The novel coronavirus outbreak is having a major impact on businesses this quarter and, by all accounts, is set to be a major challenge for enterprises throughout the rest of the financial year. The US CDC (Centre for Disease Control) hinted that it may be necessary to implement “social distancing measures”. At present, its official advice is that employees with symptoms should be encouraged to telework where possible and companies should prepare to have “the information technology and infrastructure needed to support multiple employees [working from home]”. Some large enterprises, IBM, Goldman Sachs, PwC, and Twitter among them have already gone a step further and preemptively instructed all employees to work remotely where possible.
In providing the infrastructure and support for large-scale teleworking, organisations need to prepare themselves and their employees for the increased cyber security risks such a shift can bring. In this post, we outline some of the challenges and best practices for staff suddenly faced with a transition from office-based work to remote work.
Physical security of company devices
First of all, it’s important to note that just because employees won’t be working from the office doesn’t mean they won’t travel or work in public places. When doing so, employees are exposing themselves to a greater risk of losing their laptops and all the data that resides locally.
Do – Ensure all devices that support it use full disk encryption. If a machine is lost, the data on the device should not be accessible to thieves.
Do – Implement robust password management for laptop access. All accounts on the device should require unique login credentials, and where practical user accounts should be restricted to non-Admin privileges.
Do – Remind employees to log out whenever the system is not in use, even at home. Screensavers should also require a password. Encourage employees to remember and use handy keyboard shortcuts like Win-L (Windows) and Ctl-Cmd-Q (Mac) to quickly lock the screen whenever they step away from the computer.
Do – Remind staff of the necessity of basic security practices, such as ensuring that they don’t leave company property unattended in public places. Remind your employees not to be that Starbucks customer who goes to the counter for a refill while leaving an open laptop on the table. When working on the laptop in a public place, staff always need to be aware of those around them.
Access to company networks
When accessing corporate networks remotely, there is a higher risk of unauthorised access and data leakage. Employees may engage in behaviour they never would do at the office, such as sharing a device with other family members or using the same device for both personal and work activities. In addition, the use of Home ISPs and public Wifi services present an attack surface that is outside of your IT or security team’s control.
Do – Use a VPN to connect remote workers to enterprise networks and servers. A virtual private network provides a direct connection as if the remote device were connected to the organisation’s LAN. The encrypted communications cannot be spied upon by the user’s home ISP and can prevent a ‘man-in-the-middle’ type attack.
Do – Implement a 2FA or MFA mechanism for logging in to the company network. Short-time code generators like Google and Microsoft Authenticator should be in use wherever possible to minimise the risk of compromise through credential theft or phishing.
Do – Remind staff that a laptop used at home is still company property and should only be used by authorised personnel for company business. Any non-work related activity should be conducted on the employee’s own devices.
Authorising financial transactions
The biggest financial losses due to cyber crime occur through Business Email Compromise (BEC/EAC), where attackers take over or spoof the account of a senior manager or executive, and use that account to instruct another member of staff via email to make a wire transfer to an overseas account, usually on the pretext of paying a phoney invoice. An increased number of staff working remotely presents an opportunity for BEC fraud, as the whole scam relies on communications that are never confirmed in person.
Do – Restrict the number of people authorised to conduct new, overseas wire transfers, and ensure that all new requests are subject to secondary confirmation.
Do – Make use of teleconferencing technology (Skype, Zoom, and similar) to ensure that financial transactions are actually coming from a legitimate, senior member of staff.
Susceptibility to phishing campaigns
Phishing campaigns are a threat for all employees whether they are based in-house or remote, but for workers who are unused to working ‘home alone’ and are now dealing with an increase in email and other text-based communications, it can be easier for them to lose perspective on what is genuine and what is a scam. In particular, with a rise in malspam playing exactly on fears of coronavirus from the “usual suspects” like Emotet and TrickBot, remote workers need to be extra-vigilant.
Do – Train staff to habitually inspect links before clicking by hovering over them with the pointer to see the actual URL destination.
Do – Train staff to deny requests to enable Macros when opening email attachments. Ideally, use an advanced EPP/EDR security solution that can enforce a policy to prevent Macro execution or block malicious content if it is executed by the user. CDR (Content Disarm and Reconstruction) software can also help protect against exploits and weaponised content in emails and other external sources.
Protecting endpoints from malware
Do – Ensure you have visibility across your entire network so that you can detect unprotected devices and receive notifications of anomalous behaviour.
Unlike the desktop computers in your office, which likely never connect to any other network than the company intranet, portable devices like laptops and smartphones used by remote workers can have a history of network promiscuity. If such devices are unprotected, you never really know where they have been, what they have been connected to, what peripheral devices have been plugged into them or what processes they are running. All the measures mentioned above won’t prevent a network breach if a user with an infected device logs on to the corporate network.
Do – Protect all your endpoints with a trusted, next-gen security solution that acts locally on the device itself and does not require cloud connectivity.
Do – Protect your endpoints by enforcing device control that gives you the capability to manage the use of USB and other peripheral devices across all your endpoints.
Telework or telecommuting need not impact employee productivity or security, and many organisations will have some experience of supporting remote work at some scale. The challenge presented by the ongoing Covid-19 outbreak is that your organisation could have to support a rapid, large-scale shift to remote work, involving employees who are typically office-based and not used to the different demands that working from home can bring. When routines get upset, security is often an early casualty. Make sure your employees understand and are prepared for the additional security challenges of remote work if they are requested or required to work from home during the current health emergency.
David Erel is the Senior Director, SaaS Platform at SentinelOne