As organisations adapt to the new normal, more of them are turning to remote working as a long-term basis for their daily operations. Businesses all over the world have begun to see the raft of benefits remote working offers, from the financial benefit of saving money on office space to the benefit of a happier workforce.
Over the last year, however, we have seen more and more stories of organisations being hit by cyber-attacks, with notable cases such as SolarWinds making the news. With many industries now opting for a largely remote workforce, the window for cyber-attacks is arguably wider now than it has ever been.
In response, many IT and security teams have adapted to mitigate the risks associated with a remote workforce. But is there more we can do beyond the technical measures and basic advice such as installing anti-virus software?
Educating employees
Last year, The National Cyber Security Awareness System in the US reported that COVID-19 scams were circulating throughout many organisations.
Despite the tongue-in-cheek remark about anti-virus software, it is still a pragmatic measure that every business should take. Unfortunately, anti-virus software cannot protect against employee negligence, which is why you must educate your colleagues on what to look out for.
Avoid clicking suspicious links, especially in e-mails from senders you do not recognise.
Increasingly, we hear about phishing e-mails and how they have led to the downfall of many organisations and their data. The goal of a phishing e-mail is to convince the recipient to click the links within it, usually in order to extract sensitive information such as login credentials. Thankfully, some of these e-mails do a poor job of impersonating the organisation or person and are easy to spot, like the example pictured below:
Source: https://www.thesslstore.com/
Unfortunately, there are other cases where it is difficult to tell the real deal from a scammer. This is where it can get tricky for a colleague, so here are a few tricks for telling apart even the most elaborate phishing e-mails:
- The e-mail is sent from a public domain (such as gmail.com or yahoo.com). This is an indicator of a scam e-mail that is sometimes overlooked: a genuine company will write from its own domain. As the user, you should always practise due diligence and check the sender's actual address, not just the display name. If the address is not shown automatically (as can be the case in e-mail clients such as Outlook), simply click on the sender's name to reveal it. Bear in mind that the From address itself can be forged, so a plausible-looking address is not proof of legitimacy on its own.
- The domain name is either misspelled or unknown. The more creative cyber-criminals will try to conceal who they are by disguising their address as a legitimate domain, for example by swapping, adding or dropping a single character. If you are unsure, double-check the business's real domain name before acting. If you have heard of the business before and the domain name is clearly misspelled, that is another red flag. This leads us to our next tip…
- The e-mail has poor grammar. Whilst even legitimate e-mails can contain the occasional mistake, it is worth paying closer attention to. Correspondence from an established organisation is usually proofread, so if you find an e-mail in your inbox that is riddled with grammatical errors, it is always best practice to double-check the sender.
- The e-mail creates a sense of urgency. This is a common tactic in phishing e-mails, but one worth mentioning. Many of these e-mails use threatening or urgent language, such as a deadline or the threat of account suspension, to pressure the end-user into handing over information before they have time to think.
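The indicators above can also be checked mechanically, which is what a mail gateway or a security team's triage script does. The following is an added example written for this article, not code from SQA Consulting: it parses a raw message with Python's standard `email` module and flags a public-domain sender, a lookalike or unknown domain, a display name that claims a known brand while the address does not match, and urgency language. It also adds two checks a reader cannot make by eye, a Reply-To that points somewhere other than the sender's domain and a DMARC failure recorded by the receiving mail server. The domain lists, the three sample messages and the `mail-verify.example` link are constructed for illustration; grammar quality (indicator three) is left to a human reader.

```python
"""Heuristic triage for the phishing indicators listed above.
Added example: not from the original article. Domain lists, header
fields and the three sample messages are constructed for illustration."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Free-mail providers: a "company" writing from one of these is a red flag.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Assumed allow-list of domains this organisation genuinely deals with.
KNOWN_DOMAINS = {"sqa-consulting.com", "microsoft.com", "paypal.com"}
URGENCY = re.compile(
    r"urgent|immediately|within 24 hours|suspend|verify your account|act now", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a known domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess(raw: bytes) -> dict:
    """Return the sender address and the list of indicators that fired."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, sender = parseaddr(str(msg["From"] or ""))
    domain = domain_of(sender)
    part = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (part.get_content() if part else "")
    flags = []

    # Indicator 1: sent from a public / free-mail domain.
    if domain in PUBLIC_DOMAINS:
        flags.append("public-domain sender")
    # Indicator 2: misspelled (lookalike) or simply unknown domain.
    elif domain not in KNOWN_DOMAINS:
        near = [k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2]
        flags.append(f"lookalike of {near[0]}" if near else "unknown domain")
    # Display name drops a known brand while the address domain does not match.
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in display.lower() and domain != known:
            flags.append(f"display name claims {brand}, address is {domain}")
    # Indicator 4: urgency / threat language in subject or body.
    if URGENCY.search(text):
        flags.append("urgency language")
    # Checks a mail gateway can make that a reader cannot see by eye:
    reply_domain = domain_of(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_domain and reply_domain != domain:
        flags.append("reply-to domain differs from sender")
    if re.search(r"\bdmarc=fail\b", str(msg["Authentication-Results"] or "")):
        flags.append("DMARC failure")
    return {"sender": sender, "flags": flags}


# Constructed sample messages (not real mail).
SAMPLES = {
    "helpdesk": (
        b"From: Microsoft Support <it-helpdesk@gmail.com>\r\n"
        b"Reply-To: recovery-desk@example.net\r\n"
        b"Subject: URGENT: mailbox quota exceeded\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"Your mailbox will be suspended within 24 hours. Sign in at "
        b"http://mail-verify.example/ to keep access.\r\n"),
    "paypal": (
        b"From: PayPal <service@paypa1.com>\r\n"
        b"Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=fail\r\n"
        b"Subject: Verify your account\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"Unusual activity detected. Please verify your account immediately.\r\n"),
    "legit": (
        b"From: HR Team <hr@sqa-consulting.com>\r\n"
        b"Subject: Team meeting agenda\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
        b"Agenda for Thursday's meeting is attached. Thanks.\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = assess(raw)
        print(f"{name:8} {result['sender']:28} {result['flags'] or ['no indicators']}")
```

Run as a script, the two phishing samples each raise four flags and the genuine HR message raises none. The lookalike test deliberately uses an edit-distance threshold of two so that a one-character swap such as `paypa1.com` is caught; a real deployment would also compare against the organisation's own suppliers and customers, which is why `KNOWN_DOMAINS` is the piece you would tailor first.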
Keeping up-to-date with acceptable use policies for employees
An acceptable use policy (AUP) sets out the boundaries and best practices an employee must agree to, by signing, before using the company network and any relevant equipment.
AUPs were in use at many organisations before the COVID-19 pandemic; however, with the shift to remote working, your organisation's AUP must also cover acceptable use of company devices from home. This way you are drawing a clear line in the sand as to what is acceptable for your members of staff.
One example of an AUP requirement could be that employees working from home must use a VM (virtual machine) to access the company network. Such a policy minimises the risk from a cyber-threat should the employee be using a personal device, by keeping company access separate from everything else on that device.
Should employees use their own devices or company-issued devices?
As discussed, your AUP needs to establish requirements for employees using company-issued devices that suit your company's needs. But how should an AUP cover personal devices?
Unfortunately, there is no straightforward answer, and our own recommendation is that only company-issued devices should be used by members of staff when working from home.
If you are adopting a BYOD (bring your own device) approach, there are additional risks you need to consider:
- Higher risk of data loss. This can be user-initiated, through copying or backing up company data to multiple personal devices.
- Exposure of the company network to additional threats, because the personal device is also used for personal purposes.
- Greater IT support requirements, as there is a higher likelihood that personal devices are out-of-date or unsupported.
Enabling 2FA (two-factor authentication)
As an organisation making the move from the office to home, you should consider securing remote access with more than just a VPN or VM.
Two-factor authentication is a security measure that adds a second check on top of your username and password. It is especially important now for remote users who access the company network, as it serves as a second layer of protection for your data.
Beyond that, there are other benefits to using 2FA in your company. Even if you have a highly complex password, cyber-criminals can find a way to obtain it, whether through brute-force attacks or phishing e-mails like those discussed previously. Simply put, if a hacker obtains your password but you have 2FA enabled, the likelihood of the hacker gaining access to your information is greatly reduced.
There are now multiple ways to set up 2FA to suit your organisation.
Which is the best?
- SMS. This is considered the least secure form of 2FA. Codes sent as text messages can be redirected to an attacker through SIM-swapping (convincing the mobile carrier to move your number onto their SIM), and if your phone is stolen the thief may be able to read the codes straight off the lock screen.
- Biometrics. Whilst fingerprints sound more secure and more 'futuristic', a fingerprint reader can be bypassed by a criminal who is physically with you and holds your finger to the sensor, and unlike a password a fingerprint cannot be changed once it has been compromised.
- Authenticator apps. These are a much more popular choice amongst security experts, as the codes are generated on the device itself from a shared secret and the current time, so this method is not vulnerable to SIM-swapping attacks. You can install authenticator apps on more than one device and they do not rely on a mobile signal. Note that a code can still be phished: if a user types it into a fake login page, the attacker can forward it to the real site within the short window in which it remains valid.
- Hardware keys. Considered the most secure form of 2FA, as the key is one of the most difficult factors for a third party to compromise and there is no code sent to you that could be intercepted or typed into a fake page. Keys that follow the FIDO/U2F standards bind each login to the website's genuine address, so a lookalike domain cannot trick them.
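To make the difference between the last two options concrete, here is an added example, not code from the article or from any authenticator vendor, that implements the TOTP algorithm (RFC 4226 and RFC 6238) that authenticator apps use, verified against the RFC's own published test secret and values, and then models a real-time phishing relay against it. Alongside it is a deliberately simplified stand-in for a FIDO hardware-key assertion: the device signs the server's challenge together with the origin the browser is actually connected to, so an assertion produced on a lookalike site fails at the real server. The HMAC used in that model replaces the real asymmetric signature, and the device key, challenge and `login.example.com` / `login.examp1e.com` origins are assumed values.

```python
"""Inside an authenticator-app code (RFC 4226/6238 TOTP), and a toy model of
why a hardware key resists phishing where TOTP does not. Added example, not
from the original article; the origin-binding part is a simplified stand-in
for FIDO/WebAuthn (HMAC replaces the real asymmetric signature)."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII). Real apps receive their secret as
# the base32 string inside the enrolment QR code.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). Nothing is sent over
    the air; any device holding `secret` and a clock derives the same code,
    which is why the app works offline and can be enrolled on two phones."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side
    to tolerate clock drift. compare_digest avoids a timing oracle."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), submitted)
        for k in range(-window, window + 1))


def relayed_totp_accepted(secret: bytes, capture_time: int, relay_delay: int) -> bool:
    """Real-time phishing relay: the victim types a genuine code into a fake
    login page at capture_time and the attacker forwards it relay_delay
    seconds later. The server cannot tell where the code was typed."""
    stolen_code = totp(secret, capture_time)
    return verify_totp(secret, stolen_code, capture_time + relay_delay)


def key_assertion(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Toy FIDO assertion: the key signs the server challenge together with
    the origin the browser is actually talking to. The user cannot alter that
    origin, and a phishing page cannot ask the browser for any other."""
    return hmac.new(device_key, challenge + b"|" + browser_origin.encode(),
                    hashlib.sha256).digest()


def server_accepts_assertion(device_key: bytes, challenge: bytes,
                             expected_origin: str, assertion: bytes) -> bool:
    """The relying party verifies over its own origin, so an assertion
    produced on a lookalike site never matches."""
    expected = key_assertion(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


if __name__ == "__main__":
    print("TOTP at T=59 (RFC vector 94287082):", totp(RFC_SECRET, 59, digits=8))
    print("relayed code accepted 10 s later:", relayed_totp_accepted(RFC_SECRET, 1_000_000, 10))
    key, challenge = b"device-key-stand-in", b"server-nonce-42"   # assumed values
    real, fake = "https://login.example.com", "https://login.examp1e.com"
    print("genuine origin accepted:",
          server_accepts_assertion(key, challenge, real, key_assertion(key, challenge, real)))
    print("phishing origin accepted:",
          server_accepts_assertion(key, challenge, real, key_assertion(key, challenge, fake)))
```

The two halves show the trade-off the list above describes. A TOTP code is just a six-digit function of a shared secret and the clock, so it needs no mobile signal and survives a SIM-swap, but whoever holds the code for the next thirty seconds can use it, which is exactly what a relay phishing kit exploits. The hardware-key model fails closed on a lookalike origin without the user having to notice anything, which is the property that makes FIDO keys phishing-resistant.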
Whilst some 2FA solutions offer more security than others, it is up to you to decide which method suits your organisation best, and that can come down to several different factors. As we would say of any of the above advice, everybody is a potential target for cyber-attacks or data theft, but it is entirely within everyone's capability to minimise that risk.
SQA Consulting provides a host of different services within business transformation, cyber security, intelligent automation, and AML compliance.
Operating across the globe, in South-Eastern Europe, Spain, Ireland, the United States and the United Kingdom, we boast a large team of experts across our range of services who are on hand to assist with all your business requirements.
To find out more about our range of services, tel: +44 (0) 161 503 0533 or email info@sqa-consulting.com