Viruses do not just infect organic lifeforms such as humans. They, and other types of malware, can also affect our digital lives. While the world faces a public health emergency that leaves organisations with little choice but to introduce or scale up homeworking arrangements at short notice, opportunist cyber criminals are exploiting the crisis by increasingly using the coronavirus (COVID-19) as an attack vector.
So how should organisations stay secure at this time of increased homeworking? The Information Commissioner, in her recent statement, was keen to emphasise that data protection does not prevent staff working from home, either more frequently or using their own equipment, but that “organisations need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.”
Of course, ‘considering’ does not necessarily equate to ‘implementing’. But we know that the GDPR requires organisations to take a risk-based approach when it comes to working out what ‘appropriate security’ means – including when homeworking (for more on the implications of COVID-19 on data protection compliance, see here). With that in mind, we have highlighted below some risk areas currently heightened by the pandemic, along with some practical recommendations which build on guidance recently issued by the UK’s National Cyber Security Centre (NCSC).
Over the last couple of months, phishing attacks have, like the pandemic, spread to such an extent that a recent threat report issued by the NCSC (and a subsequent note for the public) focused specifically on the topic, warning of a surge in the number of phishing emails using COVID-19 as bait. These phishing emails aim to steal money or other sensitive information. Some do so by harvesting credentials or other personal data, typically through a fake login page; others are laden with malware.
Widely reported examples involve reputable entities such as the World Health Organization or the US Centers for Disease Control and Prevention being mimicked by phishers. Emails purportedly from those organisations offer safety advice but instead infect a user’s device with keylogging software or direct them to a fake Microsoft login page where they are encouraged to enter their email address and password. In each case the sender’s display name borrows the organisation’s name while the actual sending address and any links point elsewhere.
In another example among many, an email purporting to be from HMRC offers tax refunds as part of the government’s action plan but clicking on ‘Access your funds now’ takes a user to a fake government webpage where they are encouraged to input all their financial and tax information. With the recent announcement of the Chancellor’s package of measures to support business, variations on this theme should be expected.
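The lures described above share a recognisable shape: a trusted display name, a sending domain that does not belong to that organisation, a COVID-19 hook, and a link to a credential-harvesting or "refund" page on an unrelated domain. The following Python script is an added example of how a mail gateway or helpdesk might triage such messages; it is not part of the original post or of any NCSC or Lewis Silkin tooling. The three sample messages, the table of impersonated organisations and their legitimate domains, the keyword lists and the scoring weights are all constructed for this example and would need tuning before use.

```python
"""Triage of COVID-19 themed phishing emails (added example, not from the original post).

Models the lures the post describes: a 'World Health Organization' message sent
from an unrelated domain that links to a fake Microsoft login, and an 'HMRC'
refund message linking to a non-gov.uk page. A genuine WHO message is included
to show that a matching sender domain and on-domain links are not flagged.
All sample data below is constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Organisations whose names are borrowed by the lures, mapped to the domains
# they genuinely send from (assumed values for this example).
IMPERSONATED = {
    "world health organization": {"who.int"},
    "world health organisation": {"who.int"},
    "centers for disease control": {"cdc.gov"},
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

COVID_TERMS = ("covid", "coronavirus", "pandemic")
URGENCY_TERMS = ("immediately", "within 24 hours", "access your funds now", "account will be")
CRED_TERMS = ("password", "sign in", "login", "log in", "bank details", "tax information")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def sender_domain(addr):
    """Domain part of an address, lower-cased ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def under(host, domain):
    """True if host is domain itself or a subdomain of it (no lookalikes)."""
    return host == domain or host.endswith("." + domain)


def claimed_org(display_name):
    """Which watch-listed organisation, if any, the display name claims to be."""
    name = display_name.lower()
    for org in IMPERSONATED:
        if org in name:
            return org
    return None


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Score one raw RFC 822 message and return findings plus a verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    org = claimed_org(display)
    text = body_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    findings, score = [], 0

    # Display name claims an organisation but the sending domain is not theirs.
    if org and not any(under(domain, d) for d in IMPERSONATED[org]):
        findings.append("display_name_mismatch:" + org)
        score += 3

    for label, terms in (("covid_lure", COVID_TERMS), ("urgency", URGENCY_TERMS),
                         ("credential_request", CRED_TERMS)):
        if any(t in haystack for t in terms):
            findings.append(label)
            score += 1

    # Links that point away from every domain the claimed (or actual) sender uses.
    trusted = IMPERSONATED[org] if org else {domain}
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        tag = "link_offdomain:" + host
        if host and tag not in findings and not any(under(host, d) for d in trusted):
            findings.append(tag)
            score += 2

    verdict = "phishing_suspected" if score >= 4 else "review" if score >= 2 else "no_action"
    return {"sender": addr, "claimed_org": org, "findings": findings,
            "score": score, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_WHO_SPOOF = """\
From: "World Health Organization" <safety@who-int-alerts.com>
To: staff@example.com
Subject: COVID-19 safety measures

Please review the attached coronavirus safety measures and sign in at
https://login-microsoft.example-cdn.net/owa to confirm your password.
"""

SAMPLE_HMRC_SPOOF = """\
From: "HMRC" <refunds@hmrc-covid-support.co>
To: staff@example.com
Subject: Tax refund - government COVID-19 action plan

You are eligible for a refund. Access your funds now at
https://hmrc-refund-portal.co/claim and enter your bank details to be paid.
"""

SAMPLE_WHO_LEGIT = """\
From: "World Health Organization" <newsroom@who.int>
To: staff@example.com
Subject: COVID-19 situation report

Today's situation report is available at
https://www.who.int/emergencies/diseases/novel-coronavirus-2019 for your information.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_WHO_SPOOF, SAMPLE_HMRC_SPOOF, SAMPLE_WHO_LEGIT):
        print(triage(raw))
```

The display-name check deliberately uses suffix matching on the real domain rather than substring matching, so `who-int-alerts.com` is treated as unrelated to `who.int` while `www.who.int` is accepted. Keyword scoring on its own would flag the genuine WHO situation report too; it is the sender/link mismatch that separates the spoof from the real thing, which is why it carries most of the weight.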
NCSC recommendations on secure homeworking
But it is not just about phishing. Increased homeworking may put some companies at higher risk of cyberattack, given that home networks, which are largely unmonitored and often insecure, have fewer protections in place than corporate ones.
So last week the NCSC published guidance for UK companies which flagged the increased threat of phishing and addressed how to manage the cyber security challenges of working from home. Here is a summary of its recommended steps for organisations:
- Preparing for homeworking – the NCSC makes these general recommendations to support secure remote working:
- Produce written guides to help remote users who may need to use different software, or familiar software in different ways from those used in the office – many (especially those new to homeworking) may find the experience daunting; and test that the software works as described.
- Make sure devices encrypt data at rest, and that encryption is turned on and properly configured given that staff are more likely to lose or have their devices stolen when out of the office.
- Although most devices include tools which can be used remotely to lock access, erase data or retrieve backups, consider using mobile device management software to set up devices with a standard configuration.
- Make sure staff know how to report any problems and security issues.
- Have your staff work through the NCSC’s ‘Top Tips For Staff’ e-learning package.
- Helping staff to look after devices – make sure staff understand:
- The risks of leaving devices unattended – whether they are using their own or the organisation’s – and that they keep them somewhere safe when not being used.
- How to report a lost or stolen device and that they are encouraged to report any losses (in a positive, blame free manner) as soon as possible.
- The importance of keeping software and devices up to date, and know how to do this.
- Reducing the risk from removable media – since USB drives can contain lots of sensitive information, are easily misplaced and can introduce malware, reduce the risk by disabling removable media, using antivirus tools, only allowing products supplied by the organisation to be used and encrypting the data. The NCSC also recommends asking staff to transfer files using alternative means such as by using corporate storage or collaboration tools.
- Using personal rather than work devices – where staff are using their own devices to work remotely, organisations should refer to the NCSC’s Bring Your Own Device (BYOD) guidance.
- Setting up new accounts and access – where new accounts or access rights are created so that staff can work from home, require strong passwords. The NCSC also strongly recommends enabling two-factor authentication wherever it is available.
- Controlling access to corporate systems – if you are already using a virtual private network, make sure it is fully patched and that you have sufficient additional licences, capacity or bandwidth.
What should I do now?
Since people are so often the weakest link in an organisation’s security posture, it is no surprise that many of the NCSC recommendations focus on them. Finding vulnerabilities in people, rather than software, takes moments not months. At a time when people are fearful for the safety of loved ones, having to manage new ways of working and deal with additional distractions, and anxious about job security (and therefore more willing to comply with requests), they are especially vulnerable to social engineering attacks such as phishing.
Being off-site can also result in people being more inclined to work around relevant policies, using ‘shadow IT’ such as personal email accounts, unapproved file sharing or collaboration applications. IT helpdesks might also be pressurised to relax restrictions and, in so doing, remove previously effective controls. It is therefore more important than ever to ensure that everyone knows what is expected of them. With that in mind, here are some suggested next steps to help increase resilience during this pandemic:
- Treat with caution all COVID-19 themed emails and attachments, and make sure that all your people understand the need for caution, as well as how to report suspected phishing attempts. Consider running an awareness-building campaign specifically on COVID-19 phishing at an appropriate juncture, taking into account the NCSC’s guide to spotting and dealing with phishing emails.
- User education and maintaining awareness is key. Perhaps encourage your people to spend the 30 minutes or so needed to work through the NCSC’s ‘Top Tips For Staff’ e-learning package. It is designed for a non-technical audience and covers key areas such as defending yourself against phishing, using strong passwords, securing your devices and reporting incidents (‘if in doubt, call it out’). Note that its key messages are summarised in an infographic produced by the NCSC which you might want to integrate as part of any awareness building campaign.
- If you have not already, assess the risks associated with mobile working and remote access and then create a policy which determines matters such as authorisation processes for off-site working, device provisioning and support, the type of information or services which can be accessed or stored on devices and the minimum procedural security controls. Keep in mind that the policy might overlap with others such as those on information security or BYOD (which should hopefully have been crafted with one eye on the ICO’s outdated but still very relevant BYOD guidance). If you already have a relevant policy, revisit it to ensure that it is appropriate for the current circumstances, and then communicate any updates to your people.
- Train users on the relevant policy, so that they understand matters such as the procedures for securely storing and managing their credentials, reporting incidents, and awareness of their surroundings (for example the risk of being overlooked or overheard). Face-to-face training is generally recognised as being better for conveying responsibility, so consider whether you can use video conferencing for that purpose.
- Review your incident response plan and make sure that it is appropriate for the range of security incidents which might occur, including lost or compromised devices. Scenario driven table top exercises, which involve incident response team members meeting (via video conference) to review and discuss the actions they would take in a particular emergency, can help validate plans and readiness.
This post originally appeared on the Lewis Silkin website and is reproduced with permission and thanks