Security awareness issues for remote workers

Work from home is not a new phenomenon in today’s digital world, but this month it has become a necessity for many more people.
The pandemic situation around the world has forced a number of employers to send their employees home. The challenges range from maintaining our productivity at home to assuring our cybersecurity, which is put at risk by remote access. But how does working from home on our personal devices make us an easier target?
There are two different aspects: our own security as a user on the one hand, and the risk we pose to our organization on the other. The impact on the end user depends on the person's security awareness. When we know the basic cybersecurity principles, including:

  • Passwords & Strong Authentication
  • Incident Response
  • Awareness of Phishing scams (emails, attached files, fake websites)
  • Awareness of Secure Data Processing and Storage
  • Password securing & encryption of confidential information


then the risk is much lower.

On the other hand, if the person is an employee who is required to work remotely, they might pose a risk to the company.

In that case, it is up to the company how well it has secured its information.

SCENARIO 1

The employee is using a personal laptop or a corporate one, but without security policies, Active Directory with specific technical restrictions on the systems, encrypted communication, network traffic monitoring, a phishing prevention solution, malware protection, up-to-date software, network segmentation and so on. In that case, we consider the risk High.

SCENARIO 2

The company has some security measures in place. There is a VPN connection to the office environment, where the information is held in a secure and well-segmented part of the network. Employees use corporate laptops that are joined to Active Directory with the appropriate security measures. Passwords for the VPN and other portals are not auto-saved. The risk here is Medium: the user's computer is less likely to be compromised, and the impact of a potential attack is low because the system is disconnected from the VPN when not in use. Of course, if you spot something strange, it is better to disconnect until you have figured out whether everything is fine.

SCENARIO 3

All of the measures listed in Scenario 1 are applied. The risk for both the employee and the employer can be considered Low.

If our system is well protected, our security can be considered equal to that in the office.

Can we expect an increase in specific types of attacks?
Unfortunately, in the past few days there has been a pandemic of phishing attacks alongside the coronavirus one. Malicious hackers rely on the fact that everybody is opening all kinds of COVID-19 related information without looking at the email headers or at the legitimacy of the website. Panic is catching everybody unprepared. There is even a map showing infection rates around the world, but behind the map malware is waiting to steal your passwords
(www.Corona-Virus-MapDOTcom).

Many phishing emails promise the latest news on the topic but are aiming for your identity instead.

Every company has different critical information points, but in general they are:

  • File sharing locations (SharePoint sites, file transfer servers)
  • Knowledge bases
  • CRM Systems
  • ERP Systems
  • Payroll and HR Systems
  • Financial and Accounting Software
  • Databases with corporate and user data
  • Email Servers

Each of those points should be well isolated in the network and well protected: secure authentication methods (with multi-factor authentication where possible), separate user groups with defined access rights, encryption of the information, logging and more.

The more secure the system is, the smaller the risk and the impact on the company.

What measures and technical solutions can an individual take in order to improve security? What should the company do?

The user can take a few simple but effective steps:

  • Keep all passwords in password management software (KeePass, Password Safe, Keeper, LastPass and more).
  • Protect all sensitive information with encrypted storage (hard drive, portable hard drive, USB flash drive). This can be achieved with BitLocker, VeraCrypt/TrueCrypt and others.
  • Carefully inspect the origin of emails and check that the domain in a hyperlink is correct before visiting the website.
  • Be careful when opening attached files if not sure of the sender's legitimacy.
  • Use a second factor of authentication where possible.
  • Lock the computer when not active.
  • Improve awareness by watching the company's "Security Awareness" trainings, if such are available.

The company, on the other hand, should regularly assess the security of its assets and implement (at least) all the measures described in Scenario 1 above. It is the company's responsibility to make sure the employee is aware of the risks, knows how to process data securely and knows what to do in case of an incident. It is the employee's responsibility to follow the company's procedures and policies.

Should we share confidential information, and what is the best way to do it?

The situation with the coronavirus is giving us the opportunity to get to know our families better. But it is also teaching us how to be modern and use the technologies of the current century.

Working from home doesn’t mean that confidential information should not be shared.

Nowadays there are secure means for remote connection and communication over VPN, secure methods to transfer files over SFTP, remote control of systems through Active Directory, DLP solutions to prevent data leakage and more. We can also use encrypted containers (VeraCrypt) when data has to be transferred securely, and we can send encrypted emails using S/MIME, Office 365 Message Encryption and more.

It is important that the password for such encrypted content is transferred over a separate communication channel, not alongside the data itself.

Many companies might also realize that "working from home" is not so scary, which could lead to optimization of working time, fewer expenses in the long run, fewer CO2 emissions, optimization of office space and more benefits.

Looking at the company structure, which is the riskiest group of employees?

Based on our experience, those are usually:

  • Customer Support / Call Center staff – due to the large number of people they communicate with, the many emails they exchange, frequent work with attached files and more.
  • Sales Representatives – due to their frequent communication with clients and frequent emails.
  • Finance and Accounting – due to the financial information they possess.
  • Management – due to the confidential information they have on their systems. CEO Fraud is often used, where a malicious user spoofs a message so that it appears to come from senior management. In that case, employees usually hurry to provide the requested information without realizing that there is a malicious hacker behind the email, or they leak their credentials by visiting a link in the email.
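Two of the checks described above, inspecting where a hyperlink in an email really leads (from the user steps) and spotting the CEO Fraud pattern of an executive's name on an outside address, as an added Python example that is not part of the original article; the company domain, the executive name and the sample message are all constructed values.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.test"   # assumed company domain (constructed)
EXECUTIVES = {"jane doe"}              # constructed display names of management
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")

def registrable(host):
    """Crude domain reduction: keep the last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html):
    """(href, visible text) pairs whose text names a different domain than the
    href really points to.  Simplified HTML scan, enough for a mail body."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()       # drop nested tags
        real = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(0)) != real:
            flagged.append((href, text))
    return flagged

def spoofed_sender(from_header):
    """CEO-fraud pattern: an executive's display name on a non-company address."""
    name, addr = parseaddr(from_header)
    return (name.strip().lower() in EXECUTIVES
            and not addr.lower().endswith("@" + COMPANY_DOMAIN))

def analyze(raw_message):
    """Run both checks on a raw message with a text/html body."""
    msg = message_from_string(raw_message)
    return {"spoofed_sender": spoofed_sender(msg["From"] or ""),
            "suspicious_links": suspicious_links(msg.get_payload())}

# Constructed sample: an "urgent" note that looks like it comes from management.
SAMPLE = """From: Jane Doe <jane.doe@example-corp-mail.test>
Subject: Urgent COVID-19 update
Content-Type: text/html

<p>Review <a href="http://corona-virus-map.test/login">portal.example-corp.test</a> now.</p>
<p>Internal page: <a href="https://intranet.example-corp.test/">intranet.example-corp.test</a></p>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The first link is flagged because the visible text names the company domain while the href points elsewhere; the second is not, and the sender is flagged because an executive's name sits on a lookalike domain.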

Be aware, not scared. Your cybersecurity matters.