Crossword Cybersecurity PLC (LON:CCS) has issued a helpful step-by-step guide that will help mitigate the security risks for companies whose employees are working from home during the COVID-19 lockdown.
It is based on the advice it is providing FTSE-100-listed clients. Here, as a service to Proactive’s readers, are the main points:
1. Run audio and video calls securely - What is visible in the background of your screen during video calls and is someone monitoring who is on the call? The same is true for audio-only calls. A team member should be responsible for ensuring only invited guests are present, and calls should be locked once started, so other participants cannot join.
2. Educate employees on phishing attacks - The NCSC mentions COVID-19 related phishing attacks that use the current crisis to trick employees into clicking on fake links, downloading malware, and revealing passwords, so educate them. These could be fake HR notifications or corporate communications; fake tax credits; fake emails from mortgage providers; free meals and mechanisms for registering for them. The list is endless, and cybercriminals are very news savvy and quick to adapt. Employees are likely to be more vulnerable to phishing attacks because of rushing, fear, panic, and urgency: all the behavioural traits that result in successful phishing attacks.
3. Automate Virtual Private Network (VPN) configurations - IT and Security teams may have a backlog of users to set up on VPNs, to provide secure connections to corporate networks. Do not allow employees to send data insecurely; use automation to accelerate deployments and guarantee correct configuration. Even IT staff are fallible, and the combination of work volume pressure and working fast may leave a gaping hole in your infrastructure.
4. Control the use of personal devices for corporate work - Due to the rapid increase in home workers, many employees may be using their own devices to access emails and data, which may not be covered by Bring Your Own Device (BYOD) policies. In practice, this means that employees' personal devices may not be securely configured or properly managed, and may be more vulnerable. IT and Security teams may, again, need to retrospectively ensure that employees are complying with BYOD policies, have appropriate endpoint security software installed, etc.
5. Stop personal email and unauthorised cloud storage use - When companies are experiencing IT difficulties in setting up employees to work from home, people may be tempted to use personal email accounts or their personal cloud storage to send and store data as a workaround. These are a risk and can be easy for cybercriminals to target to gain company information or distribute malware, as they are not protected by the corporate security infrastructure.
6. Keep collaboration tools up to date - Tools such as Microsoft Teams, Zoom and Google Hangouts are great, but it is important to ensure all call participants are using the latest versions of the software, and that includes partners and customers that may be on calls. Employees should also only use the corporate-approved tools and versions, as they will have been tested by security teams for vulnerabilities that could be exploited by cybercriminals.