The recent COVID-19 situation has suddenly presented IT personnel and users all over the world with a set of cyber security challenges that, whilst not unique, are being experienced on a significantly larger scale than ever before. Over the past few weeks we have been sharing our tips on working from home, its security and the policies it requires, via email and on our blog. Here’s another, more comprehensive article that we wrote based on our experience and the National Cyber Security Centre’s guidelines for remote working. Below are some of the most popular threats and the cybersecurity measures to consider.
You may remember our article about coronavirus-related scams and how to recognize a dangerous email. You can read it again here. In short, some things that you should consider when processing emails in the current climate are:
“Vishing” stands for “voice phishing” – the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
Be wary of unsolicited phone calls claiming to be from banks, internet providers or any other entity requesting passwords, usernames or money for any service. If necessary, contact the site or service through an established contact method and not through any links or numbers provided within the communication received.
In normal operations, companies may have processes and standards to permit remote working for their employees. These processes could include an approval process, a health and safety survey of the user’s proposed workspace, an evaluation of personal devices used for work, and other tests to ensure business continuity. All these can be opportunities for criminal social engineers to deceive your staff, pretending to be a creditor, debtor, a member of senior management or IT administration and sending emails attempting to obtain some form of payment or sensitive information from unsuspecting employees.
These operations may result in funds being transferred from your organisation to criminal-run accounts (invoice fraud) or passwords, bank details, and other credentials being passed to criminals pretending to be an associate or employee of an organisation.
You should be wary of business email compromise (BEC) and be very careful when receiving emails from vendors or clients notifying you of a change of bank account and requesting that payments be made into the new account. Always verify the change using previously established forms of communication. If in doubt, make a phone call to confirm the request (remember to use a phone number already existing in your system, rather than the one included in the email).
Another threat to your business could be Remote Access Trojans (RATs). Large numbers of staff working remotely create more opportunities for such attacks, as there are more existing vulnerabilities. Criminals may attempt to brute force VPN credentials so as to gain access to the company network; they could also attack home routers (that often aren’t very secure) or simply send a malicious email. Once a RAT is deployed on the victim’s machine, it gives the attacker unauthorised remote control over the device.
For a more detailed explanation, you can read our blog post on secure passwords, MFA and password managers. Here’s NCSC’s passwords advice:
You can use this website to see how much time it would take a computer to crack an easy password (try something like “password1234”) and how that time changes as your password becomes more and more complex (we think that 25 quintillion years is a pretty safe bet, considering that Earth has only up to 7.5 billion years left).
Hide home wireless network SSID name: This step will prevent your network name from being seen by those in proximity to your home router. It prevents your network from appearing on the “available networks” list. Your network could still be detected by using a WiFi scanning tool, but an opportunistic attacker is more likely to choose a non-hidden network.
Change your wireless network name: Internet Service Providers provide routers to customers with a default SSID name and password. Many manufacturers have their own particular naming convention. Revealing your network’s default name makes it easier for criminals to identify the make and model of your home router, which would allow them to determine if a vulnerability exists for that particular device. When renaming your router, never use a name that might give away the identity of your home or family.
Disable WPS (Wi-Fi Protected Setup): Even though found to have a vulnerability, this feature is still enabled by default on many routers. While meant to provide a simplified mechanism for setting up WiFi, the PIN authentication can be easily brute-forced.
Turn off Guest Networking: In certain circumstances home routers have a Guest access feature enabled by default, which obviates the need for a security key when accessing a WiFi network.
Choose Strong Security Protocol (“WPA2” or the newer “WPA3”) and make sure your password is hard to guess. Consider using a wired connection (Ethernet/RJ45 cable) to connect to your router if possible.
As remote working became our new reality, the use of video conferencing technologies such as Zoom, MS Teams or Google Hangouts has grown suddenly. Conference calls are by their nature not fully secure, as you are never entirely sure whom you are speaking to (particularly in bigger meetings). We recommend not discussing any confidential information over these means and suggest careful management of remote conferences (identity verification, PIN access).
Our top tips for secure video conferencing:
For more tips on how to keep your video calls productive and professional, download our guide to video calls and conferencing.
If you’re working on a work-issued device, make sure you use it to access your work systems and data only. Take extra care to protect the device from unauthorised access. Here are some tips from us and the NCSC:
You can download our guide for BYOD (Bring Your Own Device) for best practice for your private device being used for work purposes.
It is also worth noting that if you handle hard copies of documents and printouts, you should treat them as carefully as you would in an office environment. Don’t allow any non-staff to access them. Don’t put any confidential material in your recycling bin if you think it qualifies for an office shredder. It’s probably best if you avoid printing materials outside of the office altogether.
Ensure that all your staff read this, are aware of the potential threats and know how to stay secure while working from home. A silly mistake may cost you a lot of money and business continuity.
Let your employees know what to do in case they think their company data or device has been compromised – what’s your company policy for such a scenario?
Make sure you let your IT team (internal and external) know of any potential breach, as the faster they act, the better they can mitigate the risks and ensure the safety of your business. You can report a cybercrime to the National Cyber Security Centre by following this link.
And if you’re an existing Dial A Geek customer, do all your employees know that they can call or email us as always?
Dial A Geek on 0117 369 4335
Open a ticket by emailing [email protected]