Working from home securely

28 April 2020

iGB’s technology columnist Vigne Kozacek interrupts his series on DDoS attacks to provide readers with a run-down of how to maintain the highest cybersecurity standards when working remotely

Novel coronavirus (Covid-19) has impacted every one of us in some way shape or form. Not least of all by forcing many people to work from home instead of traveling to the office and to practise social distancing when you do venture out for your daily exercise, to do some shopping or to collect medicines.

While there are a vast number of things that need to be considered when working from home, I am going to focus on maintaining a secure working environment and protecting yourself (and your employer) while working remotely.

Let’s face it, many companies and employees are struggling to adjust to this new way of life, even if it is only temporary, many companies are being forced to make some tough decisions.

Cyber criminals, however, are accustomed to working like this and have thrived in these conditions for many years.

In addition, they have stepped up their activities since this all started, simply because there are so many more targets out there now with all these employees working from home and they are by their very nature “opportunists”.

Having staff work from home isn’t a new concept and most companies will have policies and procedures in place for staff whom already worked from home either part time or on a full-time basis before the outbreak.

However, not all staff are fully trained on the dangers, and far too often these policies are reliant on well-developed systems being in place and adequately managed usually by staff who are in the office.

What we are left with is a large proportion, if not all staff, now trying to carry out their usual day to day duties from outside of your organisation.

As a result many companies have put the safety and security of their digital infrastructure in the hands of a personal computer.

Potentially one with an expired antivirus and poor, if any, security software installed on it as well as a £50 ISP-provided router which has very little security capabilities.

These generally highly insecure computers, and staff with little or no security training now have direct access to the heart of your organisation, resulting in digital assets being vulnerable and the risk of a breach increases exponentially.

I have no doubt that you have heard the saying “you are only as strong as your weakest link” this is more relevant than ever.

Okay, so there is a higher risk! How do we address these issues?

The ideal scenario, if there can be one in this situation, is for staff to use company supplied equipment that is restricted to only use company authorised systems which the company has control.

Yes, that means no Facebook, no personal email or unfiltered web browsing through corporate systems via a virtual private network (VPN).

While this is the ideal scenario, we of course understand that the lockdown blindsided many businesses and most would not have been prepared for this despite having disaster recovery and business continuity plans in place.

Having a few remote workers and having a majority, if not all of your workforce working remotely is something else entirely.

The capital and manpower required to acquire laptops and set up the infrastructure would have been heavily restricted by the lockdown.

Many suppliers, being in the very same situation have themselves, struggled to keep up with demand, meaning the knock-on effects have been immense.

As a result, many critical parts of your remote working security policies are likely to have been overlooked in the scramble to maintain business continuity and productivity.

Now would be a good time to conduct a review of your disaster recovery and business continuity plans
Contact your usual suppliers and have them conduct a thorough penetration test on all the exposed areas of your network.

Even if you have had one done recently, more holes could have been opened up while setting up remote access for your staff. According to IBM, the average amount of time it took for an organisation to discover that they had been compromised is 206 days.

Conduct a full suite of penetration tests on all the exposed areas of your network
According to a recent report published by Symantec, 48% of malicious email attachments were Microsoft Office files.

As attacks become more and more sophisticated and legitimate communications are easily disguised to appear as though they have originated from a legitimate source, it is critical that staff know how to recognise the difference.

It is not beyond would-be attackers to use LinkedIn or even your own company website to construct an organisation chart of your company complete with reporting lines.

They could then send spoofed emails to subordinates with malicious attachments and/or content used for phishing purposes.

This could well be more effective, especially now while it is no longer possible to just pop over to someone’s desk and verify that they have sent a questionable email or message.

Security awareness training for all staff is critical at the best of times and now it is extremely important that staff are given updated security awareness training.

This can be done online and there are many reputable companies out there that can facilitate this.

I would highly recommend that you conduct surveys of your staff before and after the training to measure the impact and to ensure you are achieving the appropriate standards which can be easily achieved by your IT security team using a platform like Survey Monkey.

Update and ensure staff undergo security awareness training

Vigne Kozacek has more than 25 years’ experience of managing information technology operations and business activities, predominantly in the gaming industry. With a career base including Camelot, Boylesports and William Hill, he has successfully delivered and managed positive change programmes including merger support and solution acquisitions.