Many businesses are now working from home on a scale which is entirely new to them and which may involve a steep learning curve. As businesses move to new working models, criminals are already seeking to take advantage, and there has been a significant increase in sophisticated phishing emails and messages. Added to this, there are concerns over levels of security of free-to-use conferencing services, as well as the amount of personal data they collect.
In the rush to keep businesses up and running at a distance, it's vital that cybersecurity doesn't suffer as a result, so here are some key issues you should take into account.
The obligation to take appropriate technological and organisational measures to protect against the unlawful access to personal data remains. You should consider what that looks like with what is now likely to be a highly distributed IT network (large numbers of employees working from home) with a significant number of unknown risks (employee home network security – or lack of it).
Security researchers are already reporting very significant volumes of phishing emails trying to take advantage of the new environment (for example, attaching documents claiming to contain updated guidance relating to COVID-19 which in fact contain malware, or emails with links to supposed updates or information on how to claim financial support). Clients should be reminding employees of the risks around phishing, and carrying out additional training if they have any concerns. Working in an environment in which they do not normally work also increases the risk of employees making mistakes, and may make them more likely to fall for phishing emails.
Remember that IT security teams are also working remotely. In some cases that can create additional risk and difficulty in dealing with attacks. There is already an increase in activity by hackers trying to take advantage of the current situation. Consider whether you have sufficient internal capability, and if you are using outsourced InfoSec providers, can they provide their contracted level of support in the current environment?
Remind employees and consultants of the relevant requirements in IT security and acceptable use policies, such as not forwarding work documents to personal email (there is an increased risk of this because, for example, it may be easier to print from personal email) and not printing documents unless essential. Working from home creates risks around confidentiality, as employees print documents which they may not be able to destroy as securely as they would in an office environment.
Employees should also be reminded that if they do click on phishing emails linked to coronavirus, they should contact the IT department immediately and follow their instructions. If an employee realises that they have clicked on a phishing link and then given away a password, they should change that password on all relevant logins and websites immediately.
Pushing out security patches (and similar) is more difficult with employees working entirely from home, so consider whether your patching mechanisms are still appropriate, and put in place additional steps and testing if you have concerns.
If you don't have IT and security policies which are adequate for working from home, or the information monitoring and risk management structures in place to identify and remediate risks created by the current situation, we can help draft or revise policies and procedures.
Employees may have insecure home Wi-Fi networks, or may connect on unsecured public Wi-Fi. While this will not be an issue if you have proper VPN arrangements in place, for some it creates a significant risk; we have helped clients with a number of data breaches arising from senior employees connecting to unsecured networks. Home networks contain a number of potential compromise points which the InfoSec function may not be able to manage or mitigate, so ensuring the security of connections to work systems from home is crucial.
Working from personal devices (rather than a corporate laptop or phone) can create security issues such as auto-syncing with cloud providers, resulting in confidential information being uploaded to the cloud where it may be inadequately secured. Employees should be disabling such auto-sync functions. They should also be reminded about prohibitions and limitations on the use of personal email; standard corporate policies still apply.
A more esoteric risk is that many homes now contain connected devices which are capable of listening to and recording conversations. While more sophisticated devices have wake-word requirements that should minimise risk, other connected devices capable of listening and recording (such as home CCTV or baby monitors) may pose a security risk.
Work devices should preferably be encrypted with whole disk encryption. This is included in most modern operating systems, but may need to be activated. Employees should also be reminded, in a blame-free way, about how to report lost or stolen devices, as it is more common for devices to be stolen or lost when working outside the office.
Difficulties with working remotely mean that employees are more likely to use USB drives or other removable media at home. Removable media should be disabled using MDM settings, with only devices supplied by the business being enabled for use. This limits the risk of cross-infection via removable media. Tools to remotely lock and/or erase data stored on devices should also be enabled.
Businesses should also look at the NCSC guidance to help reduce the risk of cyberattack when employees and consultants are working from home and on home devices during the coronavirus pandemic. The guidance covers cyberattack, cyber threat, devices, mobile devices and phishing.
Please contact us if you would like further advice on maintaining cybersecurity during the COVID-19 pandemic.