Remote Working – How to Keep Staff Safe

Jun 29, 2021

The business landscape is drastically different from what it was a couple of years ago. When the COVID-19 pandemic began, none of us could have known the impact it would have. Cyber-related crime is at an all-time high due to a surge in staff working remotely, and businesses now face more challenges than ever.


As cybersecurity experts, we at JC Cyber Security feel it is our responsibility to ensure that businesses understand the advantages, disadvantages and risks regarding staff working remotely. If you are unsure about your organisation’s cybersecurity practices and would like some advice, feel free to speak to us today.


Top 5 Cyber Security Risks when Working Remotely


With the increase in employees having to work from home, there has been a rise in the number of vulnerabilities businesses face daily. This is because the policies and regulations your business has for working in-house are no longer applicable in many remote environments. One employee's set-up will differ from another's, as the applications, systems and software required may differ depending on their role and network connection.

1. Phishing


We have already discussed phishing a lot due to the Covid-19 pandemic. Phishing attacks are becoming a bigger issue for businesses. If you would like to read our previous phishing blogs, you can find them via the following links:



From the above resources, we know that phishing is a social engineering attack in which attackers try to resemble a trusted source to gain the trust of an individual or business through mediums such as email, text, or phone, with the primary goal of gaining access to confidential data.


Defending against Phishing attacks


One of the biggest threats to remote staff is phishing schemes. Phishing campaigns are now extremely sophisticated and effective as they are not always easy to detect, especially if your staff have not had any prior training.

Phishing simulation training is one of the best measures in cybersecurity for helping to stop phishing incidents. All an attacker is hoping for is to exploit one weak point within your organisation, which can result in huge setbacks such as:


  • Fraud
  • Data breaches
  • Damage to your business’s finances and reputation.


As part of your organisation's DiD (Defence in Depth) strategy, you are responsible for ensuring that you have several safeguards and countermeasures in place for protecting both your own and your customers' personal data. Staff having the knowledge and training to detect a phishing attack supports your DiD strategy and ensures ongoing compliance.

A phishing simulation would usually entail creating a phishing attack vector and targeting certain employees with non-destructive results, with the purpose of highlighting the strengths and weaknesses of your employees when it comes to their ability to identify fake communication.

2. Weak Passwords

As with phishing campaigns, passwords are always vulnerable to threats due to the human factor. The reason attackers aim to exploit humans is that cybersecurity software is often so much harder to beat. Hackers have many methods of cracking passwords, such as:


  • Brute Force
  • Phishing attacks
  • Social Engineering
  • Malware
  • Guessing


Another error organisations make is repeating their passwords over many different accounts. If an attacker were to crack the password, they would have access to every single account that password is used with. Ensuring that your staff understand the errors of weak and repeated passwords reduces the risk of successful attacks.

How to ensure good password management

Password management software

Password management tools (such as 1Password or LastPass) ensure that users are not storing their passwords on physical devices (where they can be accessed by other people) or relying on their memory (which will not result in a secure password). The passwords for your whole organisation can then be managed by the appropriate members of staff, who will monitor the system and be alerted to any suspicious activity. Staff will therefore only need to remember one core password to access the software and gain access to their secure passwords. Any unauthorised users who use this password will be flagged, as their IP address will be different, and access to the account can then be blocked by the administration team.

Password management tools will alert users about repeated passwords while also having tools that can quickly generate and store long, hard to replicate, and secure passwords. These tools are also easily accessible and can be downloaded on devices such as mobile phones if necessary.
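The two features described above, flagging repeated passwords and generating long random ones, can be sketched in a few lines. This is an added example, not code from JC Cyber Security or from any password manager; the sample vault is constructed, and the function names, the 12-character minimum and the symbol set are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

# Constructed sample vault export: (account, password). Not real credentials.
SAMPLE_VAULT = [
    ("email", "Summer2021!"),
    ("payroll", "Summer2021!"),
    ("crm", "k7#Vq9z!pLm2Xw4&"),
    ("vpn", "Summer2021!"),
    ("wiki", "letmein"),
]

def find_reused(vault):
    """Group accounts that share a password without building a plaintext index.

    Each password is reduced to an HMAC tag under a random per-run key, so the
    grouping table cannot be matched against anything outside this run.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for account, password in vault:
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(account)
    return sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)

def generate_password(length=20):
    """Return a random password that contains every character class."""
    if length < 12:  # assumed minimum, not a figure from the article
        raise ValueError("generated passwords must be at least 12 characters")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*-_=+"]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry instead of patching characters in, so no position is predictable.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

if __name__ == "__main__":
    for accounts in find_reused(SAMPLE_VAULT):
        print("reused across:", ", ".join(accounts))
    print("suggested replacement:", generate_password())
```
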

Multi-Factor Authentication
MFA (Multi-Factor Authentication) is an authentication method that requires two or more successful prompts to verify a user’s identity. These prompts could be a fingerprint scan, entering a PIN, or even accessing another account such as their email to repeat a specifically generated code. Only after verifying their identity will staff be given access to their account.
Having MFA decreases the likelihood of a successful cyber-attack and should form one of the core components of your IAM (Identity and Access Management) policy.

Requiring users to authenticate their identity reduces the risk of a successful brute force password attack. If an attacker successfully guesses the correct password, they still cannot access your staff member’s account, as the system or software they are using will require the actual staff member to confirm that they are the one trying to access the account.

Change passwords regularly
It is always good practice to regularly change passwords. With staff potentially leaving over time, you can never accurately account for who does and does not know what. Having policies in place that require your staff to change their passwords on a 6-12 month basis can ensure that only those who require access gain access.


3. Unencrypted File Sharing


Although many already encrypt their data on a network, we do not always see data that needs to be transferred and shared with others being encrypted too. If sensitive information sent out to others is intercepted, it could potentially lead to ransomware attacks and identity fraud.

 

Making sure your staff understand why and how to encrypt data ensures that only the intended recipient can decrypt the message. Your business can ensure good encryption methods by:


  • Using email encryption platforms
  • Having a phone system that can encrypt phone & voicemail communications
  • Using end-to-end file sharing platforms such as OneDrive, Dropbox & Google Drive


4. Insecure home Wi-Fi

With staff working remotely, each staff member will require their own network connection. Rather than just ensuring your own business network is secure, you now must ensure that all your staff are not vulnerable to attack through their own home Wi-Fi or that they understand the dangers relating to publicly accessible Wi-Fi. If you do not currently know the dangers relating to public Wi-Fi, make sure that you read our 'VPN - What, How & Why' blog post.

 

Additionally, many organisations will have their own firewall protection; however, most home Wi-Fi connections will not. Even though routers and computers typically have their own firewall and anti-virus protection, these are usually very basic and could leave gaps in your organisation’s security.


How to secure home Wi-Fi


Consistently update software

Ensure your staff understand the importance of updating their devices’ operating systems, applications, and network-related software packages. It is so easy to forget about updating our software. However, not doing so leaves your staff and their systems extremely vulnerable to an attack. When a system or application requires an update, it is because it is no longer as good as it was yesterday. Developers will have found a better, more efficient way of performing its task because the current version has a vulnerability. The longer you leave these updates, the more likely the vulnerabilities will be exploited. In this day and age, it is extremely easy to schedule updates. Even Windows 10 has a feature where you can set the user’s working hours so that updates are performed outside of working hours.


Firewall Management Service

Ensure your organisation has a Managed Firewall Service. Self-managing your business’s technical security controls can take up considerable resources and require constant monitoring. By having a Firewall Management service, you will have cybersecurity experts on hand 24/7 to ensure that your business’s firewall is protecting your staff, is updated whenever necessary and complies with ISO 9001 and ISO 27001 standards.


You can find out more about Firewall security by visiting the following resources:

 

Encrypt data with a VPN

A VPN (Virtual Private Network) is a service for privatising and encrypting a user’s online activity by connecting a device to a VPN server. Any actions or data used while connected to the VPN network will be encrypted, so an attacker will not be able to identify the users or any of the personal data.


The most typical type of VPN is a Client-to-Site VPN. A Client-to-Site VPN is where a client connects to the server to access the corporate network or Local Area Network (LAN) behind the server, while still maintaining the enterprise-level security of the network and its resources.


A Site-to-Site VPN will use the internet to extend your business network so it can be accessed by the appropriate users in multiple locations. The gateway of one location can then successfully communicate and share resources with the rest of the network.


5. Working from Personal Devices


By working remotely, staff are most likely provided with their own computer device. The risk is that your employees will feel that they have the freedom to connect to/with any other personal devices at home such as their mobile phone, printers, speakers, etc. Connecting to these devices can pose their very own cybersecurity risks.

If you cannot provide all staff with their very own laptop/computer, staff may have to use their personal computers. This again can introduce a new set of vulnerabilities. A virtual computer service such as Desktop-as-a-Service (DaaS) can transform personal tablets and computers so that they have their own area where work-related tasks can be completed on a private cloud service, with access to the company’s network. Once they have finished working, they can log off from the service and continue to use their device for personal tasks without risking any business data. If their device were to be stolen, as the data is held on the virtual desktop, data cannot be accessed on a physical drive, only on the company’s network.

If your staff must use their mobile phone for work-related tasks, ensure that they can only do so once their device has been encrypted. iOS devices have additional features that will wipe the data held on the phone after a certain number of failed log-in attempts.

Working Remotely - Benefits

Working remotely at home

Less commuting

Not everyone is fortunate enough to be within walking distance of their place of work, and some staff may sacrifice a lot of time and money. This can take its toll on staff who may be struggling financially or those who find themselves consistently arriving late for work. By removing the issue of travelling to an office, working remotely allows employees extra time before their shift to get in more work preparation and to fully complete their personal commitments, with the bonus of saving them more money.

 

Less commuting also brings environmental and health-related benefits. While not directly impacting your business, these will ensure that the world both you and your staff share is the best it can be. Some examples include:


  • Staff are not put at risk driving or cycling in busy areas
  • Staff may feel more comfortable and find fewer distractions working remotely
  • Improved equality for those who may find it difficult to travel

 

Flexibility

Your staff will have their own personal lives with their own commitments and responsibilities. Those who have children may have to care for them without warning. Typically, this would almost guarantee the end of the working day for staff members. Working remotely allows for flexibility as the means to complete work becomes more accessible for staff. If there is a deadline, working hours can be negotiated and discussed with more room for manoeuvre than we have seen in the past.

 

Less financial responsibility for having office space.

As a result of your staff working remotely, they will not always be taking up space in an office and using your utilities – potentially saving your business a lot of money. If you find that remote work fits your business model and your employees better, then you may decide not to return to an office and permanently work from home.


How a JC Cyber Security Protection Plan can help keep your staff secure:


As remote work continues to become a more viable option for businesses, cybersecurity is becoming even more important. Without the time, knowledge, and infrastructure to support your remote staff, you are almost certainly going to be vulnerable to some sort of cyber-attack.


JC Cyber Security have developed our Protection Plan to provide your business with the peace of mind it deserves. We want to help businesses of all sizes so that they can take on a high level of security tailored to their specific needs.  By speaking to one of our Cyber experts, we can help your business:


  • Identify weaknesses through a vulnerability assessment
  • Recommend a protection roadmap built specifically for your business
  • Implement the necessary safeguards and protections to keep your business secure
  • Reduce the risk of a cyber attack
  • Ensure ongoing compliance
  • Focus on what is important for your business

 

A protection plan is the first big step in becoming proactive in cybersecurity. Cybercrime is one of the biggest threats to your business and a breach can be crippling to both your finances and reputation – there might be no way to come back. If you have any questions/queries regarding keeping your business secure, do not hesitate to get in touch.
