
The ongoing COVID-19 pandemic has suddenly presented organisations with a set of cybersecurity challenges that, whilst not unique, are being experienced on a significantly larger scale than ever before.

The security threats to organisations during the response to COVID-19 include phishing, the spread of malware from personally owned devices, and the leakage of sensitive data from your organisation’s systems to unapproved storage (e.g. Dropbox). These are not new threats, but with large numbers of staff working from home there may be additional vulnerabilities where existing IT security services do not extend to remote devices, and where remote working was implemented under time pressure.

There are a number of protections in place when staff work from the traditional office, so what happens when staff have to work from home for a prolonged period of time?

From an information security perspective, the basic principle is that the security of the data you are protecting needs to be maintained whether your staff are working in the office or from home.

To assist organisations with these challenges, Unity has put together the following guidelines to help prevent these security-related issues as staff work from home more frequently.

The top 10 tips for secure remote working:

1. Authentication is your 1st line of defense
The message for organisations is to promote good password practices and the use of multi-factor authentication as standard across corporate and personal accounts.

Password strength, reuse, and sharing: Password strength is enforced by most platforms, but passwords should be at least 10 characters long. Users should consider using a passphrase, which makes greater length and frequent password changes easier to manage. Substituting certain letters in the phrase with numbers and special characters will increase the security of the passphrase.

It is equally important that password/passphrase reuse is avoided, including the use of similar passwords. Password reuse is the most common way for hackers to escalate access during an attack; 92% of users reuse their passwords. The hacker will typically crack a social media account password and then gain access to corporate data because the employee reused that password.

Never share your passwords with others or write them down!

Multi-factor authentication should be standard across corporate and personal accounts. If multi-factor authentication is not enabled, it is entirely possible for an attacker to ‘brute force’ access to an account by simply guessing the password. This remains an extremely common tactic, and enabling multi-factor authentication is the single most important step that individuals and organisations can take to protect services, personal data, and infrastructure. This is particularly important for privileged accounts (e.g. administrator) and senior management teams, as they will be the first to be targeted by targeted phishing attacks (i.e. spear-phishing).

2. Security awareness comes a close 2nd
Your second line of defence is an engaged, curious, and well-trained workforce acting as a human firewall, spotting unusual activity to prevent a breach, e.g. a spoofed email purporting to come from the CEO with an instruction to transfer funds urgently.

This can take the form of webinars for staff, email communications, and targeted videos, right through to automated security awareness training material including test phishing emails.

The following topics can form part of your secure remote working training material:

1. Secure your home Wi-Fi access point: Verify that your wireless router uses WPA2 and is protected with a strong password.
2. Control + Alt + Delete when you leave your seat: Never leave your devices unattended. If you need to leave your computer, phone or tablet, lock it so no one can use it while you’re away from your desk.
3. Watch out for Wi-Fi: Personal browsing, such as banking or shopping, and all work-related online activity should only be carried out on a device and network that you trust. Whether it’s a friend’s phone, a public computer, or free public Wi-Fi, your data could be compromised, copied or stolen.
4. Be aware of COVID-19 phishing attacks: It is easy to forget cybersecurity best practices when away from the office. During the pandemic, organised crime groups have been exploiting our concerns over COVID-19 to target us with a range of scams. If you think you have received a phishing email, don’t respond; delete the message and report the incident to your IT support team.

In short, if you spot deceit, hit delete.

5. Passwords always protect: Strong passwords are important in protecting information. Use a passphrase with a strong mix of alphanumeric and special characters, and don’t share your passwords with others or write them down!
6. Secure your environment: Try to designate a room as your home office. Ensure private conversations remain private by turning off Alexa and Google Assistant.
7. Be aware of privacy: Be mindful of what’s in the background of your webcam, and confirm you know who’s attending your conference calls.

3. Secure connections to your network
Use a secure connection to connect to the organisation’s network. The connection from the client device to your on-premise or cloud resources needs to be protected from unauthorised access; a secure connection ensures that the data traversing it is encrypted.

Depending on your organisation’s information security and compliance requirements the options can include the following:

a. Staff connect to cloud-based resources (e.g. Teams, OneDrive, etc.) via a secure connection. When accessing resources using a browser, staff should always ensure the connection is secure by checking for a valid digital certificate. This is indicated by HTTPS rather than HTTP at the start of the website address. Always look out for the ‘S’; if it isn’t there, the connection is not secure.
b. Provide employees with a secure client VPN connection, commonly using the organisation’s on-premise firewall as the VPN termination point.
c. Use a Virtual Desktop or Virtual App environment to provide a secure, standardised connection into your organisation’s applications and data.
In line with tip #1, ensure the organisation’s chosen secure connection is configured to use multi-factor authentication.

4. Remote Working Policy
Provide your staff with clear guidance for working from home. They should be reminded that when working at home, their device and their access to work systems or data are authorised for staff use only. Care should be taken to protect work-issued equipment from both inadvertent and deliberate unauthorised access.

Develop a remote working policy to include:

  1. The remote connection to your organisation’s internal networks is for your use only; do not allow friends or family access to the organisation’s networks.
  2. Don’t allow family members to use your work devices.
  3. A firewall-protected connection or personal firewall is mandatory for remote working.
  4. Save your work to secure network folders e.g. organisation’s OneDrive, keep locally stored information to a minimum and never store company information on non-company-owned devices.
  5. Make sure paper copies of sensitive information are stored out of sight and secure when not in use, and disposed of in a secure manner (e.g. using a shredder).
  6. Ensure that company-issued equipment is securely stored when not in use, protect it in the same way you protect your personal belongings at home.

Include these controls in security awareness training highlighted in Tip #2.

5. Secure end-user devices connecting to your network

If staff are using personal devices while working remotely, they most likely will not have the same safeguards in place to protect the organisation.

The advice is to set minimum security standards for devices connecting to the network and accessing data belonging to the organisation. These can cover device enrollment, device configuration compliance, remote device wipe, enterprise data protection capabilities, user authentication strength, and user identity.

The types of devices connecting can include removable media (e.g. USB drives, cameras), laptops, desktops, and mobile phones, and organisations want the peace of mind of knowing that these devices have been approved to connect to the network and are secured to protect the corporate applications and data being accessed.

The following minimum protections should be in place before a device connects to the organisation’s network:

• Device enrollment to ensure only approved devices are permitted to connect to the corporate network

• Make sure up-to-date endpoint protections are installed and active on any device that will be used for work. The standard level of protection applied to these devices before they connect to the network includes:

– The operating system is patched (using an automated toolset, as highlighted in Tip #7).
– Disk encryption, PIN, and auto-lock enforcement.
– Endpoint AV and malware protection.
– A local firewall is enabled.
– Additional web filtering software installed.

6. Phishing

Email is a common attack vector for such crimes, with over 90% of cyber-attacks beginning with an email. With almost 4 billion global users, email is a perfect attack platform. Phishing emails have now shifted their focus to COVID-19 related lures. The ultimate goal of this activity remains the same as before: stealing credentials for access or resale, or installing malware to damage infrastructure or allow remote access.

Please consider the following when processing emails in the current climate:

  • Many phishing emails have poor grammar, punctuation, and spelling.
  • Ensure employees are aware of this type of threat and how to avoid it.
  • Always check email addresses carefully, particularly if there are any financial implications to the requested action.
  • Please be wary of any emails referencing Coronavirus from an unrecognised source.
  • Criminals will use the fear and uncertainty surrounding Coronavirus to scam users.
  • Manually type in URLs to sites you want to visit rather than clicking on links.
  • Verify the mail – Do not contact the supplier of the invoice through links or the phone number supplied within the mail. Do not reply directly to the email. Contact a known supplier through pre-existing channels.

If you suspect deceit, hit delete!

Enhanced vigilance should be practised when receiving emails from vendors/clients notifying you of a change of bank account and requesting that payments be made into the new account. Users should verify the change using established forms of communication, not the contact details within the suspicious email. If in doubt, make a phone call to confirm the request.

7. Ongoing device and systems maintenance

While the physical office is left behind when employees work from home, the network and infrastructure must still be maintained and operational. Routine patch management, backup management, and preventive maintenance still need to be performed on all devices critical to day-to-day business. In addition, capacity management has never been more important for the new workloads being requested by the business, e.g. increased usage of VPN or virtual desktop services.

Automation is key to ensuring that company-owned devices are proactively patched to prevent OS vulnerabilities from being exploited, and that they are closely monitored to confirm that device security compliance levels are as expected, e.g. that patching and AV protections are up to date.

8. Protect email services

Email is still the number one attack vector for cyber-attacks, and the COVID-19 crisis is an ideal lure for such attacks. Organisations should enhance their current email protections as much as possible. During the COVID-19 pandemic, disinformation is being spread by emails impersonating credible organisations in order to sow distrust and confusion. Some suggestions, beyond the usual scanning for malicious content, would be:

• Email filtering services to quarantine or reject emails from untrusted sources.
• Email threat detection services to highlight unusual activity.
• Email banner to advise when an email is from an external source.
• Implement DMARC, an email validation protocol designed to detect and prevent email spoofing.
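An added example (not from the original article) of how a receiving mail server evaluates DMARC, showing the weak `p=none` record beside the corrected `p=reject` record; the records and domains are constructed, and `org_domain` is a simplified stand-in for the Public Suffix List lookup that real implementations use:

```python
# Constructed DMARC TXT records (not real DNS data): the weak setting that only
# monitors spoofing, and the corrected setting that rejects unaligned mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt_record):
    """Split a DMARC TXT record into its tag=value pairs; reject non-DMARC text."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Approximate the organisational domain as the last two labels.
    Assumption for this demo: real implementations use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organisational domain."""
    if not auth_domain:
        return False  # nothing passed SPF/DKIM, so nothing can align
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass' if the visible From domain is backed by an aligned SPF or
    DKIM pass, otherwise the receiver action the published policy asks for."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # 'none' means the spoof is only reported, not stopped

if __name__ == "__main__":
    # A message claiming From: example.com whose only SPF pass belongs to another domain.
    print(dmarc_disposition(WEAK_RECORD, "example.com", spf_pass_domain="mailer.invalid"))    # none
    print(dmarc_disposition(STRONG_RECORD, "example.com", spf_pass_domain="mailer.invalid"))  # reject
```

With `p=none` the spoofed message is delivered and merely reported to the `rua` address; only `p=quarantine` or `p=reject` makes the receiver act on it.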

9. Ongoing Monitoring and Threat detection

Know your network and know what normal network activity looks like, so that unauthorised or abnormal activity can be identified. Put effective monitoring solutions in place to detect unusual network and user account behaviour, so you can react and also adapt your network to make it more difficult for future attempted hacks or data breaches.

10. Incident Management Procedures

The changing workplace environment may create unforeseen issues for an organisation’s IT incident response. IT teams may not have access to tools, or physical access to staff, devices, or infrastructure. Incident response procedures should be tested to identify areas that need review. It may be necessary to provide staff with instructions on the immediate actions they should take in the event of an incident, together with contact details for the IT support team.

Colm Lennon, Head of Security & Operations