Cyber security for remote workers: safe connections?

When our lifestyles and ways of working turned upside down within a few short weeks, the surge in new homeworkers had an inevitable consequence: criminals spotted new opportunities to profit at the expense of individuals and organisations who hadn’t fully adapted to the risks that homeworking brings.

Soon after the lockdown began, so too did attacks exploiting fears around coronavirus. These included: credential phishing; malicious attachments and links; business email compromise (BEC); fake landing pages; downloaders; spam about coronavirus purporting to be from the government or the NHS; and malware and ransomware attempts.

Business data is gold to cyber criminals and they clearly believe that the pandemic has weakened security over that gold.

So here is a four-point checklist for internal auditors to inform themselves and their organisations about the key controls that should be even more strictly managed if we’re to beat the criminals.


Manage your critical assets

Communication: Establish communication lines between homeworkers and managers and the IT helpdesk to identify unusual trends in tickets/calls.

Physical access: Criminals can use this situation as an opportunity to find gaps in physical security and access critical assets. Ensure that physical protections for critical assets are in place and active.

Remote access: Some employees may need remote access to certain critical data assets. Ensure that these assets have up-to-date access control lists (ACLs) and that security services are monitored.

Cloud computing: Keeping critical infrastructure in the cloud eases some of your organisation's technical responsibilities, but there are still key risks to watch, including:

Configuration management: Ensure that cloud configurations are up to date and secure.

Supplier management: Review your supplier's responsibilities for security over your data assets. These may be fewer than you think. Consider how you can quickly fill in gaps.


Manage network and connectivity security

Access controls: Ensure that all ACLs are up to date and secured. Make sure that practices such as the principle of least privilege (PoLP) are integrated into these lists. The idea of limiting access (“least privilege”) is simply to provide the minimum authorisations necessary to perform required functions.
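One way to run the access-control review described above, as an added example rather than anything from the original article: the role names, users, permission strings and the 90-day review window are constructed assumptions.

```python
from datetime import date

# Constructed sample data: hypothetical roles, users and permission names.
ROLE_NEEDS = {
    "finance": {"ledger:read", "ledger:write"},
    "helpdesk": {"tickets:read", "tickets:write"},
}
ACTIVE_STAFF = {"amira": "finance", "ben": "helpdesk"}
ACL = [
    {"user": "amira", "perm": "ledger:read", "reviewed": date(2020, 4, 20)},
    {"user": "amira", "perm": "ledger:write", "reviewed": date(2019, 11, 1)},
    {"user": "ben", "perm": "tickets:write", "reviewed": date(2020, 4, 20)},
    {"user": "ben", "perm": "ledger:read", "reviewed": date(2020, 4, 20)},
    {"user": "carl", "perm": "tickets:read", "reviewed": date(2020, 4, 20)},
]


def audit_acl(acl, staff, role_needs, today, max_age_days=90):
    """Return sorted (user, permission, reason) findings for an ACL review."""
    findings = []
    for entry in acl:
        user, perm = entry["user"], entry["perm"]
        role = staff.get(user)
        if role is None:
            # Account is not on the current staff list: the grant should go.
            findings.append((user, perm, "orphaned"))
            continue
        if perm not in role_needs.get(role, set()):
            # More access than the role's required functions need.
            findings.append((user, perm, "excess"))
        if (today - entry["reviewed"]).days > max_age_days:
            # Entry has not been re-approved recently: the list is out of date.
            findings.append((user, perm, "stale"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_acl(ACL, ACTIVE_STAFF, ROLE_NEEDS, date(2020, 5, 15)):
        print(*finding, sep="\t")
```

Each finding maps to an action for the ACL owner: revoke orphaned and excess grants, and re-approve or remove stale ones.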

Use a VPN: A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their laptops were directly connected to the private network. If your organisation is new to homeworking, it might not have a VPN. If so, IT should enable Wi-Fi Protected Access (WPA2/WPA3) encryption standards for communication. WPA defines how a router communicates with a device after an initial connection is established. After that, the communication is encrypted.

Multi-factor authentication: Many laptops are equipped with multi-factor authentication – often a fingerprint reader and/or facial recognition technology. If possible, enable this for homeworkers’ laptops. It adds an extra layer of security to password controls, because it’s based on something you know (your password) together with something unique that you have (your finger).

Employee guidance: Don’t underestimate softer controls – make sure remote employees are aware of the risks of homeworking and use home network security functions.


Manage your endpoint (device) security

Full hard-disk encryption: Ensure that this is enabled on all endpoints (where applicable) to prevent data loss from physical theft or loss.

Patch management: Ensure that the operating systems and applications on endpoints are up to date.

Virus and malware protection: Confirm that software is updated and enabled on all devices.

Policy reminders: Remind employees of acceptable use and data protection policies regarding enterprise assets and/or bring your own device (BYOD).


Manage business resilience

Emergency access: Implement emergency access protocols.

Resilience: Continually update business continuity and disaster response processes and procedures with lessons learnt.

Collaboration for productivity and security: Encourage staff to use collaboration tools to maintain or improve productivity. Many online meeting apps are available for free and some vendors have upgraded the service on free versions during the pandemic. These apps also help to boost morale and maintain security.

Covid-19 will pass, but natural disasters, political upheavals and other disrupters will emerge. The coronavirus has shown how many workers can work offsite and these lessons are valuable and may lead to more homeworking. However, good governance is vital to make this safe, and to ensure there is business continuity through unexpected disruptions, and a smooth return to normal service afterwards.

Stephen Watson MBCS CFIIA CISA is director of digital assurance at Watson Hepple Consulting.

This article was first published in May 2020.