The UK is in the delay phase of COVID-19 with schools closed and employees asked to work from home where possible. So, how do businesses remain data compliant and cyber secure with staff working remotely, some for the first time?
Firstly, rate the risks that remote working poses through a quick risk and security audit, which can be done whether employees are already working from home or not.
Look at possible insecurities in the network that can arise through remote access. For example, staff working in isolation for a length of time with email as their main source of communications leaves them more vulnerable to phishing and social engineering attacks.
Identify and rate these risks on your most important assets and agree the best approach to deal with them. Getting key stakeholders from all areas of the business involved in these conversations is key as different areas of the business will have unique perspectives, based on their data, systems and way of working. Then, start implementing effective security measures starting with data protection.
Preventing a data leak
Legal and regulatory data protection and compliance worldwide is more stringent than ever, and the mishandling of it can result in severe consequences on finances and reputation – the ICO’s intention to fine British Airways £183.39m and Marriott £99.2m last year demonstrates this.
Whether working remotely or not, data always needs protecting accordingly and the fact the business is forced to set up remotely due to COVID-19 won’t be an excuse.
So, have a remote working policy that’s clearly communicated to all staff, outlining the expected standards that must be followed when connecting in and accessing corporate data remotely. These approved methods of working, communicating and sharing information help avoid accidental and unintentional data loss. Furthermore, ensure data isn’t being kept longer than necessary or used in ways it was never intended under these new remote working practices.
Education and awareness is also key. It’s very easy for even the most well-intended employee to email important documents to personal accounts or save them to personal cloud services.
Encrypt your devices and documents
As more devices are taken out of the office, protecting mobile devices such as laptops with strong disk encryption must also be a priority control. Many data protection laws, including GDPR, call out encryption to be one of the most effective controls we can apply.
However, data is shared with multiple people, often geographically dispersed. Use technology to classify sensitive data and build the protection into the documents. So, even if a document gets in the wrong hands, centralised control over who can open that document remains.
As machine learning technology evolves, it’s even easier to classify large libraries of data, by training the classification engine in what to look for and assisting staff when applying data classification labels – the end result is data is protected at its source for its entire lifecycle.
Set up multi-factor authentication
With adversarial tools testing the resilience of a network and with so much information online about organisations, it’s not long before attackers discover what technology an organisation uses. It’s amazing to see from a quick demonstration using open-source intelligence tools (OSINT), how much information can be scraped online from a business’ environment. Within five minutes it’s possible to identify at least three login interfaces, as well as gather information from social media to build staff email address and username lists. So, single, password-based authentication is no longer enough protection.
A strong second form of authentication is needed to keep cyber criminals out – it could be something you have like a token generating app on your mobile phone, or tied to you, such as your fingerprint. Multi-factor authentication can be enabled so it doesn’t compromise the user experience such as by only prompting you for your second means of authentication when the risk exceeds a certain threshold.
Implement endpoint detection systems
Several malicious COVID-19 campaigns are circulating such as the coronavirus map application which installs the AZORult malware to remotely steal your credentials and web browser data, such as payment card numbers. Many are impersonating global health officials using phishing emails, text/SMS, and social media posts aimed at spreading malware including ransomware. To protect against such threats, defences must extend to all devices that access the network.
But traditional anti-malware solutions are struggling to cope. Next-generation endpoint protection tools can help by providing visibility into all events at every endpoint in the company’s network so threats can be isolated and contained quickly, wherever they are located.
These are unprecedented times with many businesses trying to adapt quickly to ever-changing circumstances. It’s important for businesses to carry out their due diligence and implement effective cyber security measures so we don’t let cyber criminals take advantage of employees when working from home.
Alex Bransome is CISO at Doherty Associates