Working (Cyber) Safely From Home During COVID-19
Amid the Coronavirus (COVID-19) pandemic, more people than ever before are working remotely from home. This raises new cyber security challenges for businesses but there are ways to mitigate the risk.
This sudden shift to working from home significantly increases cyber risks to businesses. The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), together with the United Kingdom’s National Cyber Security Centre (NCSC), issued a joint alert on how COVID-19 is being exploited by malicious cyber actors. The French National Information Security Agency, the ANSSI, has also noted an increase in fraud related to the public health emergency and in attempts to exploit COVID-19 for phishing or scams. There are, however, steps individuals and organisations can take to reduce these risks.
SECURE AND HARDEN VIRTUAL PRIVATE NETWORKS
The virtual private network (VPN) must now support an entire workforce working from home, around the clock, and on sensitive matters. VPN gateways and licences need to scale to expected and excess or “overflow” traffic. Capacity can be added through a software or appliance solution; certain products require additional user licences, which can generally be purchased on an individual basis.

Multi-factor authentication (MFA) should be required for all VPN access. If MFA is already deployed, businesses should expand it to the remaining staff and endpoints. Although an MFA rollout is potentially disruptive, requiring MFA for VPN access is one of the most effective steps in warding off unauthorised access with stolen or guessed passwords.

Servers and appliances running the VPN should be updated and vulnerabilities patched promptly, prioritised according to severity and the likelihood that they will be exploited; an internet-facing VPN gateway is an attractive target precisely because a single flaw exposes the whole network behind it. Administrative access to the network should be restricted, and “least privilege”, the principle of granting only the access rights a role actually needs, should be applied rigorously: an attacker who obtains administrative credentials can log in to the VPN and move laterally through company systems.

Default passwords should be changed before a device goes into service, and administrative passwords should be long, unique to each system and kept in a password manager or vault rather than shared. Now is the time to consider revising the password policy to require longer passphrases. Companies should also prevent employees from disabling security features or remote access precautions, or creating security workarounds.
“Bring Your Own Device” (BYOD) rules and standards should be updated so that employee devices used for work are enrolled in mobile device management (MDM) software, which enforces the organisation’s security requirements before the device is allowed to reach internal resources. Endpoints with VPN access must run adequate endpoint security software and meet system security configuration guidelines, including split tunnelling disabled or tightly scoped (so that corporate traffic cannot bypass the VPN’s controls), accounts running under least privilege, and host-based firewalls enabled.
To ensure the implementation of new or strengthened security measures, there should be executive- and chief information security officer (CISO)-level oversight of any change management, including to the network baseline or devices.
STRENGTHEN EMAIL AND PHISHING ATTACK PRECAUTIONS
It is worth reminding employees to stay vigilant and follow cybersecurity best practices, as they may be less alert to corporate policies when working from home. As a precaution, companies should set up or strengthen email filters to guard against phishing and spoofing attacks.
Email filters generally work by blocking known spam and malicious content, or through specifically configured rules that score a message on suspicious characteristics (sender, headers, wording and links), which may be bolstered by machine learning. A comprehensive email solution should cover phishing, impersonation (including display-name spoofing and lookalike domains), malicious attachments and spam, and should enforce SPF, DKIM and DMARC so that messages forging the company’s own domain are rejected. Employee training regarding phishing techniques and frequent updates on common COVID-19 spam email campaigns can help keep a network safe. The following are broad but useful tips to send to employees:
• Treat emails that appear to come from health authorities, such as the World Health Organization (WHO), with caution, as threat actors are impersonating high-profile organisations.
• Trust only well-known sources for information on COVID-19. Fake donation websites and email addresses are being used to steal passwords and financial information.
• Exercise caution when opening attachments or clicking links from unfamiliar senders or websites.
• Be wary of attempts by threat actors to reach out by telephone (vishing) or text message (smishing).
• Stay alert for indications of an attack, e.g., a false sense of urgency or pressure to ignore security procedures.
• Ensure the home Wi-Fi router and all devices are protected by a strong password and current encryption (WPA2 or WPA3), and that the router’s default administrator password has been changed.
• Promptly install updates.
• Don’t let family members use work equipment.
• Guard against “shoulder surfing” and against photographs or screenshots of work material, and otherwise secure the physical workspace at home.
• Notify the helpdesk or information security team immediately when you receive suspicious communications.
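The rules-based filtering described above can be illustrated with a small scorer. The following is an added example, not code from the original alert: it runs a handful of rules (a protected display name such as “World Health Organization” used from a domain that does not own it, a Reply-To that steers replies elsewhere, urgency language, a COVID-19 or donation lure, and links outside the sender’s domain) over constructed sample messages. The protected-name list, rule weights and verdict thresholds are assumptions chosen for illustration, not values from the page.

```python
"""Rule-based phishing scorer (illustrative example; not the alert's own code)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Display names worth protecting, mapped to the domains that legitimately send
# as them. Hypothetical list: an organisation would maintain its own.
PROTECTED_NAMES = {
    "world health organization": {"who.int"},
    "centers for disease control": {"cdc.gov"},
}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|act now|final notice)\b", re.I)
LURE = re.compile(r"\b(covid|coronavirus|donate|donation|relief fund)\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s\"'<>]+)", re.I)

QUARANTINE_AT = 3  # arbitrary thresholds chosen for this example
FLAG_AT = 1


def domain_of(addr_header):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def same_org(host, sender_domain):
    """True if a link host is the sender's domain or a subdomain of it."""
    host = host.lower().split(":")[0]
    return host == sender_domain or host.endswith("." + sender_domain)


def score_message(raw):
    """Score one RFC 822 message and return score, verdict and findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings, score = [], 0
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Rule 1: a protected display name sent from a domain that does not own it.
    name = re.sub(r"[^a-z ]", "", display.lower())
    for protected, domains in PROTECTED_NAMES.items():
        if protected in name and sender_domain not in domains:
            findings.append(f"display name '{display}' impersonates {protected}")
            score += 3

    # Rule 2: Reply-To steers replies to a different domain than From.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from {sender_domain}")
        score += 2

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    # Rule 3: pressure to act now (the "false sense of urgency" employees are warned about).
    if URGENCY.search(text):
        findings.append("urgency language")
        score += 1

    # Rule 4: COVID-19 or donation lure in subject or body.
    if LURE.search(text):
        findings.append("COVID-19 or donation lure")
        score += 1

    # Rule 5: links pointing outside the sender's own domain.
    foreign = {h for h in LINK_HOST.findall(body) if not same_org(h, sender_domain)}
    if foreign:
        findings.append(f"links to foreign hosts: {sorted(foreign)}")
        score += 1

    verdict = "quarantine" if score >= QUARANTINE_AT else "flag" if score >= FLAG_AT else "deliver"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail).
PHISH = """From: World Health Organization <alerts@who-covid-update.com>
Reply-To: donations@secure-payments-now.net
Subject: URGENT: COVID-19 donation required immediately
Content-Type: text/plain; charset=utf-8

Please donate to the COVID-19 relief fund within 24 hours:
http://who-covid-update.com/donate
"""

INTERNAL_URGENT = """From: IT Helpdesk <helpdesk@example.com>
Subject: Please install the VPN client update immediately
Content-Type: text/plain; charset=utf-8

Download the update from https://vendor-downloads.example.net/vpn-client
"""

LEGIT = """From: Payroll Team <payroll@example.com>
Subject: March payslips available
Content-Type: text/plain; charset=utf-8

Your March payslip is available at https://intranet.example.com/payslips
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("internal", INTERNAL_URGENT), ("legit", LEGIT)):
        print(label, score_message(sample))
```

The scorer deliberately leaves a middle “flag” tier: the internal helpdesk message trips the urgency and foreign-link rules, which is exactly the kind of mail a filter should surface for review rather than silently drop. In a real gateway these rules would run after SPF, DKIM and DMARC evaluation, and the weights would be tuned against the organisation’s own mail.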
The following helpful resources address these threats:
• The European Union Agency for Cybersecurity’s Tips for cybersecurity when working from home.
STAY ON TOP OF PATCHING AND BACKUPS
Organisations should ensure they continue to deploy security patches for infrastructure and software. Bad actors take advantage of lax patching practices, so it is important to track the availability of patches that address known vulnerabilities, particularly for internet-facing systems such as VPN gateways and remote access portals. Backups ensure that data can be recovered in the event of data security incidents, such as ransomware, system failures and other data integrity issues. Having a reliable, recent backup that has been tested by actually restoring from it can help a business avoid paying a ransom; because ransomware operators routinely seek out and encrypt backups, at least one copy should be kept offline or otherwise isolated from the production network. In addition, enhanced logging of VPN, authentication and endpoint events makes it possible to identify errors and intrusions early and to course-correct.
ENSURE IT AND SECURITY STAFF RESILIENCY
The exceptionally wide reach of COVID-19 may necessitate cross-training, teaming and collaboration between IT and information security in the event that a number of key employees are affected at the same time. At the very least, organisations should appoint a deputy CISO who takes the helm when the CISO is travelling or ill, and the incident response plan should designate a backup to that deputy, in case both are unavailable.
REVIEW THE INCIDENT RESPONSE PLAN
In addition to being required by certain regulators, a good incident response plan (IRP) is like the coach’s playbook for an entire game. It should tell the incident response team how to respond to a cyberattack, such as a credential harvesting campaign, a ransomware attack or a network intrusion. All organisations should review their existing IRPs to ensure they account for a remote workforce scenario and meet the following requirements:
• Key personnel should have access to the latest version of the IRP from home.
• The IRP must remain accessible if company systems are encrypted in a ransomware attack or otherwise disabled.
• There must be a hard copy of the IRP, easily located in a secure home workspace; ideally, all critical team members should have hard copies.
• The IRP should include updated mobile phone numbers and alternate email addresses for all incident response team members, and a plan for offline or out-of-band communications, in the event that connectivity is lost or the threat actor is inside the network and able to read email and chat.
MANAGED SECURITY SERVICE PROVIDERS
When healthcare organisations are inundated with seriously ill patients, they cannot afford downtime caused by data security incidents. When security teams are short-handed or personally affected by the virus, oversight of IT systems may be impaired. Both situations leave organisations extremely vulnerable to cyber criminals. Organisations should consider engaging a trusted cybersecurity firm to provide managed security services. Such a provider can augment the in-house security team with managed detection and response, identifying threats early and reducing the consequences of a breach. Its Security Operations Center can provide remote monitoring of IT systems to detect intrusions and anomalous activity, and 24/7 managed detection and response allows internal teams to focus on building resilience.