Do we become an easier target by working from home using our personal devices?
by Krasimir Kotsev
There are two different aspects – our own security as a user and the risk we pose for our organization. The impact on the end user depends on the security awareness of the person. If we know and follow the basic cybersecurity principles, including passwords and strong authentication, incident response, awareness of phishing scams (emails, attached files, fake websites), awareness of secure data processing and storage, as well as password protection and encryption of confidential information, then the risk is relatively low.
On the other hand, if the person is an employee of a company who is required to work remotely, then they might pose a risk to the company.
In that case, it depends on how well the company has secured its information.
Let’s take a look at a few scenarios:
Scenario 1: The employee is using a personal laptop or a corporate one, but without security policies, an Active Directory with specific technical restrictions for the systems, encrypted communication, network traffic monitoring, a phishing prevention solution, malware protection, up-to-date software, network segmentation, etc. In that case, we consider the risk high.
Scenario 2: The company has in place some security measures. There is a VPN communication to the office environment, where the information is held in a secure and well segmented place in the network. Employees are using corporate laptops, part of the active directory with the appropriate security measures. Passwords for the VPN communication and other portals are not auto-saved. The risk here is medium due to the lower possibility for the user’s computer to get compromised and the low impact from potential attack, due to the system being disconnected from the VPN when not used. Of course, if you spot something strange, better get disconnected until you figure out if everything is fine.
Scenario 3: If all of the measures listed in Scenario 1 are in place, the risk for both the employee and the employer might be considered low.
If our system is well protected, our security can be considered equal to when we work in the office.
Can we expect an increase in any specific types of attacks?
Unfortunately, over the past few days a pandemic of phishing attacks has spread alongside the coronavirus one. Malicious hackers rely on the fact that everybody is opening all kinds of COVID-19 related information without looking at the email headers or at the legitimacy of the website. Panic is catching everybody unprepared. There is even a map showing infection rates around the world, but behind the map, malware is waiting to steal your passwords (www.Corona-Virus-MapDOTcom).
Many phishing emails promise the latest news on the topic but are aiming for your identity instead.
Which are the most critical points for the companies?
Every company has different critical information points, but in general those are:
- Spaces for file sharing (sharepoints, file transfer servers)
- Knowledge bases
- CRM Systems
- ERP Systems
- Payroll and HR Systems
- Financial and Accounting Software
- Databases with corporate and user data
- Email Servers
Each one of those points should be well isolated in the network and well protected by secure authentication methods (with Multi-Factor Authentication where possible), separate user groups with distinct access rights, encryption of the information, logging and more.
The more secure the system is, the lower the risk and the impact for the company.
What measures and technical solutions can an individual take, in order to improve the security? What should the company do?
The user can do a few simple but effective steps:
- Keep all passwords in a password management application (KeePass, Password Safe, Keeper, LastPass and more).
- Protect all sensitive information with encrypted storage (hard drive, portable hard drive, USB flash drive). This can be achieved with BitLocker, VeraCrypt/TrueCrypt and others.
- Carefully inspect the origin of emails and check that the domain in a hyperlink is correct before visiting the website.
- Be careful when opening attached files if you are not sure of the sender's legitimacy.
- Use second-factor authentication where possible.
- Lock the computer when not active.
- Improve your awareness by attending the "Security Awareness" trainings in the company, if such are present.
The company, on the other hand, should regularly assess the security of its assets and implement, at a minimum, all of the measures described in Scenario 1 above. It is the company's responsibility to make sure the employee is aware of the risks, knows how to process data in a secure way and knows what to do in case of an incident. It is the employee's responsibility to follow the procedures and policies of the company.
Shall we share confidential information and what is the best way to do it?
Working from home doesn’t mean that confidential information should not be shared.
I believe that the case with the coronavirus is providing us with the opportunity to get to know our families better. But it is also teaching us how to be modern and use the technologies of the current century. Nowadays, there are secure means for remote connection and communication over VPN, secure methods to transfer files over SFTP, remote control of the systems through Active Directory, DLP solutions to prevent data leakage and more. We can also use encrypted containers when data is to be transferred securely (VeraCrypt), and we can send encrypted emails using S/MIME, Office 365 Message Encryption and more. It is important for the password to be transferred over an alternative communication channel. Many companies might also realize that "working from home" is not so scary, and this could lead to optimization of working time, lower expenses in the long run, lower CO2 emissions, optimization of office space and more benefits.
By looking in the company structure, which is the riskiest group of employees?
Based on our experience, usually those are:
- Customer Support/Call Center staff – due to the high amount of people they communicate with, the large amount of emails transferred, frequent work with attached files and more.
- Sales Representatives – due to the frequent communication with clients and frequent emails.
- Finance and Accounting – due to the financial information they possess.
- Management – due to the confidential information they have on the systems. In CEO fraud, a malicious user spoofs a message so that it appears to come from upper management. In that case, employees are usually in a hurry to provide the requested information without realizing that there is a malicious hacker behind the email, or they leak their credentials by visiting a link in the email.
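As an added example (not part of the interview), the checks behind two pieces of advice above, inspecting the domain in a hyperlink before visiting it and recognising a CEO-fraud message whose display name imitates management, written in Python from a defender's side; the corporate domain, the executive list and the sample message are constructed assumptions:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the article): the display name
# imitates management, but the sender address, the Reply-To and the link
# all point outside the assumed corporate domain.
SAMPLE_MAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: finance-urgent@mail-relay.example
To: accounts@example-corp.com
Subject: Urgent wire transfer today

Please approve the attached invoice via our portal:
https://example-corp.com.login-verify.example/portal
"""

CORP_DOMAIN = "example-corp.com"   # assumed corporate domain
EXECUTIVES = {"jane doe"}          # assumed management names (lower-case)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude registrable domain: the last two labels of the host name."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_message(raw, corp_domain=CORP_DOMAIN, executives=EXECUTIVES):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    from_dom = addr.rpartition("@")[2].lower()
    # Strip a role in parentheses, e.g. "(CEO)", before matching the name.
    base_name = re.sub(r"\(.*?\)", "", name).strip().lower()
    if base_name in executives and from_dom != corp_domain:
        findings.append(f"display name '{name}' but sender domain {from_dom}")
    _, reply = parseaddr(msg["Reply-To"] or "")
    reply_dom = reply.rpartition("@")[2].lower()
    if reply and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        # The corporate name as a *prefix* of the host is not enough; only
        # the registrable part decides where the browser actually goes.
        if registrable(host) != corp_domain:
            findings.append(f"link host {host} is not under {corp_domain}")
    return findings
```

Running `check_message(SAMPLE_MAIL)` yields three findings (spoofed display name, mismatched Reply-To, lookalike link host); a message from the real domain with internal links yields none.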