Maintaining Information Security while working from home
With the Covid-19 crisis forcing a mass shift to working from home, we caught up with Magda Chelly, Managing Director and Chief Information Security Officer at Responsible Cyber in Singapore, to discuss some of the key information security issues that businesses need to consider.
1. With the mass shift to working from home, what are the main risks SMEs need to think about?
SMEs act as easy targets for malicious cyber agents because they tend to have less sophisticated security infrastructure and fewer trained cybersecurity workers on staff to manage and respond to threats. As many SMEs have not invested in adequate cyber protection, they are easy prey. With Covid-19 declared a worldwide pandemic, we can expect a much-increased proportion of the workforce working remotely from home. These locations typically have less or no preventive layers of cyber security (compared to an office environment) and cyber attackers will surely find more opportunities to attack.
The main risks include insufficient:
- Laptop security – ensure your teams laptops are not infected with a malware
- Network security – ensure passwords for WiFi routers are changed, as most common default credentials are “admin – admin” and are rarely changed by the users
- Data loss prevention – ensure your team do not download all your company’s data on their own laptops
2. Naturally many people will have to work from their home PCs or laptops. What should companies consider in managing exposures this may present?
- Simple multi-factor authentication (MFA). MFA is the simplest way to immediately reduce the risk of being compromised. It is easy and free most of the time. Users however need to implement it by themselves as it is not turned on by default. For the record, an 8-character password can be hacked in less than 1 minute.
- Endpoint (Laptop) security controls. Two immediate quick wins here are private network access and malware prevention. This equates to VPN and antivirus/anti-malware. Note that some of the free tools are not fully efficient and may well cause additional risks. If you are not paying for the product, you probably are the product!
- Mobile device security. In 2018, there were spyware discovered on Google Play that were recording screens and spying on your banking applications. Do not download random applications thinking that someone else will take care of its security.
These are very quick wins and will help you start your journey into maintaining security for company’s assets.
3. You touched on working of mobile. I think most understand the basics for protecting their laptops and PCs – but we’re doing more and more work from our mobiles. What do we need to think about here?
Businesses are vulnerable to data theft, especially if employees are using unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks could be at risk from unsecured devices carrying malicious applications which could bypass security and access the network from within the company.
This threat is easily mitigated when there is a comprehensive BYOD policy which educates employees on device expectations and allow companies to better monitor email and documents that are being downloaded to company-owned devices.
4. Phishing, Malware, etc. – these are terms we have all heard of, but many of us don’t understand. Can you help explain what so the most commons threats here are?
Despite constant warnings from the cyber security industry, people still fall victim to phishing every day. As cybercrime has become well-funded and increasingly sophisticated, phishing remains one of the most effective methods used by criminals to introduce malware into businesses. Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Spear phishing is a targeted form of phishing in which phishing emails are designed to appear to originate from someone the recipient knows and trusts – like senior management or a valued client. If an employee is tricked by a malicious link in a phishing email, they might unleash a ransomware attack on their small business. Once access is gained, ransomware quickly locks down business computers as it spreads across a network. Until a ransom is paid, businesses will be unable to access critical files and services. This attack has been very popular in the last years.
Therefore, to avoid the risk posed by phishing and ransomware, SMEs must ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure – offline – backups of their critical data. Hence, since ransomware locks down files permanently (unless businesses want to cough up the ransom) backups are a crucial safeguard to recover from the hack.
5. Finally, away from work from home topic, more businesses are moving to digital payments, managing more 3rd party data, etc. Based on your expertise and experience, what are some of the key things to consider in managing cyber risks?
Cybersecurity strategies, policies and technologies are entirely worthless if employees lack cybersecurity awareness. Without any kind of drive to ensure employees possess an elementary level of cyber security knowledge, any measure or policy implemented will be undermined.
Many employees do not know (or care enough) to protect themselves online, and this can put businesses at risk. Hold training sessions to help employees manage passwords and identify phishing attempts. Then provide support to ensure employees have the resources they need to be secure. Eventually, a basic level of knowledge and awareness could mean the difference between being hacked or avoiding the risk altogether.
Additionally, security does not come by default. Solutions like Office 365 do not enable security features. You need to do that. It is based on a shared responsibility model, where the customer owns the security of the data.
Have a security concern? Contact Responsible Cyber today to learn more about their cyber security services.
in**@re***************.com OR +65 3157 2141