At present, no one really knows how long social distancing measures will last or when people will be able to return to their offices. Here at Gallagher, our Cyber Insurance team understands the added disruption and anxiety that could result from a successful cyberattack or loss of sensitive data during a time when business operations and defences are already fragile.
We have therefore prepared the following guidance to help people to protect their company’s network resources and its sensitive information while working remotely.
The key points covered are:
- A summary of threats to systems and data to help you remain aware of potential issues and recognise potential attacks, especially when working remotely.
- Simple steps you can take to minimise risk to systems and data, which will help to ensure that systems remain operational and you protect both your client’s and your own data from loss or exposure.
Know the risks: increased chance of cyberattacks and data loss
The pandemic and the unprecedented shift to remote working will present new and evolving security challenges.
Phishing and “watering-hole” attacks
Just days after the crisis took hold, attacks using pandemic-related phishing emails and watering-hole sites were already being reported.
Phishing emails use a lure – typically a message about an urgent or inviting issue – to trick users into taking some immediate detrimental action. Those actions might include opening a malicious email attachment, clicking a malicious link within an email, or taking some other action that may reveal sensitive credentials or information. Phishing emails tied to disasters and crises are common, and the pandemic has been no exception.
Attackers use watering-hole attacks to compromise users’ systems when they visit a site configured with malicious code. The code runs in the background and compromises vulnerable systems, often with no other action required by the user beyond visiting the site. Attack sites may be malicious sites set up to lure victims (such as the malicious COVID-19 tracking maps that recently appeared online) or legitimate sites, such as a popular news site, that an attacker has compromised and added malicious code to.
Both types of attack could lead to data loss or a network-crippling incident such as ransomware, which would be catastrophic for any company during this crisis.
Remote work leads to data sprawl
Employees working from remote locations are more likely to take risky actions that place data outside the firm’s defences and control. For example:
- An employee trying to print or share a sensitive file may send the file to his or her personal email address, exposing the data to loss.
- An employee may transfer files to an insecure portable storage device, such as a USB stick, that is easily lost, misplaced, or forgotten.
- An employee may transfer or share files through unapproved cloud-storage or file-sharing solutions, exposing the data to loss and discovery.
All these actions lead to unmanageable data sprawl that places data outside the firm’s defences and retention practices.
Increased risk of attacks on remote access
Although you may take steps to secure your network from unauthorised remote access, the unprecedented level of remote work increases the risk that attackers will gain entry to the network. Attackers may try to collect user credentials for email, virtual private network (VPN), and other remote access systems through phishing emails designed to harvest users’ credentials. They may also try to bypass multifactor authentication controls by tricking users into approving an authorisation request. Many attackers have successfully bypassed multifactor authentication by repeatedly trying to log in to a system until a distracted or confused user approves the access by mistake.
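For IT teams, the repeated-prompt pattern described above can be picked out of authentication logs. The following Python is an added example, not part of Gallagher's guidance; the log format, the ten-minute window and the threshold of three unapproved prompts are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO time, user, outcome of one MFA prompt.
SAMPLE_EVENTS = """\
2020-04-01T09:00:05 alice approved
2020-04-01T22:14:02 bob denied
2020-04-01T22:14:40 bob timeout
2020-04-01T22:15:11 bob denied
2020-04-01T22:15:58 bob timeout
2020-04-01T22:16:30 bob approved
2020-04-02T08:30:00 carol denied
2020-04-02T08:31:10 carol approved
2020-04-02T23:01:00 dave timeout
2020-04-02T23:01:45 dave denied
2020-04-02T23:02:20 dave timeout
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed count of unapproved prompts that makes a burst

def parse(text):
    """Yield (timestamp, user, outcome) from the assumed three-column format."""
    for line in text.strip().splitlines():
        ts, user, outcome = line.split()
        yield datetime.fromisoformat(ts), user, outcome

def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, time) alerts: 'burst' when `threshold` unapproved
    prompts fall inside `window`, 'approved_after_burst' when an approval
    follows such a run (the mistaken approval the text warns about)."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for ts, user, outcome in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if outcome == "approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts))
            q.clear()  # an approval ends the current run
        else:
            q.append(ts)
            if len(q) == threshold:  # alert once, when the run first hits the threshold
                alerts.append((user, "burst", ts))
    return alerts

if __name__ == "__main__":
    for user, kind, ts in find_push_fatigue(parse(SAMPLE_EVENTS)):
        print(ts.isoformat(), user, kind)
```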
Increased risk from connections to insecure networks or work in shared spaces
Connections to insecure networks (whether at home or in public locations) can expose systems and data to attack. This can occur, for example, when using home routers with insecure settings or open public networks.
Steps to Minimise Risk
To help minimise risk to your firm’s network and data, we suggest taking these actions while working remotely.
Phishing, watering-hole, and other “social engineering” attacks
- Remember that technical defences, while good, cannot fully protect you or your organisation. Attackers know that employees are often a weak link in security and will most often target you to get what they want. You and your actions remain the best defence against these attacks.
- Beware of unexpected multifactor authentication requests if you use this form of security. If you receive a request to approve a connection you did not start, do not approve the request. Report the unexpected request in the usual way to your IT helpdesk or other resource performing that role.
- Do not click on untrusted links or open attachments. These links and attachments can be very convincing. If unsure, confirm with the sender or ask the helpdesk for assistance.
- Beware of emails and other messages that use breaking news, surprising information, or some other urgent message – especially one related to COVID-19 – to entice you to act now.
- Visit only trusted websites for information on the pandemic. Beware of sites advertised in social media posts or sites luring visitors through urgent or inflammatory messages.
- Because even legitimate sites may become compromised and used to distribute malicious software, limit unnecessary browsing on company assets. Do not allow family members to use your company equipment for personal use, which can expose the system to unexpected browsing activity.
Controlling data sprawl and loss
- Use only approved solutions to transfer data:
  - For internal and external collaboration, conferencing and file sharing, only use company-approved file-sharing and collaboration tools.
  - Do not use unauthorised file-sharing sites (for example, Box or Dropbox).
  - Do not email data to personal email accounts or transfer data to unapproved portable storage devices (for example, a USB memory stick).
  - Do not email unencrypted sensitive data to external parties. If you send an individually encrypted file, secure it with a strong password, and do not send the password by email. Better still, use a company-approved transfer solution.
Protecting data on remote networks
- Use secure, known networks. Use a company-provided VPN wherever possible – the VPN offers an added layer of protection on possibly insecure networks.
- If you or a family member has the technical ability to do so, ensure your home Wi-Fi router is protected with the WPA2 or WPA3 encryption setting; ensure your router/modem and internet service provider (ISP) portal are configured with a strong, unique password; and enable software updates for all routers and modems.
Editor’s note: This article has been written to provide clients with guidance. You should refer to your own cyber insurance cover when considering this.