Many businesses may have expected to have returned to the secure IT environment of their business premises by now; but for those still requesting that their employees continue to work remotely, is it now time to take a longer-term view?
Remote Working Guidance

Experts from the National Cyber Security Centre have revealed a range of attacks being perpetrated online as cyber criminals seek to exploit COVID-19 [2].

The purpose of this paper is to offer pragmatic advice and solutions to the challenges your company may face as your workforce begins to work remotely, in particular:

  • The security of sensitive data
  • Employees operating on protected infrastructure
  • Creating an environment to avoid human error

Consider whether your employees really need to print documents and take them home. If the information in those documents is sensitive and they are lost on the way home, what would the consequences be? Where possible, avoid taking paper documents home altogether: leave documents and data in the secure infrastructure where they currently reside and allow employees to view them remotely. No data should be left unattended in cars, bags or open spaces at any point.

Do employees have the internet at home?

Not everyone has access to the internet and so working from home could be a challenge for some of your workforce. One solution could be to purchase or rent a Wi-Fi dongle from any of the major telecommunications providers allowing connectivity for your employees.

Do employees have data allowances?

For those employees who do have internet access, consider whether they have unlimited broadband or whether their data is capped at a certain limit. If the allowance is capped, you may wish to consider covering any additional data costs they incur from their broadband provider.

Agreeing the cost of phone calls

The same thinking needs to be applied to phone contracts. Not all employees are furnished with a company mobile phone, so once your workforce is operating remotely you may need to consider covering the cost of their mobile calls, both national and international if applicable. Alternatives include online video conferencing services, some of which are free to use, and your company’s own video conferencing infrastructure.

Many employees don’t have company-provided laptops; is this an issue?

It could be that your employee’s PC or laptop is running Windows 7 and, as a personal device, has not had the same rigorous updates that your organisation’s IT equipment has. In this situation it would be prudent to recommend that the employee upgrades to Windows 10.

What about antivirus? Do my employees who own PCs even have AV?

Every remote PC should have at least a basic level of antivirus and a software firewall. Windows Defender can be enabled on any Windows PC. Many antivirus (AV) vendors offer a free version that the user can download to ensure attachments and websites with malicious links are scanned before opening. As mentioned earlier in this paper, the National Cyber Security Centre has issued a warning about this threat: cyber criminals are taking advantage of individuals searching the web for the latest news by embedding malware in website links and attachments [3].

It may be prudent to survey your employees to ensure that those remote workers operating on their own device are running an up-to-date operating system such as Windows 10 and have antivirus in place. How could you find that out? Various asset-scanning tools are available, but they are not free. The old-fashioned way is to open System Preferences or My Computer and read off the operating system and version number. Your IT or Operations team could compile a manual list of these devices to identify vulnerable assets.
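As an added example that is not part of the original guidance, the PowerShell script below lets an employee produce the operating system and antivirus details described above in one step, so IT can compile the device list without a paid scanning tool. It assumes Windows 8 or later for the Defender cmdlets; on Windows 7 those cmdlets are absent, which the script reports as a finding in its own right.

```powershell
# Added example (not from the original guidance): employee self-check of OS version and
# antivirus state, to be run in PowerShell and the output sent to IT or Operations.
# Assumption: Windows 8 or later for Get-MpComputerStatus; Windows 7 reports "unknown".

$os = Get-CimInstance Win32_OperatingSystem
$report = [ordered]@{
    Computer        = $env:COMPUTERNAME
    OperatingSystem = $os.Caption
    Version         = $os.Version
    Build           = $os.BuildNumber
    # Windows 10 reports major version 10; Windows 7 reports 6.1 and fails this check.
    OSUpToDate      = ([version]$os.Version).Major -ge 10
    LastUpdate      = (Get-HotFix | Sort-Object InstalledOn -Descending |
                       Select-Object -First 1).InstalledOn
}

# Antivirus products registered with Windows Security Center (Defender or third-party).
# The namespace does not exist on server editions, hence -ErrorAction SilentlyContinue.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                              -ErrorAction SilentlyContinue
$report.AntivirusProducts = ($avProducts | ForEach-Object displayName) -join '; '

# Defender-specific detail: real-time protection on and signatures less than a week old.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $report.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $report.SignatureAgeDays   = $mp.AntivirusSignatureAge
    $report.SignaturesCurrent  = $mp.AntivirusSignatureAge -lt 7
} else {
    $report.RealTimeProtection = 'unknown (Defender cmdlets unavailable, e.g. Windows 7)'
}

# Anything flagged here should be resolved before the device handles company data.
$report.NeedsAttention = (-not $report.OSUpToDate) -or
                         (-not $report.AntivirusProducts) -or
                         ($report.SignaturesCurrent -eq $false)

[pscustomobject]$report | Format-List
```

A blank AntivirusProducts field or NeedsAttention set to True is the cue for the employee to install or update AV, or to upgrade the operating system, before processing company data.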

What if the PC is already infected from malware loaded onto it months ago?

Existing malware, such as a keylogger, is a concern to be aware of. With employees potentially now processing masses of sensitive information on a personal PC, how can you be sure that PC is not already infected? The answer is to run a malware scan. Many antivirus products allow the user to run a full (intensive) scan to confirm the PC is clean. If the scan reports infections, the user needs to clean the PC; the AV software usually provides guidance on how to do this.

How will your employees connect to your network (if there is a network to connect to)?

Options include a Virtual Private Network or Remote Desktop; Citrix and other virtual infrastructure; or perhaps you use Office 365 and all a user needs to do is log in. Are those logins secure? Do your employees use Multi-Factor Authentication?

A Virtual Private Network with Multi-Factor Authentication is recommended, as traffic is encrypted and a basic level of security is in place, whereas a Remote Desktop service exposed on port 3389 may carry vulnerabilities that can be exploited. If Remote Desktop is the only option, ensure a strong password of at least 12 characters is in place and that it is not the same as, or similar to, the password of any other account in the business.

Why 12 characters?

The diagram at the foot of page two illustrates that 27,000 known Remote Desktop connections are exposed to the internet (snapshot taken 13:10, 18 March 2020) [3]. Normally these are exposed with the usernames in place, meaning a cyber criminal only has to guess the password. Where possible, all companies should make use of the VPN facility normally available on most modern firewalls.

We use Office 365/SharePoint, what about us?

For those organisations that make use of cloud infrastructure, for example Office 365, SharePoint etc., it is recommended that they enable Multi-Factor Authentication as soon as possible, so that all users are protected by an additional layer of authentication whilst working remotely. This is not as easy as it sounds, as complications can arise for employees who do not have a mobile phone: Multi-Factor Authentication with Office 365 sends a code to your phone to prove your identity. If users don’t have a work phone, you can ask them to use their personal mobile phone.

Saving attachments to a personal drive

It is recommended that no company documents or attachments are saved to a personal device. Advise employees to save all company documents or attachments within the company infrastructure; the benefit is twofold. First, you won’t have a document stored on a personal PC over which the company has no control. Second, the data footprint is minimised and the data stays within the network, compliant with GDPR.

“My printer is not connected to this virtual machine, so I’ll send it to my own account.”

Try to restrict employees from moving a company document to a personal drive or email account in order to print it. If they can’t print within the security of the company’s IT infrastructure, encourage them to share the document with the client, prospect or person in digital form instead.

Remaining GDPR compliant: Data in Transit vs. Data Transferred

If company data never leaves the corporate network, it is only in transit: your employee views on their home PC screen what remains on the work PC or server. Data in transit hasn’t left the organisation. In contrast, data printed onto paper and taken home is data transferred, and files downloaded and stored on personal devices are data transferred. It is recommended that companies, where possible, keep data in transit. If your organisation has made efforts to become GDPR compliant, these are testing times for maintaining the wall around that data. Keep the data in transit!

How do I know if the website I am visiting is legitimate?

Valuable advice to communicate to your employees: ask them to right-click on the web link and check that it points to the web address they expect. If they are in doubt, ask them to send the link to the IT department to check before they visit it.

Using WhatsApp to communicate business matters

Do not discuss any client-specific details or data records that identify a living individual. Consider: if your personal phone were lost and a malicious actor accessed your WhatsApp conversations, would this affect the rights and freedoms of individuals?

What about our company’s Microsoft Teams site?

Teams is a good solution for this situation when configured in accordance with the points laid out in the earlier paragraphs in this document. Use it whenever possible.

Keep calm and carry on!

To remain secure whilst your employees are working remotely, encourage your teams to slow down and think before they click! Many data breaches can be attributed to human error, and during these unprecedented times it could be argued that many people are not 100% focused as we try to navigate an ever-changing environment. Encourage employees to follow our guidelines.

* https://www.gov.uk/government/speeches/pm-address-to-the-nation-oncoronavirus-23-march-2020
2. https://www.ncsc.gov.uk/news/cyber-experts-step-criminals-exploit-coronavirus
3. Shodan.io – RD Ports