The COVID-19 pandemic has forced new rules on all of us, and for many organisations whose employees are able to work from home, it means having to take a whole new look at their cybersecurity measures.
Even when employees are working in the office, it is challenging to deal with all the risks brought about by cyberthreats.
But with the widespread increase in the number of people working at home, cybercriminals have been quick to target them with ever more sophisticated scams.
In addition to all the other issues raised by the crisis, employers with home-based workers should all be asking “What should we be doing to secure our home-based workers?”.
In this short guide, we shed light on the IT and security tools and options you have at your disposal, as well as the measures you should definitely be taking.
The first point is to understand what cybercriminals are looking to do when targeting home workers. It may be one or all of the following:
1. Ransomware: by far the most common, enticing unsuspecting computer users with links in phishing emails which, when clicked, take them to a bogus website from where malware code then encrypts the machine and locks out the user.
2. Data theft: cybercriminals want data. This may include databases of personal details, credit card or bank account details, passwords, or even intellectual property.
3. Bot infection: the aim here is to ‘enslave’ target computers, making them part of a botnet. Microsoft warns that the Trickbot botnet has infected over 1 million computer devices, providing criminals with a ready-made ‘delivery network’ for their malware.
Homeworkers are at far greater risk of targeted attacks during the COVID-19 crisis.
Businesses need to be aware of this and ensure their employees:
- Are part of a planned strategy and approach to home-based secure working
- Can set up their home-environment for secure working
- Are using up-to-date software on their laptops and other devices
- Have endpoint security software installed on their devices
- Are using secure access methods such as 2-factor authentication and strong passwords to access cloud-based systems and networks
- Have back-up systems in place, including for email
- Are supported by remote monitoring and management systems
- Know about and are following policies, procedures and guidelines on security
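The checklist above can be run as an automated check over a device inventory. The sketch below is an added example, not part of the original guide or any vendor's product; the record field names, the sample inventory and the age thresholds are assumptions made for illustration. It treats any missing or unreadable field as a failure, so a device that does not report its status is never counted as secure.

```python
from datetime import date

# Thresholds are assumptions chosen for this example; the guide gives no numbers.
MAX_PATCH_AGE_DAYS = 14
MAX_BACKUP_AGE_DAYS = 1

# Constructed sample inventory, e.g. as exported from a remote monitoring tool.
INVENTORY = [
    {"user": "alice", "last_patched": "2020-11-28", "endpoint_agent": True,
     "mfa_enabled": True, "last_backup": "2020-11-30", "router_default_pw": False},
    {"user": "bob", "last_patched": "2020-09-02", "endpoint_agent": True,
     "mfa_enabled": False, "last_backup": "2020-11-30", "router_default_pw": False},
    # carol's record lacks several fields: unknown must count as a failure.
    {"user": "carol", "last_patched": "2020-11-25", "endpoint_agent": True},
]

def _age_days(record, field, today):
    """Days since an ISO date field, or None when missing or malformed."""
    try:
        return (today - date.fromisoformat(record[field])).days
    except (KeyError, TypeError, ValueError):
        return None

def failed_checks(record, today):
    """Return the checklist items this device fails (fail closed on gaps)."""
    failures = []
    patch_age = _age_days(record, "last_patched", today)
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        failures.append("software not up to date")
    if record.get("endpoint_agent") is not True:
        failures.append("no endpoint security agent")
    if record.get("mfa_enabled") is not True:
        failures.append("no multi-factor authentication")
    backup_age = _age_days(record, "last_backup", today)
    if backup_age is None or backup_age > MAX_BACKUP_AGE_DAYS:
        failures.append("backup missing or stale")
    if record.get("router_default_pw") is not False:
        failures.append("router password not confirmed changed")
    return failures

def audit(inventory, today):
    """Map each user to their failed checks, omitting compliant devices."""
    results = ((r.get("user", "<unknown>"), failed_checks(r, today)) for r in inventory)
    return {user: failures for user, failures in results if failures}

if __name__ == "__main__":
    for user, failures in audit(INVENTORY, date(2020, 12, 1)).items():
        print(f"{user}: {', '.join(failures)}")
```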
1. Cybersecurity planning
In the early part of 2020, it wasn’t possible for employers to do much planning. As a result, many organisations had to act quickly to put whatever measures they could in place.
Naturally, to begin with, there was more emphasis on enabling employees than securing them, and knowledge of this led to a massive increase in cyberattacks targeted at home workers. Proper planning enables a balanced approach, based around enabling the employee to be as productive as possible whilst also maximising security measures.
Part of planning is setting priorities: do your teams need to collaborate on projects? How will they communicate with each other, clients or suppliers? How will their endpoint devices (normally laptops, but other devices including smartphones and desktops) be secured?
2. Securing home equipment for secure working
If they have not done it already, home-based employees should be asked to – or shown how to – reset their Wi-Fi router password.
Most routers come with very simple and commonly used default passwords, making it easy for unwanted individuals to hop on to the Wi-Fi – and potentially then access computers using ‘sniffing’ techniques. Not every employee will have changed this default password.
At the same time, employees should be asked to lock computers when not using them (in case of break-in and theft), and to avoid storing data on portable media such as USB sticks.
3. Enabling and forcing software updates
Software updates or ‘patches’ are critically important in the fight against cybercrime.
Your home-based workers should be instructed to allow software updates to run on their computers, even though for some this may slow down the computer’s operation occasionally. You may also wish to ask for computers to be left turned on so that software updates can either be pushed to them overnight, or automatic updates can run out of work hours.
4. Implementing endpoint security measures
Endpoints are the computers and other devices – including servers and smartphones – connected to your network which potentially face the most threats.
They represent a security risk because they interface with the internet. Solutions such as Fortify’s endpoint protection provide a complete suite of applications that detect, prevent and remediate online threats targeted at these devices.
They do this by monitoring all endpoints on a network in real time.
Other endpoint security measures that should be put in place include antispam software that can operate both in the cloud and at the individual computer level. See our Endpoint Security article for more on this. DNS protection is also important in ensuring that any outgoing web requests from your home-based worker’s computer go only to legitimate websites.
5. Secure cloud-based productivity and collaboration applications
Microsoft 365 comes with secure online storage called OneDrive, but also integrates with 3rd party cloud storage solutions such as Dropbox.
6. Fully managed cloud-based backup
In case the worst happens and one or more home workers' computers are compromised, for instance by a malware attack, it is important that the data from each affected person's profile can be recovered and restored.
The easier and faster it is to do this, the less damaging downtime there will be.
Automated backups of data including email backups are therefore important. Fully managed cloud-based multi-storage backup solutions are available for as little as £15.00 per server per month for backup software licensing and management.
7. Secure passwords, and password management
A survey for CPO Magazine found that the number of unique logins required by employees for daily use ranged from 25 in larger organisations with over 1000 users, to 85 at the smallest companies.
Clearly very few people can remember this many passwords, and in many cases the solution employees choose is to write them down or use just one or two passwords for everything.
For access to critical software and systems, organisations should use a strong password management tool such as LastPass, implement password refresh routines regularly and also consider using secure access technology such as multi-factor authentication.
8. Remote monitoring and management
For organisations with larger numbers of remote home-based workers, it may be advantageous to implement a remote monitoring solution that is constantly on the lookout for emerging threats, spotting and acting on intrusions and attacks in real time.
Typically remote monitoring solutions operate from a centralised Network Operations Centre, and include human cybersecurity expertise as well as automated endpoint and network security monitoring, threat detection, response, remediation and rollback.
Remote monitoring systems can even take systems offline and shut down user accounts when a cyberthreat is identified, before implementing a fix and, if necessary, rolling systems back to a previous state.
9. Security awareness
Arming employees with the tools they need to be alert and on the look out for the endless stream of cyberthreats is an important link in the chain of defence.
Employees need to know that they should be vigilant to these threats, and be educated as to how they look and can be delivered.
Security awareness training can show home-based workers what phishing emails look like, as well as demonstrating what the consequences of clicking on a rogue link could be.
As we wrote in a recent security awareness training blog “It only needs a 0.000001 success rate to 1 million emails sent for a hacker to gain access to password credentials, infiltrate into a network and locate and steal personal or financial data.”
The COVID-19 pandemic and its ensuing lockdowns are proving to be a testing and very trying time for all home-based workers.
Some suffer badly from cabin fever, or don’t have the ideal surroundings or environment for home-based working, and so have little choice other than to ‘make the best’ of working in a bedroom or at the kitchen table.
With the number of cases of mental illness on the increase, it may be of help for home-based employees to know that their organisations are doing whatever is necessary to help them be secure.
Put another way, organisations that are failing to alleviate the burden of security responsibility from the shoulders of already pressured home-based employees may be doing themselves and their employees a big disservice.
Use collaboration tools such as Microsoft Teams to foster regular communication, face to face online meetings and group chats.
Encouraging teams to interact in this way, keeping up conversations and discussions and fostering virtual interaction can go a long way in helping to ease personal stresses of home-based workers that may be facing difficulties in other areas.
Contact Alliance Solutions to discuss any aspect of enabling home-based workers with productivity, communications and collaboration tools.
We offer a wide range of solutions – as well as VPN phone networks and handsets to enable telephony regardless of location.