Sign up to receive updates for the latest tech thought leadership insights, videos, and podcasts.
Uplifting and inspiring stories of human kindness have gained far more traction in major publications recently. Owing, no doubt, to the otherwise persistently macabre reports concerning COVID-19, the news media have diversified their offerings and more optimistic narratives have become more commonplace. Sadly, though, the webpages of the industry publications I frequent have also already begun to circulate reports exemplifying how there will always be those from society’s darkest recesses that look to exploit such tragedies for personal gain.
Within days of the outbreak gaining a foothold in Europe, reports of cyber criminals and the ways in which they were leveraging fear and uncertainty served as a prominent reminder of how merciless such individuals are. Cyber crime has increased following spates of new infections and fear that cyber criminals could target healthcare providers during this pandemic are prominent. So much so that several hundred cyber security experts have convened from competing companies to prevent such an occurrence.1
Just as they will exploit individual’s worries and the distractions present within hospitals and clinics, felons operating within the digital sphere are certain to target organisations left vulnerable by the crisis. In particular, the practice of home working, now essential within so many companies, is one that such actors can manipulate – but there are ways organisations can protect themselves. Here they are:
Whilst it may be regularly assumed that the cyber criminal finds technical deficiencies in defences and uses these to access confidential information, install malware, etc. 80% of cyber security incidents are attributable to mistakes made by employees.2 Make staff aware of how these nefarious individuals operate and you’ll close resultant loopholes. Go one step further and teach employees how they can counter cyber crime, and you’ll transform security liabilities into assets.
Online programmes are widely available, but I’d advocate a more personable and involving approach. Find examples of phishing emails and distribute screenshots of them along with notes highlighting telltale signs such as misspellings, bizarre email addresses being used by senders, unusual URLs, etc. Then, send out a mocked-up version of malicious correspondence and request that recipients locate evidence that the communication is not official. Splitting various recipients into teams can result in this exercise fulfilling multiple functions simultaneously. It will serve as a means of both improving morale and encouraging employees to use collaboration software as well as educating them on their cyber security responsibilities.
Developing and distributing documentation that provides succinct overviews of other cyber security measures is also advisable. This should also state that users should not click on links in emails, as well as forward any correspondence they believe to be malicious to their administrator if no such policies are already in place. In the event that they are concerned that a piece of communication requires some form of action, they should refrain from clicking on links within the email or using the contact details featured within it and, instead, visit the relevant organisation’s website directly.
Whilst it would be reasonable to state that this rule should be placed in the section above, it’s almost certain that revised working practices will see cyber criminals target consumer Wi-Fi networks. As a result, it’s imperative that employees know how they can secure their personal networks – and why I’ve elected to dedicate a portion of this article to it exclusively.
I’d strongly advocate IT administrators create a document that outlines the key steps that individuals will need to take in order to secure the networks they’ll be using whilst working from home. This should make it abundantly clear that changing the name of their network is of the utmost importance. It may seem unimportant but, as the manufacturer/ISP's name is typically included in a Wi-Fi network’s default name, this provides criminals with vital information that they can exploit. The network’s password should also be alphanumeric and, preferably, include some symbols, too.
Advising employees to locate their router near to the centre rather than near the peripheries of their homes is also something I’d recommend. It means that the signal will not carry too far outside of the property and will also ensure better signal within it, resulting in improved productivity.
Finally, the guide should make it clear that WPA, WPA2 or WPA3 encryption must be enabled.
Your employees are likely to feel safe at home. In all likelihood, they have every reason to; most of us live with people that we love and trust, after all. Nevertheless, it’s worth reminding them that their home environments are likely to contain threats they simply wouldn’t encounter in the workplace, particularly if they are now working from more communal locations such as shared housing or buildings. Many employees will also be sharing updates on their experiences of working from home, often including images on social media.
I appreciate that this may sound over-cautious but employees need to be aware of what people nearby may be able to hear, what they can see on their devices and anything that may be present in any media they share that could compromise their or their employer’s security. The solutions, fortunately, are straightforward: close doors, lock devices that aren’t in use and try not to include devices like laptops, routers, etc. in any material shared to online platforms.
Cyber criminals frequently find flaws in operating systems and applications that they can leverage to their advantage. So regularly do they find loopholes generated by software that large companies such as Microsoft typically release several patches per month; in November of last year, they unveiled 74 simultaneously.3 Unpatched resources generate considerable risks, too: 18% of network vulnerabilities can be traced back to apps that haven’t been updated and 20% of the vulnerabilities attributable to a lack of patching are typically deemed to be high-risk.4
With the majority of devices attached to organisations’ networks now decentralised, managing patches across them all is likely to seem, at best, daunting and, at worst, impossible. Fortunately, mobile device management tools make such a task eminently achievable. By adding new devices to such apparatus, they can be directed from single consoles, with updates pushed remotely.
It’s worth noting that patching is typically used to solve other issues that affect application performance so pushing updates will also allow a remote workforce to work as efficiently as possible.
Remotely accessing a network involves the exchange of data packets. Whenever such exchanges take place, criminals can hijack them and, in the process, obtain potentially sensitive information. Encouraging users to harness a Virtual Private Network (VPN) will result in these packets being encrypted and obfuscated. In the event that any is intercepted during transmission, any party that receives the data will find that it is unreadable and cannot be leveraged or sold meaning that an afflicted organisations’ finances and hard-earned reputations will remain intact.
The use of a VPN is absolutely essential for maintaining security, but it’s also vital that implementation is handled correctly. All remote users should be assigned the right permissions and appropriate authentication methodologies should be put in place. Also, consider the potential ramifications of a user operating a VPN connection from a home device with inadequate protection and multiple local user accounts. Remember that there is a need to compromise between security and productivity, too. If they’re over-zealous, admins can throttle connections and generate considerable latency so I’d advise against over-optimising a VPN and, instead, teaming one with an educated workforce.
Finally, it’s important that organisations consider their needs before selecting a provider. Those with employees working across more diversified locations will, for example, need to ensure their provider has servers based in relevant countries to deliver sufficient connection speeds. Other businesses will need logging to be enabled and for records to be auditable. Some will need to retain control of their encryption keys. Choosing the right options is dependent upon careful planning and, whilst circumstances dictate the need for a decision to be made as quickly as possible, determining the right VPN is still worthy of a few hours research.
Advising employees to observe best practices concerning their credentials is vital, but even the most vigilant individual’s concentration can lapse. This is particularly true when people who have never done so previously find themselves working from home where distractions that one would never find in the office become inescapable. Just as using a VPN and keeping things up-to-date add extra layers of protection to a cyber security strategy largely reliant on informed and proactive employees, enabling multi-factor authentication prevents revealed credentials from causing severe or fatal issues.
Whilst a seemingly straightforward, some might even argue unsophisticated, cyber security measure, adding a further step to authentication protocols will, according to research by Microsoft, prevent 99.9% of account takeover attacks from succeeding.5
I know from personal experience that many key decision-makers within the world of business will view cyber security as non-essential. A recent survey may have shown that 79% now believe that cyber crime is one of their five biggest organisational concerns, but fewer than half (47%) of the organisations that took part were insured for cyber crime.6 Even I, though, as an individual that has seen how devastating the actions of digital felons can be with alarming regularity, cannot bring myself to criticise any business owner or stakeholder that has not considered the changes they will need to implement to secure infrastructure in the current climate.
Now, attentions are focused on cash flow and shoring financial reserves; on keeping organisations afloat whilst navigating through uncharted seas littered with flotsam; on keeping people employed and livelihoods maintained. Such responsibility is greater than most could bear – why would cyber security be at the forefront of anyone’s mind under such circumstances?
Whilst I accept that any criticism levelled in these circumstances would be unwarranted, however, I cannot, in all good consciousness, refrain from informing them of the severity of the situation. The threat of cyber crime is in no way lesser as a result of current events. Rather, it is more pronounced.
Fail to secure infrastructure in these changing times and even the most herculean of efforts will amount to little. Longevity will always be outside of the grasp of organisations that fail to give the threat of cyber crime the credence it deserves. Today, they will be unlikely to survive the next quarter.