Posted: Tuesday, May 12, 2020
As we all settle into new and, in some cases, relatively unknown ways of working from home, it is worth reflecting on just how much has changed and how we can ensure that we keep ourselves and our businesses as safe and secure as possible by upholding security and privacy.
Pre-isolation, many experts were already in agreement that engaging with end-users to promote user education constituted an important piece of the security puzzle. Indeed, many of you may already have rolled out your own programmes or invested in products to help test the mettle of your users. Now in lockdown, it is more important than ever to reconsider why user education is needed and how it can best be delivered.
The landscape is changing – are your users aware?
The threat landscape is evolving, and cyber-crime is big business. That much you already know. But do users understand the full extent of the threats?
In the 30 years that ransomware has been around, much has changed, and with the emergence of the Dark Web, cyber-criminals now have a ready marketplace for your data. Personally identifiable information (name, address, bank details, date of birth) is available to buy in order to carry out identity fraud or to enable a larger social engineering attack. Your business may already have been compromised months ago, leaving your company vulnerable and effectively for sale on the Dark Web, the compromise enabled by malware and exploit kits designed to bleed your business dry of confidential data and cash.
In many cases, it has been all too easy for criminals to hack a legitimate server to host their malware – inheriting the site's HTTPS certificate and domain – or to replicate a legitimate site under an address that differs by a single character, which can be very hard to spot if you are unaware, unsuspecting or browsing on a mobile phone.
New ways cyber-criminals are gaining access
The main attack vectors are no longer just malicious software. Today, the human element is equally important, with criminals often spending days gathering information on your business through targeted phishing attacks, emails and social media. They can harvest or buy personal information on your users, exploit vulnerabilities on remote servers and unsecured Wi-Fi connections, and even brazenly use the legitimate tools you employ within your business to move through your network.
How safe are your users’ home networks?
Security was already challenging when your employees worked from the office on your own approved infrastructure. Now, with most of us working from home, these challenges have become greater still. Many disaster recovery plans will not have catered for a pandemic, or perhaps there was not enough time to roll one out at all. Most likely, many of you have staff (or are yourself an employee) using their own tech – PCs, laptops and mobile devices. These devices, which combine business and personal use, may even be outside the control of your IT team.
As we all explore new methods of remote collaboration, there are myriad considerations surrounding employees who are using their own devices, as well as the locations in which they are storing and sharing company data. If you are not running O365 with SharePoint, OneDrive or Teams, then it is possible other shadow IT applications are being used to share information. Some apps may have been downloaded – mobile applications especially – which enable communications with colleagues. These may seem like fun at first glance, but amongst the T&Cs that users rarely read, you may find they have agreed to share more than they realised.
Ways to lock down security during lockdown
With many of us growing comfortable with our new working arrangements, committed to home working for some time to come, now is the perfect time to improve our security posture. Some methods are cost free, whilst others require an investment of time or money, but all will help foster a more security-conscious environment, keep data and privacy secure and make the bad guys’ lives more difficult.
- Education – there are a number of software programs that can roll out ‘test emails’, training videos and reporting. Speak to your Utilize account manager about this. Also worth considering are team chats or ‘security911’ emails for your employees to report suspicious activity. A good training solution will be consistent and use ‘real-life’ examples of phishing emails. Bear in mind that the days of phishing emails that can be easily spotted through poor grammar and spelling mistakes are fading fast. Instead, fake emails and phishing attacks are increasingly refined and play on emotional triggers. Look next at something that will provide easy and accessible training that follows on from a test – something that users can easily understand and, more importantly, relate to and learn from. It is helpful to be able to report on users who may need more support, and to create a supportive culture where there is no blame and where users will take what they have learned into their everyday internet use.
- Dark Web scanning – employing a service that constantly monitors the Dark Web for your business domain and/or the personal addresses of your C-level employees is a powerful tool. Aim for one that uncovers, in real time, the full password/email address combinations and personally identifiable information being sold on the Dark Web. This can also help you to find former employees who may still hold password details for applications on your network or, worse, may be reusing those passwords elsewhere. If those passwords were breached, they could provide an easy entry into your network.
- Password managers – consider rolling one out to all employees as standard. Password managers not only ensure that passwords are strong and that every password is unique, but they can also bind each password to the website address. So, if a user stumbles upon an illegitimate site (remember, it might look legitimate but contain one additional character in the address), the password manager will not offer the credentials because the address does not match the one stored, and such sites are typically laden with malware. They also allow you to follow good practice by reviewing all the websites you connect to, which you should do regularly to ensure you know where your data and personal information are being kept.
- Mobile security – a reputable mobile AV product should be used, and there are several solutions which provide ‘containerisation’. This allows personal and business data to be kept separate, so that if a user opens an application known to enable malware or data harvesting, your business data will be locked down.
- Patch! – this is always on my list of ‘things every business should do’ and, for homeworkers and personal devices, it is just as important. Keeping personal device operating systems patched to the latest versions is vital, as this ensures all your applications receive maximum security protection – setting updates to automatic will help.
- Seek expert guidance – there are numerous tools designed to help us collaborate securely but, whichever you choose, they need to be configured correctly. Paying a little more for consultation and expert advice will be worth its weight in gold.
- VPNs – with your users working remotely, it is worth remembering that sensitive data may be accessed over unsafe Wi-Fi connections, so a VPN (virtual private network) might be an advisable option. As we look forward to easing ourselves out of isolation, remote users may also be connecting from coffee shops and other public places, so seek advice on VPNs today.
With cyber-criminals looking to steal and resell your company data for an easy profit, there has never been a more appropriate time than the Coronavirus lockdown to reassess how this information is being accessed and shared by users, and the steps your business can take to prevent falling victim to a cyber-attack.
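The address binding described in the password managers item above, and the single-character lookalike addresses mentioned under ‘The landscape is changing’, can be made concrete in a few lines. The Python below is an added example and is not code from Utilize or from the original post: the VAULT dictionary, its saved hosts, the example URLs and the function names (normalise_host, credentials_for, edit_distance, lookalike_warning) are all constructed for illustration, and the edit-distance warning is a simple heuristic rather than any particular product's logic.

```python
"""Credential binding and lookalike-address checks, in the style of a password manager.

Added example, not code from Utilize or the original post. The vault, the saved
hosts and the example URLs are all constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed vault: each credential is keyed by the exact host it was saved for.
VAULT = {
    "login.example-bank.com": {"username": "alice", "password": "correct-horse-battery-staple"},
    "mail.example.org": {"username": "alice@example.org", "password": "another-unique-secret"},
}


def normalise_host(url: str) -> str:
    """Lower-case the host, drop a trailing dot and convert internationalised labels
    to punycode (xn--...), so that a domain built from lookalike Unicode letters
    cannot compare equal to the ASCII site the user actually saved."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # an un-encodable host is left as-is; it will not match a saved entry anyway
    return host


def credentials_for(url: str):
    """Return saved credentials only for an exact HTTPS host match, otherwise None.
    A near-miss address such as login.examp1e-bank.com gets nothing."""
    if urlsplit(url).scheme != "https":
        return None  # never auto-fill over plaintext HTTP, even for the right host
    return VAULT.get(normalise_host(url))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def lookalike_warning(url: str, max_distance: int = 1):
    """Warn when an unsaved host is within max_distance edits of a saved host, or when
    it is a punycode host although none of the saved sites is one. Returns None when
    there is nothing suspicious to report (a genuine saved site, or an unrelated one)."""
    host = normalise_host(url)
    if host in VAULT:
        return None
    if "xn--" in host and not any("xn--" in saved for saved in VAULT):
        return f"{host}: internationalised (punycode) domain; none of your saved sites is one"
    for saved in VAULT:
        if edit_distance(host, saved) <= max_distance:
            return f"{host}: one edit away from saved site {saved}; credentials withheld"
    return None


if __name__ == "__main__":
    for url in (
        "https://login.example-bank.com/signin",   # genuine site: credentials offered
        "https://login.examp1e-bank.com/signin",   # 'l' swapped for '1'
        "https://login.exammple-bank.com/signin",  # one extra character
        "http://login.example-bank.com/signin",    # right host, but plaintext scheme
    ):
        print(url, "->", credentials_for(url), "|", lookalike_warning(url))
```

The important design choice is that credentials_for uses an exact match on the normalised host: a fuzzy match would hand the password to precisely the lookalike site the manager is meant to protect against. The edit-distance and punycode checks in lookalike_warning are there only to explain to the user why nothing was filled, never to relax the match.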
If you have any questions arising from this blog, please contact firstname.lastname@example.org