stringent external penetration tests to make sure the corporate network is secure, and have the security expertise, systems and tools to guard against and check for suspicious network traffic. However, many home networks are set up by the end-users themselves, using the router supplied by their Internet Service Provider and without any advanced security systems. This means that the home network is typically not securely configured and that most of the safeguards present on the corporate network are not available.
Below are a few things that staff should do to increase home security:
- Change the admin name and password on your router, and don’t use the default ones provided by your service provider or router manufacturer.
- Make the password on your home WiFi network as strong as possible by using long passwords.
- Handing out your private WiFi password to your friends, nanny and workers or your robotic vacuum cleaner is also a risk. Rather create a guest WiFi for friends or visitors, whereby they can’t access the full home network. If their device or laptop is compromised, at least there is a wall between the guest network and the home network used for remote working purposes.
- Create a new SSID (the broadcast name for your home WiFi), and presume that the old one is compromised. Configure the WiFi network used for remote working to only allow your own devices to connect. Guests can connect to the guest WiFi network.
To implement these security settings users will need to read the manual for their home router. Companies could consider having the IT team available to assist users with this.
3. COMPUTER OR DEVICE RISK
With staff working from home, the laptop or desktop they use can play a huge factor in the cyber security of the business.
Company-issued devices are generally set up to be very secure, and when staff work remotely using company computers the risk is lower than when using their own devices, as long as all security settings remain in place and software continues to be updated regularly.
“Work devices come with strict security settings, good antivirus and safe software that is approved and pre-installed,” says Amanda Hechter.
Most companies were not prepared for all their staff having to work from home. Not everyone has access to a company laptop, so many staff have been forced to work on their home machines.
Home users are no longer connected to the protected corporate network, and using their own devices puts both these machines and company data at risk.
The company usually has no control over how personal devices are used or maintained. It’s difficult to enforce security, but a company can make users aware, and issue guidance for staff to follow. A few things to put in place:
- Home devices must have anti-virus installed, and both the anti-virus and all other computer software must be updated regularly (if bandwidth is an issue, users can schedule updates to run after hours). “Any time an update is released, it’s usually to fix a security issue,” says Amanda Hechter. “Updates are critical and shouldn’t be paused, put off or ignored.”
- No personal application such as private email should be used for company purposes, and no sensitive information should be sent via personal email, as this should be considered insecure and a risk to data and information security.
- Do not save sensitive documents to home machines, rather use the company cloud service or online repository like Box, Drive or Dropbox.
Corporates need to think of ways to assist their staff in configuring home computers: not running unnecessary or risky applications, enabling firewall software and applying general security configurations. Once again, corporates could consider providing users with guidelines or using IT support staff to assist remote workers telephonically or through secure remote access solutions.
4. DATA AND CONNECTIVITY RISK
The recommended way for staff to work remotely should be that users:
- Connect via the corporate VPN (Virtual Private Network), which requires a login using two-factor authentication (login plus a PIN sent to the phone or generated by a software-based PIN system).
- Connect via the internet but only to corporate cloud-based applications and platforms, or to reputable and company authorised productivity systems such as Office 365 or Google Enterprise Suite.
Companies might have backup generators at the office and top-of-the-range fibre, but when staff work from home, they might not be able to work and fulfil their duties without decent connectivity.
“If staff have uncapped fibre or ADSL, then there shouldn’t be a problem with connectivity, but many users are data challenged and might be connecting via their phone’s hotspot or using 3G routers with data limits,” says Patrick Ryan. “Companies should consider a survey of their staff to identify which staff members have no or limited internet data, and then businesses can put plans in place, like rolling out mobile data plans, because connecting staff to fibre won’t happen quickly.”
REMOTE WORKING POLICY
“Using the guidelines above, companies should create a remote working policy,” says Amanda Hechter. “This will assist companies in guiding staff through these challenging times, to reduce risk and ensure a limited impact on productivity.”
Amanda Hechter advises that the remote working policy should include:
- General Use and Ownership
- Access to Information Resources
- Physical Security
- Password Management
- Software Management
- Computer Security
- Protection of Information
- Mobile Computing
- Remote Working / Tele-working
- Email Usage
- Ethical Use
- Social Media Usage
- Security Incidents
- Usage on Cloud Computing and Services
“It’s important for companies to actively manage their cyber security during a time of risk,” says Patrick Ryan. “While there are a million things that seem to be going on at the moment within the business, security should never be compromised, and may, in fact, need more attention as we bed down our new ways of working. These tough times are making us stronger, as we close the gaps and holes in our company security, which is a good thing.”
Here at Mobius Consulting we collaborate, innovate, share knowledge and transfer skills wherever possible. Our goal, always, is to create practical and sustainable solutions that are geared perfectly for our clients. This is how we measure our success.