Our top tips for working from home securely
The recent COVID-19 situation has suddenly presented IT personnel and users all over the world with a set of cyber security challenges that, whilst not unique, are being experienced on a significantly larger scale than ever before. Over the past few weeks we have been sharing with you our tips for working from home, its security and policies necessary – via email and on our blog. Here’s another, more comprehensive article that we wrote based on our experience and the National Cyber Security Centre’s guidelines for remote working. Here are some of the most popular threats and cybersecurity measures to be considered.
CYBER SECURITY THREATS
You may remember our article about coronavirus-related scams and how to recognize a dangerous email. You can read it again here. In short, some things that you should consider when processing emails in current climate are:
- Many phishing emails have poor grammar, punctuation and spelling
- They come from public domains (e.g. “@gmail.com”)
- Emails asking you to share sensitive information are most likely not to be genuine – why would a vendor that you’re currently using ask you to confirm your password?
- Ensure employees are aware of this type of threat and how to avoid it
- Always check email addresses carefully, particularly if there is any financial implications to requested actions
- Please be wary of any emails referencing Coronavirus from an unrecognised source
- Criminals will use the fear and uncertainty surrounding Coronavirus to scam users
- Manually type in URLs to sites you want to visit rather than clicking on links
- Verify the email – do not contact the supplier of the invoice through links or the phone number supplied within the email. Do not reply directly to the email. Contact a known supplier through pre-existing channels. Look up their phone number online. Check your CRM
“Vishing” stands for “voice phishing” – the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Be wary of unsolicited phone calls claiming to be from banks, internet providers or any other entity requesting passwords, usernames or money for any service. If necessary contact the site or service through an established contact method and not through any links or numbers provided within the communication received.
SOCIAL ENGINEERING & BUSINESS EMAIL COMPROMISE (BEC)
In normal operations, companies may have processes and standards to permit remote working for their employees. These processes could include an approval process, a health and safety survey on the users proposed workspace, an evaluation on personal devices used for work, and other tests to ensure business continuity. All these can be opportunities for criminal social engineers to deceive your staff, pretending to be a creditor, debtor, a member of senior management or IT administration and sending emails attempting to obtain some form of payment or sensitive information from unsuspecting employees.
These operations may result in funds being transferred from your organisation to criminal-run accounts (invoice fraud) or passwords, bank details, and other credentials being passed to criminals pretending to be an associate or employee of an organisation.
You should be wary of BEC and be very careful when receiving emails from vendors/clients notifying of a change of bank account and requesting payments made into the new account. Always verify the change using previously established forms of communication. If in doubt make a phone call to confirm the request (remember to use a phone number already existing in your system, rather than the one included in the email).
REMOTE ACCESS THREAT
Another threat to your business could be Remote Access Trojans (RATs). Large numbers of staff working remotely create more opportunities for such attacks, as there are more existing vulnerabilities. Criminals may attempt to brute force VPN credentials so as to gain access to the company network; they could also attack home routers (that often aren’t very secure) or simply send a malicious email. When a RAT gains unauthorised access, it is deployed on the victim’s machine and it has remote control over the device.
KEEPING YOUR WORK ENVIRONMENT CYBER SECURE
SECURE PASSWORD POLICY
For more detailed explanation, you can read our blog post on secure passwords, MFA and password managers. Here’s NCSC’s passwords advice:
- Passwords should be at least 12 characters in length
– Consider using “passphrases”; these are easier to remember and help in creating longer, more complex passwords
– Use random and unrelated words
– Use words that do not appear in the dictionary
– Use words from different languages
– Use a combination of random numbers and special characters throughout the passphrase
– Do not use common phrases or quotes
– Do not use personal words like family names, pets, local football club or anything associated with your personal life (you know best how much you share on social media)
– Do not use words or abbreviations associated with your organisation or industry
- Enable Multi-Factor Authentication (MFA) – it means that apart from using your username and password, you’d have to use one other piece of information. This other piece of information can come in various forms. It may be:
– A one time dynamically issued token
– A physical object in the possession of the user
– A physical characteristic of the user (biometrics)
– An additional piece of information that is only known to the user
- Consider using password managers as an easy way to manage (or even suggest) multiple complex passwords (we recommend and use LastPass)
- Do not reuse passwords across multiple accounts
- Explain to your employees the importance of secure password hygiene, not just with their work accounts but also with their personal accounts
You can use this website to see how much time it would take a computer to crack an easy password (try something like “password1234”) and how that time changes as your password becomes more and more complex (we think that 25 quintillion years is a pretty safe bet, considering that Earth has only up to 7.5 billion years left).
HOME ROUTER HARDENING
Hide home wireless network SSID name: This step will prevent your network name from being seen by those in proximity to your home router. It prevents your network appearing on “available networks list”. Your network could be still detected by using a WiFi scanning tool, but an opportunistic attacker is more likely to choose a non-hidden network.
Change your wireless network name: Internet Service Providers provide routers to customers with a default SSID name and password. Many manufacturers have their own particular naming convention. Revealing your network’s default name will facilitate criminals identifying the make and model of your home router, which would allow them to determine if a vulnerability exists for that particular device. When renaming your router never use a name that might give away the identity of your home or family.
Disable WPS (Wi-Fi Protected Setup): Even though found to have a vulnerability, this feature is still enabled by default on many routers. While meant to provide a simplified mechanism for setting up WiFi, the PIN authentication can be easily brute-forced.
Turn off Guest Networking: In certain circumstances home routers have a Guest access feature enabled by default, that obviates the need for a security key when accessing a WiFi network.
Choose Strong Security Protocol (“WPA2” or the newer “WPA3”) and make sure your password is hard to guess. Consider using a wired connection (Ethernet/RJ45 cable) to connect to your router if possible.
As remote working became our new reality, the use of video conferencing technologies such as Zoom, MS Teams or Google Hangouts has grown suddenly. Conference calls are by their nature not fully secure as you are never entirely sure of whom you are speaking to (particularly in bigger meetings). We recommend not discussing any confidential information over these means and suggest careful management of remote conferences (identify verification, PIN access).
Our top tips for secure video conferencing:
- Keep the applications updated at all times
- Prioritise using the Web Browser to access your web conferencing application, rather than using a desktop or mobile app
- Enable Multi-Factor Authentication (MFA) on your Web-Conferencing account
- Protect your meetings with a password or PIN and only share them with those scheduled to attend the meeting
- Send passwords or PIN via out-of-band means e.g. text message
- Make sure to enable features that alert of newly joined participants to ensure spotting intruders
- The host should restrict who is allowed to use their camera and microphone
- Minimise the use of the chat and file sharing functions or disable entirely if not required. Remember than any private chat messages sent to participants of the meeting, will be included in the conference transcript
- Do not give control of your screen
- Consider making registration a requirement
- Select “Lock Meeting” function or similar once all expected guests have joined the meeting
- Before starting a meeting, check participants menu to see who exactly is on the call
For more tips on how to keep your video calls productive and professional, download our guide to video calls and conferencing.
USE OF WORK-ISSUES DEVICES
If you’re working on a work-issued device, make sure you use it to access your work systems and data only. Take extra care to protect the device from unauthorised access. Here are some tips from us and the NCSC:
- Don’t allow anyone else to use your devices (desktops, laptops, phones, tablets). We know it can be hard to entertain your children during this time, but you must not allow them to access your work-issued device.
- Don’t use family electronics for storage or processing of work data. Any kind of shared device can increase the risk of compromise to the security of the data, as well as undermine the integrity and management of that data.
- Always store your company device or hard copies of documents in secure locations, to avoid loss, damage or theft.
- Make sure all the devices are secured with a password or PIN (and that you don’t write it down anywhere, or store electronically in any other form than in a company password manager)
- All the devices should be encrypted.
- Ensure there’s a solid antivirus and antimalware protection on all your and your staff’s devices.
- All devices must be set to lock automatically after a short period of non-use.
- When leaving a work-issued device unattended (e.g. on the table in your study, even if just for 2 minutes), make sure the device is locked (a password/PIN is needed to log back in).
- Be aware that your device may have an IT policy applied that results in the device being completely wiped (factory reset) if the password/PIN is entered a certain number of times incorrectly. If struggling to get in, get in touch with your IT department.
- Be mindful of the physical security of the devices lent to you (don’t place glasses of liquid directly next to your laptop, don’t use your phone on the toilet… we’re sure you can use your common sense to figure this out).
- At the end of each day desktops/laptops should be powered off.
You can download our guide for BYOD (Bring Your Own Device) for best practice for your private device being used for work purposes.
It is also worth noticing that if you handle hard copies of documents and printouts, you should treat them as carefully as you would in an office environment. Don’t allow any non-staff to access them. Don’t put any confidential material in your recycling bin, if you think it qualifies for an office shredder. It’s probably best if you avoid printing materials outside of the office altogether.
Ensure that all your staff read this, are aware of the potential threats and know how to stay secure while working from home. A silly mistake may cost you a lot of money and business continuity.
Let your employees know what to do in case they think their company data or device has been compromised – what’s your company policy for such a scenario?
Make sure you let your IT team (internal and external) know of any potential breach, as the faster they act, the better they can mitigate the risks and ensure safety of your business. You can report a cybercrime to National Cyber Security Centre by following this link.
And if you’re an existing Dial A Geek customer, do all your employees know that they can call or email us as always?
Dial A Geek on 0117 369 4335
Open a ticket by emailing [email protected]